222 matches found
Lord of Large Language Models vulnerable to Observable Discrepancy attack via authenticate_user function
The parisneo/lollms repository is affected by a timing attack vulnerability in the authenticateuser function within the lollmsauthentication.py file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The...
CVE-2025-6386
The parisneo/lollms repository is affected by a timing attack vulnerability in the authenticateuser function within the lollmsauthentication.py file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The...
CVE-2025-6386
The CVE relates to parisneo/lollms, where the authenticate_user function in lollms_authentication.py is vulnerable to a timing attack that enables username enumeration and incremental password guessing. The root cause is the use of Python’s default string equality operator, which compares charact...
GHSA-4QJH-9FV9-R85R Potential Timing Side-Channel Vulnerability in vLLM’s Chunk-Based Prefix Caching
This issue arises from the prefix caching mechanism, which may expose the system to a timing side-channel attack. Description When a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT Time to First...
GHSA-424X-CXVH-WQ9P Mautic allows user name enumeration due to response time difference on password reset form
Summary This advisory addresses a security vulnerability in Mautic related to the "Forget your password" functionality. This vulnerability could be exploited by unauthenticated users to enumerate valid usernames. User Enumeration via Timing Attack: A user enumeration vulnerability exists in the...
CVE-2024-21671
The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning FL and Multi-Party Computation MPC. It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this...
CVE-2024-26268
User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by...
CVE-2024-45052
Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it...
CVE-2023-30458
A username enumeration issue was discovered in Medicine Tracker System 1.0. The login functionality allows a malicious user to guess a valid username due to a different response time from invalid usernames. When one enters a valid username, the response time increases depending on the length of t...
CVE-2022-36105
TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that observing response time during user authentication backend and frontend can be used to distinguish between existing and non-existing user accounts. Extension authors of 3rd part...
CVE-2020-9389
A username enumeration issue was discovered in SquaredUp before version 4.6.0. The login functionality was implemented in a way that would enable a malicious user to guess valid username due to a different response time from invalid usernames...
CVE-2019-13599
In CentOS-WebPanel.com aka CWP CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times...
Alibaba Cloud Linux 3 : 0019: gnutls (ALINUX3-SA-2024:0019)
The remote Alibaba Cloud Linux 3 host has packages installed that are affected by a vulnerability as referenced in the ALINUX3-SA-2024:0019 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2023-5981: A vulnerability was found that the...
Adaptive Security Policy Management in Cloud Environments Using Reinforcement Learning
The security of cloud environments, such as Amazon Web Services AWS, is complex and dynamic. Static security policies have become inadequate as threats evolve and cloud resources exhibit elasticity 1. This paper addresses the limitations of static policies by proposing a security policy managemen...
AI-Driven IRM: Transforming Insider Risk Management with Adaptive Scoring and LLM-Based Threat Detection
Insider threats pose a significant challenge to organizational security, often evading traditional rule-based detection systems due to their subtlety and contextual nature. This paper presents an AI-powered Insider Risk Management IRM system that integrates behavioral analytics, dynamic risk...
Timing attacks to guess password in lollms_authentication.py
Description The authenticateuser function in /server/endpoints/lollmsauthentication.py is vulnerable to timing attacks that can be exploited to: Enumerate valid usernames. Guess passwords incrementally by analyzing response time differences. Explanation of the vulnerability def...
CVE-2024-7779
A vulnerability in danswer-ai/danswer version 1 allows an attacker to perform a Regular Expression Denial of Service ReDoS by manipulating regular expressions. This can significantly slow down the application's response time and potentially render it completely unusable...
How to Automate Security Questionnaires and Reduce Response Time
Security questionnaires take a lot of time and repetitively answering the same questions manually chews up business time…...
CVE-2024-54772
An issue was discovered in the Winbox service of MikroTik RouterOS long-term release v6.43.13 through v6.49.13 and stable v6.43 through v7.17.2. A patch is available in the stable release v6.49.18. A discrepancy in response size between connection attempts made with a valid username and those wit...
CVE-2024-54772
Summary: MikroTik RouterOS Winbox exposes a username-enumeration flaw due to a timing/response-size discrepancy. Affected: long-term 6.43.13–6.49.13 and stable 6.43–7.17.2; patch available in stable 6.49.18 (and upgrade to 7.18+). Practical impact: enables attackers to enumerate valid accounts. R...