Lucene search

2549 matches found

OSV, added 2025/12/11 5:16 a.m., 4 views

UBUNTU-CVE-2025-11984

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions...

CVSS 6.8, AI score 5.8, EPSS 0.00274
Exploits: 0, References: 2

Vulnrichment, added 2025/12/11 4:4 a.m., 4 views

CVE-2025-11984 Authentication Bypass Using an Alternate Path or Channel in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions...

CVSS 6.8, AI score 6.6, EPSS 0.00274
Exploits: 0, References: 3

CVE, added 2025/12/11 4:4 a.m., 15 views

CVE-2025-11984

GitLab CE/EE had an authentication bypass vulnerability (CVE-2025-11984) where an authenticated user could bypass WebAuthn 2FA by manipulating session state under certain conditions. Affected versions: 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2. Remediation is via patched rele...

CVSS 6.8, AI score 6.6, EPSS 0.00274
Exploits: 0, References: 3, Affected Software: 1

Cvelist, added 2025/12/11 4:4 a.m., 29 views

CVE-2025-11984 Authentication Bypass Using an Alternate Path or Channel in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions...

CVSS 6.8, EPSS 0.00274
Exploits: 0, References: 3

OSV, added 2025/12/11 4:4 a.m., 6 views

CVE-2025-11984 Authentication Bypass Using an Alternate Path or Channel in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions...

CVSS 6.8, AI score 6.9, EPSS 0.00274
Exploits: 0, References: 6

RedhatCVE, added 2025/12/09 12:29 p.m., 29 views

CVE-2025-42615

In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...

CVSS 8.1, AI score 7, EPSS 0.00324
Exploits: 0, References: 1

RedhatCVE, added 2025/12/09 8:27 a.m., 9 views

CVE-2025-66558

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device when correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would...

CVSS 4.3, AI score 6.6, EPSS 0.00226
Exploits: 0, References: 1

NVD, added 2025/12/08 12:16 p.m., 4 views

CVE-2025-42615

In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...

CVSS 8.1, EPSS 0.00324
Exploits: 0, References: 1

EUVD, added 2025/12/08 12:1 p.m., 4 views

EUVD-2025-201703

In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...

CVSS 8.1, AI score 6.5, EPSS 0.00324
Exploits: 0, References: 2

Vulnrichment, added 2025/12/08 12:1 p.m., 3 views

CVE-2025-42615 Improper Restriction of Excessive Authentication Attempts vulnerability in CIRCL Vulnerability-Lookup

In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...

CVSS 8.1, AI score 6.6, EPSS 0.00324
Exploits: 0, References: 1

Positive Technologies, added 2025/12/08 12:0 a.m., 5 views

PT-2025-49549

In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...

CVSS 8.1, AI score 7, EPSS 0.00324
Exploits: 0, References: 2

NVD, added 2025/12/05 6:15 p.m., 4 views

CVE-2025-66558

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device when correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would...

CVSS 4.3, EPSS 0.00226
Exploits: 0, References: 4

EUVD, added 2025/12/05 6:0 p.m., 5 views

EUVD-2025-201460

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device when correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would...

CVSS 3.1, AI score 6.1, EPSS 0.00226
Exploits: 0, References: 4

OSV, added 2025/12/05 6:0 p.m., 7 views

CVE-2025-66558 Nextcloud Twofactor WebAuthn app was updated based on public key

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device when correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would...

CVSS 3.1, AI score 6.5, EPSS 0.00226
Exploits: 0, References: 6

CNNVD, added 2025/12/05 12:0 a.m., 6 views

WebAuthn second factor provider for Nextcloud security vulnerability

WebAuthn second factor provider for Nextcloud is an open source two-factor authentication software from Nextcloud. A security vulnerability exists in WebAuthn second factor provider for Nextcloud versions prior to 1.4.2 and prior to 2.4.1, which stems from a lack of ownership checking and could...

CVSS 4.3, AI score 6.6, EPSS 0.00226
Exploits: 0, References: 4

Positive Technologies, added 2025/12/05 12:0 a.m., 5 views

PT-2025-49302

Name of the Vulnerable Software and Affected Versions: Nextcloud Twofactor WebAuthn versions prior to 1.4.2; Nextcloud Twofactor WebAuthn versions prior to 2.4.1. Description: A missing ownership check allows an attacker to remove a user's WebAuthn two-factor authentication device by correctly guessi...

CVSS 4.3, AI score 6.7, EPSS 0.00226
Exploits: 0, References: 9

Patchstack, added 2025/12/02 10:3 a.m., 11 views

WordPress WP 2FA plugin <= 2.9.3 - 2-Factor Authentication Bypass vulnerability

2-Factor Authentication Bypass vulnerability discovered by Benjamin Nadarević in WordPress Plugin WP 2FA versions <= 2.9.3...

CVSS 6.3, AI score 6.7, EPSS 0.00179
Exploits: 0, References: 1, Affected Software: 1

EUVD, added 2025/12/02 12:36 a.m., 5 views

EUVD-2025-200110

Grav is vulnerable to Arbitrary File Read...

CVSS 8.5, AI score 6.4, EPSS 0.00397
Exploits: 1, References: 3

CVE, added 2025/12/01 9:19 p.m., 12 views

CVE-2025-66300

Grav is a file-based CMS affected by CVE-2025-66300. A low-privilege user with page-editing rights could exploit path traversal via the Frontmatter form to read server files, including Grav user accounts located at /grav/user/accounts/*.yaml, exposing password hashes, 2FA secrets, and password-re...

CVSS 8.5, AI score 6.4, EPSS 0.00397
Exploits: 1, References: 2, Affected Software: 1

Cvelist, added 2025/12/01 9:19 p.m., 5 views

CVE-2025-66300 Grav is vulnerable to Arbitrary File Read

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a low-privilege user account with page editing privilege can read any server files using the "Frontmatter" form. This includes Grav user account files /grav/user/accounts/*.yaml, which store the hashed user password, 2FA secret, and the password...

CVSS 8.5, EPSS 0.00397
Exploits: 1, References: 2
