Source: CVE (added 2025/10/30 9:19 p.m.)

CVE-2025-34249

CVE-2025-34249 relates to Nagios Fusion prior to 2024R2.1 and describes a brute-force bypass of the 2FA implementation due to inadequate rate limiting/account lockout, enabling repeated second-factor attempts and potential authentication compromise. Red Hat and ENISA references corroborate a 2FA ...

AI score 6.5, EPSS 0.01561, exploits 0
Source: Vulnrichment (added 2025/10/30 9:19 p.m.)

CVE-2025-34249

...

AI score 6.5, EPSS 0.01561, exploits 0
Source: OSV (added 2025/10/30 8:15 p.m.)

CVE-2025-8850

In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication 2FA flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend do...

CVSS 8.8, AI score 6.9, exploits 0, references 2
Source: NVD (added 2025/10/30 8:15 p.m.)

CVE-2025-8850

In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication 2FA flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend do...

CVSS 8.8, EPSS 0.00419, exploits 1, references 2
Source: Vulnrichment (added 2025/10/30 7:59 p.m.)

CVE-2025-8850 Insecure API Design in danny-avila/librechat

In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication 2FA flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend do...

CVSS 3.1, AI score 6.5, EPSS 0.00419, exploits 1, references 2
Source: CVE (added 2025/10/30 7:59 p.m.)

CVE-2025-8850

CVE-2025-8850 affects librechat 0.7.9. The backend fails to properly validate OTP/backup codes when calling the /api/auth/2fa/disable endpoint, allowing an authenticated user to disable 2FA without completing the required verification. This insecure API design can weaken the user’s account securi...

CVSS 8.8, AI score 6.5, EPSS 0.00419, exploits 1, references 2, affected software 1
Source: Cvelist (added 2025/10/30 7:59 p.m.)

CVE-2025-8850 Insecure API Design in danny-avila/librechat

In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication 2FA flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend do...

CVSS 3.1, EPSS 0.00419, exploits 1, references 2
Source: CNNVD (added 2025/10/30 12:00 a.m.)

LibreChat security vulnerability

LibreChat is an enhanced ChatGPT clone by the individual developer Danny Avila. A security vulnerability exists in LibreChat version 0.7.9, stemming from a failure to properly validate the OTP or backup code during the 2FA disablement process, which could result in reduced account security...

CVSS 8.8, AI score 4.5, EPSS 0.00419, exploits 1, references 2
Source: Positive Technologies (added 2025/10/30 12:00 a.m.)

PT-2025-44461

Affected software and versions: Nagios Fusion versions prior to 2024R2.1. Description: The application lacks proper rate limiting or account lockout mechanisms for repeated failed Two-Factor Authentication (2FA) verification attempts. This allows a remote attacker to repeatedly...

CVSS 9.8, AI score 6.7, EPSS 0.01561, exploits 0, references 8
Source: Positive Technologies (added 2025/10/30 12:00 a.m.)

PT-2025-44512

Affected software and versions: Nagios Fusion versions prior to R2.1. Description: The application does not require re-authentication or session rotation when a user enables two-factor authentication (2FA). This allows an attacker who has obtained a valid session to continue usi...

CVSS 8.6, AI score 6.9, EPSS 0.00292, exploits 0, references 7
Source: Positive Technologies (added 2025/10/30 12:00 a.m.)

PT-2025-44458

Affected software and versions: librechat version 0.7.9. Description: The software has an insecure API design in the 2-Factor Authentication (2FA) flow. The system permits users to disable 2FA without a valid One-Time Password (OTP) or backup code, circumventing the verification...

CVSS 8.8, AI score 4.3, EPSS 0.00419, exploits 1, references 7
Source: OSV (added 2025/10/29 10:21 p.m.)

GHSA-CFJQ-28R2-4JV5 Zitadel May Bypass Second Authentication Factor

Summary: A vulnerability in Zitadel's token verification prematurely marked sessions as authenticated when only one factor was verified. Impact: Zitadel provides an API for managing sessions, enabling custom login experiences in a dedicated UI or direct integration into applications. Session Tokens...

CVSS 8.7, AI score 7.3, EPSS 0.00336, exploits 0, references 5
Source: CVE (added 2025/10/29 6:43 p.m.)

CVE-2025-64103

CVE-2025-64103 concerns Zitadel where, starting from versions 2.53.6, 2.54.3, and 2.55.0, MFA could be bypassed if the login policy did not explicitly require MFA, allowing sessions authenticated with a single factor to remain valid. An attacker could target a six‑digit TOTP code and bypass passw...

CVSS 9.8, AI score 7.1, EPSS 0.00336, exploits 0, references 2, affected software 1
Source: Malwarebytes (added 2025/10/29 12:08 p.m.)

Gmail breach panic? It’s a misunderstanding, not a hack

After a misinterpretation of an interview with a security researcher, several media outlets hinted at a major Gmail breach. Reporters claimed the incident took place in April. In reality, the researcher had said there was an enormous amount of Gmail usernames and passwords circulating on the dark...

AI score 6.9, exploits 0
Source: RedhatCVE (added 2025/10/28 12:27 a.m.)

CVE-2025-60425

Nagios Fusion v2024R1.2 and v2024R2 does not invalidate already existing session tokens when the two-factor authentication mechanism is enabled, allowing attackers to perform a session hijacking attack...

CVSS 8.6, AI score 7, EPSS 0.00935, exploits 0, references 1
Source: EUVD (added 2025/10/27 6:31 p.m.)

EUVD-2025-36198

Nagios Fusion v2024R1.2 and v2024R2 does not invalidate already existing session tokens when the two-factor authentication mechanism is enabled, allowing attackers to perform a session hijacking attack...

CVSS 8.6, AI score 6.5, EPSS 0.00935, exploits 0, references 4
Source: NVD (added 2025/10/27 4:15 p.m.)

CVE-2025-60425

Nagios Fusion v2024R1.2 and v2024R2 does not invalidate already existing session tokens when the two-factor authentication mechanism is enabled, allowing attackers to perform a session hijacking attack...

CVSS 8.6, EPSS 0.00935, exploits 0, references 3
Source: OSV (added 2025/10/27 4:15 p.m.)

CVE-2025-60425

Nagios Fusion v2024R1.2 and v2024R2 does not invalidate already existing session tokens when the two-factor authentication mechanism is enabled, allowing attackers to perform a session hijacking attack...

CVSS 8.6, AI score 5.8, EPSS 0.00935, exploits 0, references 3
Source: The Hacker News (added 2025/10/27 4:12 p.m.)

X Warns Users With Security Keys to Re-Enroll Before November 10 to Avoid Lockouts

Social media platform X is urging users who have enrolled for two-factor authentication (2FA) using passkeys and hardware security keys like YubiKeys to re-enroll their key to ensure continued access to the service. To that end, users are being asked to complete the re-enrollment, either using thei...

AI score 7.2, exploits 0
Source: NVD (added 2025/10/27 3:15 p.m.)

CVE-2025-61482

Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two-factor authentication. By hooking into app crypto routines and intercepting decryption paths, an attacker can recover plaintext secrets,...

CVSS 7.2, EPSS 0.00139, exploits 0, references 2