2549 matches found
CVE-2025-34249
CVE-2025-34249 relates to Nagios Fusion prior to 2024R2.1 and describes a brute-force bypass of the 2FA implementation due to inadequate rate limiting/account lockout, enabling repeated second-factor attempts and potential authentication compromise. Red Hat and ENISA references corroborate a 2FA ...
CVE-2025-8850
In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication 2FA flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend do...
CVE-2025-8850 Insecure API Design in danny-avila/librechat
In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication 2FA flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend do...
CVE-2025-8850
CVE-2025-8850 affects librechat 0.7.9. The backend fails to properly validate OTP/backup codes when calling the /api/auth/2fa/disable endpoint, allowing an authenticated user to disable 2FA without completing the required verification. This insecure API design can weaken the user’s account securi...
LibreChat security vulnerability
LibreChat is an enhanced ChatGPT clone by Danny Avila Personal Developer. A security vulnerability exists in LibreChat version 0.7.9, which stems from a failure to properly validate the OTP or backup code during the 2FA disablement process, which could result in reduced account security...
PT-2025-44461
Name of the Vulnerable Software and Affected Versions: Nagios Fusion versions prior to 2024R2.1. Description: The application lacks proper rate limiting or account lockout mechanisms for repeated failed Two-Factor Authentication (2FA) verification attempts. This allows a remote attacker to repeatedly...
PT-2025-44512
Name of the Vulnerable Software and Affected Versions: Nagios Fusion versions prior to R2.1. Description: The application does not require re-authentication or session rotation when a user enables two-factor authentication (2FA). This allows an attacker who has obtained a valid session to continue usi...
PT-2025-44458
Name of the Vulnerable Software and Affected Versions: librechat version 0.7.9. Description: The software has an insecure API design in the 2-Factor Authentication (2FA) flow. The system permits users to disable 2FA without a valid One-Time Password (OTP) or backup code, circumventing the verification...
GHSA-CFJQ-28R2-4JV5 Zitadel May Bypass Second Authentication Factor
Summary: A vulnerability in Zitadel's token verification prematurely marked sessions as authenticated when only one factor was verified. Impact: Zitadel provides an API for managing sessions, enabling custom login experiences in a dedicated UI or direct integration into applications. Session Tokens...
CVE-2025-64103
CVE-2025-64103 concerns Zitadel where, starting from versions 2.53.6, 2.54.3, and 2.55.0, MFA could be bypassed if the login policy did not explicitly require MFA, allowing sessions authenticated with a single factor to remain valid. An attacker could target a six‑digit TOTP code and bypass passw...
Gmail breach panic? It’s a misunderstanding, not a hack
After a misinterpretation of an interview with a security researcher, several media outlets hinted at a major Gmail breach. Reporters claimed the incident took place in April. In reality, the researcher had said there was an enormous amount of Gmail usernames and passwords circulating on the dark...
CVE-2025-60425
Nagios Fusion v2024R1.2 and v2024R2 does not invalidate already existing session tokens when the two-factor authentication mechanism is enabled, allowing attackers to perform a session hijacking attack...
EUVD-2025-36198
Nagios Fusion v2024R1.2 and v2024R2 does not invalidate already existing session tokens when the two-factor authentication mechanism is enabled, allowing attackers to perform a session hijacking attack...
X Warns Users With Security Keys to Re-Enroll Before November 10 to Avoid Lockouts
Social media platform X is urging users who have enrolled for two-factor authentication 2FA using passkeys and hardware security keys like Yubikeys to re-enroll their key to ensure continued access to the service. To that end, users are being asked to complete the re-enrollment, either using thei...
CVE-2025-61482
Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two-factor authentication. By hooking into app crypto routines and intercepting decryption paths, an attacker can recover plaintext secrets,...