Code injection
In ScratchVerifier before commit a603769, an attacker can hijack the verification process to log into someone else's account on any site that uses ScratchVerifier for logins. A possible exploitation would follow these steps: 1. User starts login process. 2. Attacker attempts login for user, and i...
CVE-2020-26236 Verification Code Hijacking in ScratchVerifier
In ScratchVerifier before commit a603769, an attacker can hijack the verification process to log into someone else's account on any site that uses ScratchVerifier for logins. A possible exploitation would follow these steps: 1. User starts login process. 2. Attacker attempts login for user, and i...
CVE-2020-26236
The CVE-2020-26236 vulnerability affects ScratchVerifier and describes a verification-code hijack during login. According to Red Hat/CVE listings and cross-referenced sources, before commit a603769 an attacker can hijack a user’s login flow on any site using ScratchVerifier: the attacker initiate...
Logic Flaw Vulnerability in Situ CMS
Situ CMS is the short name of Situ Tourism Website Management System, a self-developed website management system for building tourism websites. A logic flaw vulnerability exists in Situ CMS. The vulnerability is due to the fact that the system does not limit the number of times th...
Logic Flaw Vulnerability in Situ CMS (CNVD-2020-64768)
Situ CMS is the short name of Situ Tourism Website Management System, a self-developed website management system for building tourism websites. There is an arbitrary user password reset vulnerability in Situ CMS. The vulnerability is due to the fact that the system does not limit...
Security update for singularity (important)
openSUSE Security Update: Security update for singularity Announcement ID: openSUSE-SU-2020:1100-1 Rating: important References: 1174148 1174150 1174152 Cross-References: CVE-2020-13845 CVE-2020-13846 CVE-2020-13847 Affected Products: openSUSE Backports SLE-15-SP2 An update that fixes three...
ecshop mall website builder system has a logic flaw vulnerability
Business Pie Software Ltd. is a professional e-commerce service and technology provider. The ecshop mall website builder system has a logic flaw vulnerability: attackers can modify a user's password by brute-forcing the verification code, achieving an arbitrary password reset...
CVE-2020-10876
The OKLOK 3.1.1 mobile companion app for Fingerprint Bluetooth Padlock FB50 2.3 does not correctly implement its timeout on the four-digit verification code that is required for resetting passwords, nor does it properly restrict excessive verification attempts. This allows an attacker to brute...
CVE-2020-6862
V6.0.10P2T2 and V6.0.10P2T5 of the F6x2W product are impacted by an information leak vulnerability. Unauthorized users could log in directly to obtain page information without entering a verification code...
Information disclosure
V6.0.10P2T2 and V6.0.10P2T5 of the F6x2W product are impacted by an information leak vulnerability. Unauthorized users could log in directly to obtain page information without entering a verification code...
Clario: Account Takeover because of the mis-configuration on the Password Reset Page
Summary https://api.account.opendoor.ltd has no rate limit on the password reset's verification page. By this, I can take over any account. All I need to know is the victim's email address. Steps to reproduce 1. There is an endpoint - POST /v1/verification-code/forgot-password which will take POST dat...
Mail.ru: Account Takeover at worki.ru
One-time code reuse between registration and authentication, in combination with insufficient bruteforce protection, allowed account access via verification code bruteforce for worki.ru. Common flaws of SMS auth: https://blog.deteact.com/common-flaws-of-sms-auth/...
pixiv: Reset any password
Summary: When I try to reset the password, the verification code sent to the mailbox is 6 digits, and there is no limit on the number of submissions, so I can reset the password of any user. Steps To Reproduce: 1. Input the email on the reset password URL. F595146 Click the "submit" button. F595147 Input the...
CVE-2019-8909
An issue was discovered in WTCMS 1.0. It allows remote attackers to cause a denial of service resource consumption via crafted dimensions for the verification code image...
Code injection
An issue was discovered in WTCMS 1.0. It allows remote attackers to cause a denial of service resource consumption via crafted dimensions for the verification code image...
Security Advisory - Smart SMS Verification Code Vulnerability in Some Huawei Smart Phones
There is a smart SMS verification code vulnerability in some Huawei smart phones. An attacker would need to trick a user into accessing a malicious website or malicious app and registering. Due to incorrect processing of the smart SMS verification code, successful exploitation can cause sensitive information leak...
CVE-2018-18825
Pagoda Linux panel V6.0 has XSS via the verification code associated with an invalid account login. A crafted code is mishandled during rendering of the login log...
Design/Logic Flaw
Pagoda Linux panel V6.0 has XSS via the verification code associated with an invalid account login. A crafted code is mishandled during rendering of the login log...