Security Bulletin: Multiple vulnerabilities in Bouncy Castle Crypto affect IBM Robotic Process Automation.
Summary Multiple vulnerabilities in Bouncy Castle Crypto affect IBM Robotic Process Automation. IBM Robotic Process Automation uses Bouncy Castle Crypto for some cryptographic processing. This bulletin identifies the security fixes to apply to address the vulnerabilities. Vulnerability Details...
CVE-2024-9907 QileCMS Verification Code Forget.php sendEmail password recovery
A vulnerability classified as problematic was found in QileCMS up to 1.1.3. This vulnerability affects the function sendEmail of the file /qilecms/user/controller/Forget.php of the component Verification Code Handler. The manipulation leads to weak password recovery. The attack can be initiated...
CVE-2024-9907
CVE-2024-9907 affects QileCMS up to version 1.1.3, specifically the Verification Code Handler’s sendEmail functionality in /qilecms/user/controller/Forget.php. The issue allows manipulation that results in weak password recovery. Attacks are described as remote, with high attack complexity and di...
CVE-2024-30172
A flaw was found in the Bouncy Castle Java Cryptography APIs. Affected versions of this package are vulnerable to an Infinite loop issue in ED25519 verification in the ScalarUtil class. This flaw allows an attacker to send a malicious signature and public key to trigger a denial of service...
Bouncy Castle crafted signature and public key can be used to trigger an infinite loop
An issue was discovered in Bouncy Castle Java Cryptography APIs starting in 1.73 and before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key...
CVE-2024-30172
An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key...
CVE-2024-30172
CVE-2024-30172 refers to a vulnerability in Bouncy Castle Java Cryptography APIs prior to 1.78 where an Ed25519 verification path can enter an infinite loop when processing a crafted signature and public key. The connected IBM security bulletin confirms the same CVE-ID and recommends upgrading to...
CVE-2023-49443
DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows attackers to gain access to the application via a bruteforce attack...
PT-2023-31228 · Doracms · Doracms
Name of the Vulnerable Software and Affected Versions: DoraCMS version 2.1.8 Description: The issue allows attackers to gain access to the application via a bruteforce attack due to the re-use of the same code for verification of valid usernames and passwords. Recommendations: For DoraCMS version...
CVE-2023-43650
JumpServer is an open source bastion host. The verification code for resetting user's password is vulnerable to brute-force attacks due to the absence of rate limiting. JumpServer provides a feature allowing users to reset forgotten passwords. Affected users are sent a 6-digit verification code,...
Authentication flaw
JumpServer is an open source bastion host. The verification code for resetting user's password is vulnerable to brute-force attacks due to the absence of rate limiting. JumpServer provides a feature allowing users to reset forgotten passwords. Affected users are sent a 6-digit verification code,...
CVE-2023-43650 Non-MFA account takeover via brute-force attack on weak password reset code in jumpserver
JumpServer is an open source bastion host. The verification code for resetting user's password is vulnerable to brute-force attacks due to the absence of rate limiting. JumpServer provides a feature allowing users to reset forgotten passwords. Affected users are sent a 6-digit verification code,...
PT-2023-28901 · Unknown · Jumpserver
Name of the Vulnerable Software and Affected Versions: JumpServer versions prior to 2.28.20 JumpServer versions prior to 3.7.1 Description: The verification code for resetting a user's password in JumpServer is vulnerable to brute-force attacks due to the absence of rate limiting. This allows for...
"Unable to process your request" error while registering for two-factor authentication
Register for two-factor authentication by using the following steps: 1. Open a browser, navigate to the Workspace sign-in page, and select Don't have a token? 2. Enter their user name in the domain\username format or their company email address and select Next. Citrix Cloud then sends the...
Mars: Response Manipulation lead to bypass verification code while making appointment at `█████████`
The vulnerability allowed bypassing the verification code when making an appointment at █████████. The response could be manipulated to change the verification check from false to true, enabling the appointment to be completed without the correct code...
No rate limit on "resend email feature" while enable or disable 2FA from /prefs/mfa endpoint
Description When a user is setting up 2FA, a verification code will be sent to the registered email. There is no rate limit on email triggering, which will result in an email flood / DoS attack or will also increase the expenses on your mail server, as an attacker can send 1 million emails throug...
No rate limit on email triggering during "resend email" action results in email flooding or a spam attack or a financial loss to the company itself
Description When a user is setting up 2FA, a verification code will be sent to the registered email. There is no rate limit on email triggering, which will result in an email flood / DoS attack or will also increase the expenses on your mail server, as an attacker can send 1 million emails throug...