CVE-2025-6433

CVE-2025-6433 describes a WebAuthn behavior where, if a user visits a page with an invalid TLS certificate and grants an exception, the page could present a WebAuthn challenge, violating WebAuthN’s requirement for a secure transport. Affected products include Mozilla Firefox and Thunderbird prior...

CVE-2025-6433

If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This...

Mozilla Firefox 安全漏洞

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security vulnerability exists in Mozilla Firefox versions prior to 140, which stems from allowing WebAuthn challenges despite invalid TLS certificates, which could lead to security risks...

PT-2025-26730

Name of the Vulnerable Software and Affected Versions: Firefox versions prior to 140 Description: The issue arises when a user visits a webpage with an invalid TLS certificate and grants an exception. In this scenario, the webpage can provide a WebAuthn challenge that the user is prompted to...

Astra Linux – Vulnerability in Firefox

If a user visited a webpage with an invalid TLS certificate and granted an exception, the webpage was able to present a WebAuthn challenge that the user was prompted to complete. This violates the WebAuthN specification, which requires a secure transport connection without errors. This...

TencentOS Server 3: thunderbird (TSSA-2024:0241)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0241 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...

CVE-2024-9023

The WP-WebAuthn plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wwaloginform shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2024-47650

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Axton WP-WebAuthn wp-webauthn allows Stored XSS.This issue affects WP-WebAuthn: from n/a through = 1.3.1...

CVE-2023-44039

In VeridiumID before 3.5.0, the WebAuthn API allows an internal unauthenticated attacker who can pass enrollment verifications and is allowed to enroll a FIDO key to register their FIDO authenticator to a victim’s account and consequently take over the account...

CVE-2021-38299

Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence...

CVE-2024-12225

A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default...

CVE-2024-12225

A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default...

CVE-2024-12225 Io.quarkus:quarkus-security-webauthn: quarkus webauthn unexpected authentication bypass

A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default...

CVE-2024-12225 Io.quarkus:quarkus-security-webauthn: quarkus webauthn unexpected authentication bypass

A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default...

CVE-2024-12225

CVE-2024-12225 affects Quarkus, specifically the quarkus-security-webauthn module. The vulnerability arises because default REST endpoints for user registration/login remain accessible when developers add custom endpoints, potentially allowing an attacker to obtain a login cookie with no correspo...

Quarkus 安全漏洞

Quarkus is a cloud-native Linux container-first framework for writing Java applications from the Quarkus open source. A security vulnerability exists in Quarkus that stems from an undisabled default REST endpoint in the quarkus-security-webauthn module, which could lead to arbitrary user login...

PT-2025-19841

Name of the Vulnerable Software and Affected Versions Quarkus affected versions not specified Description A vulnerability was found in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in, and when developers provi...

State-of-the-art phishing: MFA bypass

Cybercriminals are bypassing multi-factor authentication MFA using adversary-in-the-middle AiTM attacks via reverse proxies, intercepting credentials and authentication cookies. The developers behind Phishing-as-a-Service PhaaS kits like Tycoon 2FA and Evilproxy have added features to make them...

CVE-2025-24180

The issue was addressed with improved input validation. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4, watchOS 11.4. A malicious website may be able to claim WebAuthn credentials from another website that shares a registrable suffix...

CVE-2025-24180

The issue was addressed with improved input validation. This issue is fixed in Safari 18.4, visionOS 2.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A malicious website may be able to claim WebAuthn credentials from another website that shares a registrable suffix...