CVE-2012-0286
Cross-site request forgery (CSRF) vulnerability in Stoneware webNetwork before 6.0.8.0 allows remote attackers to hijack the authentication of unspecified victims for requests that modify user accounts...
CVE-2010-5093
MemberProfileForm in security/Member.php in SilverStripe 2.3.x before 2.3.7 allows remote attackers to hijack user accounts by saving data using the email address ID of another user...
CVE-2005-4688
PunBB 1.2.9 does not require password entry when changing the e-mail address in an account's profile, which might allow an attacker to make an address change via a hijacked login session...
CVE-2025-3759
Endpoint /cgi-bin-igd/netcoreset.cgi, which is used for changing device configuration, is accessible without authentication. This poses a significant security threat, allowing for e.g. administrator account hijacking or AP password changing. The vendor was contacted early about this disclosure but d...
PT-2025-20372 · Netis Systems · Wf2220
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The endpoint /cgi-bin-igd/netcoreset.cgi is used for changing device configuration and is accessible without authentication, posing a significant security threat. This could allow for...
SoftCOM iKSORIS authorization issue vulnerability
SoftCOM iKSORIS is an application from SoftCOM, Inc. An authorization issue vulnerability exists in SoftCOM iKSORIS versions prior to 79.0 that stems from allowing arbitrary session cookie values to be set, which could lead to account hijacking...
Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes
Multiple Russia-aligned threat actors have been observed targeting individuals of interest via the privacy-focused messaging app Signal to gain unauthorized access to their accounts. "The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is t...
CVE-2020-26236
In ScratchVerifier before commit a603769, an attacker can hijack the verification process to log into someone else's account on any site that uses ScratchVerifier for logins. A possible exploitation would follow these steps: 1. User starts login process. 2. Attacker attempts login for user, and i...
CVE-2024-3574
In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across...
CVE-2024-30264
Typebot is an open-source chatbot builder. A reflected cross-site scripting (XSS) in the sign-in page of typebot.io prior to version 2.24.0 may allow an attacker to hijack a user's account. The sign-in page takes the redirectPath parameter from the URL. If a user clicks on a link where the...
CVE-2024-23830
MantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a user's email address and username can hijack the user's account by poisoning the link in the password reset notification message. A patch is available in version 2.26.1. As a workaround,...
CVE-2024-45404
OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the...
No need to RSVP: a closer look at the Tria stealer campaign
Introduction Since mid-2024, we've observed a malicious Android campaign leveraging wedding invitations as a lure to social-engineer victims into installing a malicious Android app (APK), which we have named "Tria Stealer" after unique strings found in campaign samples. The primary targets of the...
Account Hijacking
joelbutcher/socialstream is vulnerable to insufficient confirmation during account linking. The vulnerability is due to the lack of a confirmation step during account linking and the use of ->stateless() in the Socialite configuration, which bypasses state verification, allowing an attacker to link...
CVE-2024-1610 OPPO Store app include remote account token hijacking and sensitive information leakage
In OPPO Store APP, there's a possible escalation of privilege due to improper input validation...
CVE-2024-45404 OpenCTI's lack of Rate Limit leads to OTP brute forcing
OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the...
CVE-2024-45404
CVE-2024-45404 affects OpenCTI prior to 6.2.18. The root cause is the absence of rate limiting on the OTP mechanism, specifically the otpLogin mutation, enabling an attacker with valid credentials (or a malicious insider) to bypass two-factor authentication and hijack an account. Evidence from mu...
PT-2024-31608 · Opencti · Opencti
Name of the Vulnerable Software and Affected Versions: OpenCTI versions prior to 6.2.18 Description: The issue affects the two-factor authentication mechanism in OpenCTI, an open-source cyber threat intelligence platform. Due to the lack of a function to limit the rate of One Time Passwords (OTPs),...