PT-2025-43552
Name of the Vulnerable Software and Affected Versions: Frontier Airlines website, affected versions not specified. Description: The Frontier Airlines website has a publicly available endpoint that allows validation of whether an email address is associated with an account. An unauthenticated, remote...
EUVD-2018-0963
Malware in sbrugna...
CVE-2025-35436 CISA Thorium account verification email error handling
CISA Thorium uses '.unwrap' to handle errors related to account verification email messages. An unauthenticated remote attacker could cause a crash by providing a specially crafted email address or response. Fixed in commit 6a65a27...
CVE-2025-35432 CISA Thorium does not rate limit account verification email messages
CISA Thorium does not rate limit requests to send account verification email messages. A remote unauthenticated attacker can send unlimited messages to a user who is pending verification. Fixed in 1.1.1 by adding a rate limit set by default to 10 minutes...
PT-2025-19982 · Umbraco · Umbraco
Name of the Vulnerable Software and Affected Versions: Umbraco versions prior to 10.8.10 Umbraco versions prior to 13.8.1 Description: The issue allows an attacker to determine whether an account exists based on an analysis of the timing of post login API responses. No known workarounds are...
CVE-2023-7293
The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the checkmollieaccountdetails function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with...
CVE-2024-4185
The Customer Email Verification for WooCommerce plugin for WordPress (emails-verification-for-woocommerce) contains an Email Verification and Authentication Bypass in all versions up to 2.7.4 due to insufficiently random activation codes. This allows unauthenticated attackers to bypass email veri...
CVE-2023-44399 ZITADEL's password reset does not respect the "Ignoring unknown usernames" setting
ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. While this setting was properly working during the authentication process it...
Holehe - Tool To Check If The Mail Is Used On Different Sites Like Twitter, Instagram And Will Retrieve Information On Sites With The Forgotten Password Function
Holehe Online Version Summary Efficiently finding registered accounts from emails. Holehe checks if an email is attached to an account on sites like twitter, instagram, imgur and more than 120 others. Retrieves information using the forgotten password function. Does not alert the target email. Ru...
CVE-2023-30544
Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the My profile admin page. This page allowed them to change the email address registered with their account without the ownership verification performed...
GHSA-GRJ4-G57C-9XMV Moodle Bypass email verification secret when confirming account registration
When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17...
in erudika/scoold
✍️ Description Bypass rate limit and send unlimited emails to any email address. 💥 Impact Attacker can send unlimited emails to any mail address. Many email service providers have limited email sending, like 10000 emails per month. If you exceed that limit then you will be extra charged. So, using thi...
Stripe: Without verifying email and activate account, user can perform all action which are not supposed to be done
A researcher discovered that it was possible to access a subset of livemode dashboard functionality without verifying the account's email address. The livemode functionality in question was disabled in the UI, but could be accessed on the backend. Following this report, Stripe performed an intern...
Chase Bank Phish Swims Past Exchange Email Protections
Threat actors are impersonating Chase Bank in two phishing attacks that can slip past Microsoft Exchange security protections in an aim to steal credentials from victims — by spoofing real-life customer scenarios. Researchers from Armorblox recently discovered the attacks, one of which claims to...
CVE-2021-20282
When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17...
UBUNTU-CVE-2021-20282
When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17...
CVE-2021-20282
CVE-2021-20282 is a Moodle vulnerability that allows bypassing the email verification step during account creation, enabling account verification without access to the verification email/secret. Connected sources confirm this issue affects multiple Moodle branches prior to versions 3.10.2, 3.9.5,...
PT-2021-13874 · Moodle +1 · Moodle +1
Name of the Vulnerable Software and Affected Versions: moodle versions prior to 3.10.2 moodle versions prior to 3.9.5 moodle versions prior to 3.8.8 moodle versions prior to 3.5.17 Description: When creating a user account, it was possible to verify the account without having access to the...
LY Corporation: Password reset by malicious input on air.line.me
Due to a bug in the account verification process in the password reset function of air.line.me, it was possible to change other users' passwords if a temporary password reset key was set to a space...