Lucene search
+L

17 matches found

Nuclei
Nuclei
added 8 hours ago6 views

phpBB < 3.3.17 - Authentication Bypass

phpBB before 3.3.17 contains an authentication bypass vulnerability in the login-link feature. By setting the authprovider query parameter to "apache", an unauthenticated attacker can bypass password verification and log in as any user, including administrators. The Apache auth provider trusts th...

9.8CVSS8.4AI score0.02865EPSS
Exploits2References2
CVE
CVE
added 2 days ago10 views

CVE-2026-53517

CVE-2026-53517 affects Better Auth’s oauth-provider (and related memory adapter) prior to version 1.6.11. The POST /oauth2/token refresh_token flow performs a non-atomic read–validate–revoke–mint sequence on the oauthRefreshToken row, allowing concurrent requests with the same parent refresh toke...

8.1CVSS6.1AI score0.00413EPSS
Exploits0References3
Snyk
Snyk
added 2026/07/07 8:56 p.m.5 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview @better-auth/oauth-provider is an An oauth provider plugin for Better Auth Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition through a race condition in the authorizationcode grant handler. An attacker can obtain multiple valid access,...

7.6CVSS6.2AI score0.00496EPSS
Exploits0References4
Patchstack
Patchstack
added 2026/07/07 8:56 p.m.5 views

NPM: @better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive

NPM: @better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive vulnerability discovered by ? in WordPress Npm better-auth versions 1.6.11...

7.6CVSS6AI score0.00496EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/07/04 5:52 p.m.24 views

CVE-2026-12746

CVE-2026-12746 affects Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 (Perl). The underlying issue is that the OAuth 2.0 state parameter is not supported, causing the authentication_url to redirect without a state value and the callback to process the response without binding it to t...

8.1CVSS5.9AI score0.00186EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/05 3:33 p.m.10 views

Malicious Package

Overview internal-auth-provider is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:8 p.m.5 views

CVE-2026-33042

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...

6.9CVSS5.8AI score0.00294EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/24 6:11 p.m.23 views

CVE-2026-33409 Parse Server: Auth provider validation bypass on login via partial authData

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowin...

7CVSS0.00455EPSS
Exploits0References5
OSV
OSV
added 2026/03/24 6:11 p.m.18 views

CVE-2026-33409 Parse Server: Auth provider validation bypass on login via partial authData

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowin...

7CVSS5.8AI score0.00455EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/03/16 12:0 a.m.11 views

PT-2026-25757

Mattermost fails to validate user's authentication method when processing account auth type switch in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is...

3.5CVSS5.8AI score0.00148EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2025/11/21 12:0 a.m.13 views

PT-2025-47813

Name of the Vulnerable Software and Affected Versions Langfuse versions 2.95.0 through 2.95.11 Langfuse versions 3.17.0 through 3.130.0 Description Langfuse is a large language model engineering platform. In Single Sign-On SSO provider configurations lacking an explicit AUTH CHECK setting, a...

6.5CVSS6.3AI score0.00136EPSS
Exploits0References6
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/04/02 5:11 a.m.6 views

Malicious code in @nationalgeographicsociety/ngsui-header-auth-provider-next (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d38527cfd7590fab454ac20f3be069dae42b211700523eb5a58dfd421014d9be Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9AI score
Exploits0References3
Veracode
Veracode
added 2023/06/13 3:51 a.m.30 views

Cross-site Scripting (XSS)

github.com/rancher/rancher is vulnerable to Cross-site Scripting XSS. The vulnerability exists in the Projects/Namespaces and Auth Provider sections, which allows an attacker with write access to inject and execute malicious code and steal sensitive information, manipulate web content, or perform...

8.4CVSS6.7AI score0.00714EPSS
Exploits0References8Affected Software1
NVD
NVD
added 2019/11/18 4:15 p.m.27 views

CVE-2018-13257

The bb-auth-provider-cas authentication module within Blackboard Learn 2018-07-02 is susceptible to HTTP host header spoofing during Central Authentication Service CAS service ticket validation, enabling a phishing attack from the CAS server login page...

6.1CVSS6.4AI score0.0121EPSS
Exploits1References1
Prion
Prion
added 2019/11/18 4:15 p.m.25 views

Design/Logic Flaw

The bb-auth-provider-cas authentication module within Blackboard Learn 2018-07-02 is susceptible to HTTP host header spoofing during Central Authentication Service CAS service ticket validation, enabling a phishing attack from the CAS server login page...

5.8CVSS6.3AI score0.0121EPSS
Exploits1References1Affected Software1
Fedora
Fedora
added 2009/02/12 8:38 p.m.17 views

[SECURITY] Fedora 10 Update: python-fedora-0.3.9-1.fc10

Python modules that help with building Fedora Services. This includes a JS ON based auth provider for authenticating against FAS2 over the network and a client that handles communication with the servers. The client module can be used to build programs that communicate with Fedora Infrastructure'...

3.6AI score
Exploits0
Fedora
Fedora
added 2009/02/12 8:37 p.m.17 views

[SECURITY] Fedora 9 Update: python-fedora-0.3.9-1.fc9

Python modules that help with building Fedora Services. This includes a JS ON based auth provider for authenticating against FAS2 over the network and a client that handles communication with the servers. The client module can be used to build programs that communicate with Fedora Infrastructure'...

3.6AI score
Exploits0
Rows per page
Query Builder