355 matches found
MAL-2024-7643 Malicious code in sap-authenticate (npm)
Source: ossf-package-analysis (4011b4682df361885068a85fb964ef88af5e0fd77d05306416b10e10c5cb9b6e). The OpenSSF Package Analysis project identified 'sap-authenticate' @ 0.0.0 (npm) as malicious. It is considered malicious because: - The package...
GHSA-X7Q2-WR7G-XQMF Django vulnerable to user enumeration attack
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password...
CVE-2024-24554
Bludit (CMS) is affected by CVE-2024-24554 because it generates sensitive tokens (API token, user token) with a predictable MD5-based method. The underlying issue is token generation: a guessable token enables authentication against the Bludit API. The documents do not provide concrete fixes or affected versions; at lea...
PT-2024-6224
Name of the Vulnerable Software and Affected Versions: Django versions 4.2 through 4.2.13; Django versions 5.0 through 5.0.6. Description: The issue allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. This is due to the...
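The two Django entries above describe the same root cause: the authentication backend returned early, without running the password hasher, for accounts whose password was marked unusable, so a login attempt against such an account answered measurably faster than one against a normal or nonexistent account. The following added example is not Django's code; it models the backend with a constructed user store and an instrumented PBKDF2 hasher (`make_password`, `check_password`, `hash_cost` and the `USERS` dict are all stand-ins) and counts hasher invocations, which is the deterministic stand-in for the response-time difference an attacker would measure.

```python
"""
Added example (not Django's own code): why skipping the hasher for an
"unusable password" account leaks account existence, and the fix shape
of always paying the hash cost on the failure paths.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 20_000   # kept small so the example runs quickly
UNUSABLE_PREFIX = "!"        # Django marks unusable passwords with a leading "!"

hash_calls = 0               # instrumented so hasher work can be counted per login attempt


def make_password(raw, salt=None):
    """Constructed hasher stand-in: PBKDF2-SHA256 with a 16-byte salt."""
    global hash_calls
    hash_calls += 1
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${dk.hex()}"


def is_password_usable(encoded):
    return not encoded.startswith(UNUSABLE_PREFIX)


def check_password(raw, encoded):
    """Re-derive with the stored salt and compare in constant time (one hasher call)."""
    _, salt_hex, _ = encoded.split("$")
    candidate = make_password(raw, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, encoded)


# Constructed user store: one normal account and one with an unusable password
# (the shape set_unusable_password() produces: "!" followed by random junk).
USERS = {
    "alice": make_password("correct horse"),
    "svc-import": UNUSABLE_PREFIX + secrets.token_urlsafe(30),
}


def authenticate_vulnerable(username, password):
    """Vulnerable shape: nonexistent users get a dummy hash, unusable-password users do not."""
    encoded = USERS.get(username)
    if encoded is None:
        make_password(password)  # dummy hash so missing users are not faster
        return None
    if not is_password_usable(encoded):
        return None              # early exit with zero hasher work: the timing leak
    return username if check_password(password, encoded) else None


def authenticate_hardened(username, password):
    """Hardened shape: every failure path costs exactly one hasher run."""
    encoded = USERS.get(username)
    if encoded is None or not is_password_usable(encoded):
        make_password(password)  # same cost whether the account is missing or unusable
        return None
    return username if check_password(password, encoded) else None


def hash_cost(backend, username, password):
    """Return how many hasher runs one login attempt triggered through `backend`."""
    global hash_calls
    hash_calls = 0
    backend(username, password)
    return hash_calls


if __name__ == "__main__":
    for name in ("alice", "svc-import", "nobody"):
        print(name, "vulnerable:", hash_cost(authenticate_vulnerable, name, "guess"),
              "hardened:", hash_cost(authenticate_hardened, name, "guess"))
```

With the vulnerable backend the `svc-import` attempt costs zero hasher runs while `alice` and `nobody` cost one each, so an attacker timing login requests can tell which usernames exist with an unusable password; the hardened backend costs one run on every path, and the only remaining difference is the constant-time comparison.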
CVE-2024-5203
CVE-2024-5203 is described in IBM’s bulletin as a cross-site request forgery in Keycloak used by IBM i Modernization Engine for Lifecycle Integration. It allows a remote authenticated attacker to exploit improper input validation to send a crafted request to /login-actions/authenticate, potential...
PT-2024-37226 · Quay · Quay
Name of the Vulnerable Software and Affected Versions: Quay, affected versions not specified. Description: A vulnerability was found in Quay, where an attacker can use an OAuth token to authenticate despite not having access to the organization from which the application was created, if they obtain...
RHEL 6 : tomcat (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - tomcat: Information Disclosure when using VirtualDirContext CVE-2017-12616 - Apache Tomcat 5.5.0 through...
GHSA-5R8W-66HQ-RC39 silverstripe/framework's pre-existing alc_enc cookies log users in if remember me is disabled
If "remember me" is enabled and users log in with the box checked, and the developer then disables the "remember me" function, any pre-existing alc_enc cookies will continue to authenticate users...
VulnCheck KEV: CVE-2024-4351
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with...
PT-2024-30595 · WordPress · Tutor Lms Pro
Name of the Vulnerable Software and Affected Versions: Tutor LMS Pro plugin for WordPress, versions up to and including 2.7.0. Description: The issue allows for unauthorized access, modification, and loss of data due to a missing capability check on the authenticate function. This enables...
PT-2024-21066 · Delinea · Delinea Pam Secret Server
Name of the Vulnerable Software and Affected Versions: Delinea PAM Secret Server version 11.4; Distributed Engine version 8.4.3. Description: The issue allows a PAM administrator to obtain the symmetric key used to encrypt RabbitMQ messages via crafted payloads to the "/pre-authenticate",...
Badge Launches Partner Program for ‘Enroll Once and Authenticate Any Device’ Software
Badge Launches Partner Program to Expand Availability of its Privacy-Enhancing "Enroll Once and Authenticate on Any Device" Software. Originally posted on HackRead.com...
@nfid/embed has compromised private key due to @dfinity/auth-client producing insecure session keys
Problem: User sessions in the @nfid/embed SDK with Ed25519 keys are vulnerable due to a compromised private key 535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe. This exposes users to potential loss of funds on ledgers and unauthorized access to canisters they control. Solution: Usin...
Hardcoded credentials
The vulnerability allows a remote attacker to authenticate to the web application with high privileges through multiple hidden hard-coded accounts...
CVE-2023-31579
Dromara Lamp-Cloud before v3.8.1 was discovered to use a hardcoded cryptographic key when creating and verifying a JSON Web Token. Because the key is the same in every deployment, anyone who reads it from the source can sign their own tokens; this allows attackers to authenticate to the application via a crafted JWT...
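To make the failure concrete, here is an added example that is not Lamp-Cloud's code and does not use its real key: a minimal HS256 signer/verifier (built on `hmac` so it runs without a JWT library), a placeholder `HARDCODED_KEY` standing in for whatever default a project ships, the forgery that key permits, and a `load_key_hardened` start-up check that refuses to run with a missing, default, or short key. The claim names and the `JWT_SIGNING_KEY` environment variable are assumptions for illustration.

```python
"""
Added example (not Lamp-Cloud's code): forging an HS256 JWT when the
signing key is hardcoded, and refusing to start unless the key is a
per-deployment secret.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets

# Placeholder for a key compiled into the source; the real one in any affected
# project is irrelevant, the point is that it is the same for every install.
HARDCODED_KEY = b"change-me-default-secret"
MIN_KEY_BYTES = 32  # HS256 keys should carry at least 256 bits of entropy


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims, key):
    """Produce header.payload.signature for alg=HS256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def jwt_verify(token, key):
    """Return the claims if the signature is valid for `key`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None  # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def forge_admin_token():
    """Attacker side: anyone who has read the source can mint an admin token."""
    return jwt_sign({"sub": "attacker", "role": "admin"}, HARDCODED_KEY)


def generate_deployment_key():
    """Operator side: a fresh random key for this install (store it outside the code)."""
    return secrets.token_urlsafe(48)


def load_key_hardened(env=None):
    """Start-up check: refuse a missing key, the shipped default, or a short key."""
    env = os.environ if env is None else env
    key = env.get("JWT_SIGNING_KEY", "")
    if not key or key.encode() == HARDCODED_KEY or len(key.encode()) < MIN_KEY_BYTES:
        raise RuntimeError("JWT_SIGNING_KEY must be set to a per-deployment secret of >= 32 bytes")
    return key.encode()


def start_up_accepts(env):
    """True if the hardened loader would accept this environment."""
    try:
        load_key_hardened(env)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    forged = forge_admin_token()
    print("vulnerable verifier accepts forged token:", jwt_verify(forged, HARDCODED_KEY))
    deploy_key = load_key_hardened({"JWT_SIGNING_KEY": generate_deployment_key()})
    print("hardened verifier accepts forged token:", jwt_verify(forged, deploy_key))
```

The verifier itself is not the bug: HMAC and the constant-time compare are fine. The defect is that the key is public, so the fix is operational (a secret generated per deployment and rotated if it leaks) plus a start-up guard that makes the default unusable; the same guard shape applies to any framework that ships a placeholder secret.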
Cisco BroadWorks Privilege Escalation Vulnerability
A vulnerability in Cisco BroadWorks could allow an authenticated, local attacker to elevate privileges to the root user on an affected device. The vulnerability is due to insufficient input validation by the operating system CLI. An attacker could exploit this vulnerability by issuing a crafted...
CVE-2023-36610
The affected TBox RTUs generate software security tokens using insufficient entropy. The random seed used to generate the software tokens is not initialized correctly, and other parts of the token are generated using predictable time-based values. An attacker with this knowledge could successful...
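The TBox entry above and the Bludit entry earlier on this page (CVE-2024-24554) share one failure mode: a token is derived from inputs an attacker can know or narrow down (a fixed username, a timestamp, a poorly seeded PRNG), so its effective entropy is the size of the attacker's search window, not the length of the hash. The following added example is not code from either product; it uses a hypothetical `weak_token` built as MD5 over username and issue time, a constructed `Server` that accepts an API token, an attacker routine that recovers the token by searching a time window, and the CSPRNG replacement.

```python
"""
Added example (not Bludit's or the TBox firmware's code): a token hashed
from predictable inputs is recoverable by searching the input space, which
no hash function can repair; a CSPRNG token is not.
"""
import hashlib
import hmac
import math
import secrets


def weak_token(username, issued_ms):
    """Hypothetical vulnerable pattern: MD5 over values the attacker can guess."""
    return hashlib.md5(f"{username}:{issued_ms}".encode()).hexdigest()


def strong_token():
    """Replacement: 32 bytes from the OS CSPRNG, no relation to time or identity."""
    return secrets.token_hex(32)


class Server:
    """Constructed API stand-in that checks a bearer token in constant time."""

    def __init__(self, api_token):
        self._api_token = api_token
        self.attempts = 0

    def authorized(self, token):
        self.attempts += 1
        return hmac.compare_digest(token, self._api_token)


def attack_time_window(server, username, approx_issued_ms, window_ms=5000):
    """Attacker side: knows the admin username and roughly when the token was
    created (from an HTTP Date header, a log line, install time). Tries every
    millisecond in +/- window_ms and returns the token that the API accepts."""
    for delta in range(-window_ms, window_ms + 1):
        candidate = weak_token(username, approx_issued_ms + delta)
        if server.authorized(candidate):
            return candidate
    return None


def effective_entropy_bits(window_ms):
    """Entropy the attacker actually faces for weak_token: the size of the time
    window in bits, regardless of the 128-bit MD5 output."""
    return math.log2(2 * window_ms + 1)


def strong_entropy_bits():
    return 32 * 8


if __name__ == "__main__":
    real_issue_ms = 1_700_000_000_000                 # constructed install time
    weak_server = Server(weak_token("admin", real_issue_ms))
    found = attack_time_window(weak_server, "admin", real_issue_ms + 1234)
    print("weak token recovered:", found is not None, "after", weak_server.attempts, "attempts")
    strong_server = Server(strong_token())
    found = attack_time_window(strong_server, "admin", real_issue_ms + 1234)
    print("strong token recovered:", found is not None)
    print("effective bits: weak %.1f vs strong %d" % (effective_entropy_bits(5000), strong_entropy_bits()))
```

The search here costs at most 10,001 requests for a ten-second window; widening the window by a day only adds about 14 bits, and a token derived from a fixed seed (the TBox case) collapses to a handful of candidates. Rate limiting on the API helps but does not fix the token; the fix is `secrets`/`os.urandom`-class generation and, for hardware, seeding the RNG from a real entropy source before any token is issued.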
CVE-2023-34409
In Percona Monitoring and Management (PMM) server 2.x before 2.37.1, the authenticate function in authserver.go does not properly normalize and sanitize URL paths to reject path traversal attempts. This allows an unauthenticated remote user, when a crafted POST request is made against unauthenticat...
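The defect class above, an authentication gate that decides "public or not" on the raw request path while the router behind it resolves `..` segments, is easy to reproduce. The following added example is not PMM's code (its real allowlist and Go implementation are not shown here): a hypothetical `PUBLIC_PATHS` allowlist, the prefix-matching `is_public_vulnerable` check, a `normalize` routine that percent-decodes and collapses the path before an exact-match `is_public_hardened` check, and an `authorize` gate that runs either checker.

```python
"""
Added example (not PMM's code): prefix-matching an unauthenticated-path
allowlist on the raw path is bypassed by traversal; normalize first and
match exactly.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical allowlist of endpoints that need no session.
PUBLIC_PATHS = {"/v1/readyz", "/v1/version"}


def is_public_vulnerable(path):
    """Vulnerable shape: prefix match on the path exactly as the client sent it."""
    return any(path.startswith(public) for public in PUBLIC_PATHS)


def normalize(path):
    """Canonical form of a request path for authorization decisions:
    percent-decode, reject NUL, collapse ./ ../ and repeated slashes,
    and force a single leading slash so the result cannot be relative."""
    path = unquote(path)
    if "\x00" in path:
        return None
    collapsed = posixpath.normpath(path)
    return "/" + collapsed.lstrip("/")


def is_public_hardened(path):
    """Hardened shape: exact match against the allowlist after normalization."""
    canonical = normalize(path)
    return canonical is not None and canonical in PUBLIC_PATHS


def authorize(path, has_valid_session, public_check):
    """Gate in front of the router: 'public', 'allowed' (session) or 'denied'."""
    if public_check(path):
        return "public"
    return "allowed" if has_valid_session else "denied"


# Constructed request paths: what the router would actually serve is the
# normalized form, so anything the gate lets through as "public" but which
# normalizes elsewhere is a bypass.
SAMPLE_PATHS = [
    "/v1/readyz",
    "/v1/readyz/",
    "/v1//readyz",
    "/v1/readyz/../management/Actions/Start",
    "/v1/%2e%2e/v1/management/Actions/Start",
    "/v1/management/Actions/Start",
]


def bypasses(public_check):
    """Paths the gate marks public even though they normalize to a non-public route."""
    return [p for p in SAMPLE_PATHS if public_check(p) and normalize(p) not in PUBLIC_PATHS]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:45} vulnerable={authorize(p, False, is_public_vulnerable):8} "
              f"hardened={authorize(p, False, is_public_hardened)}")
    print("bypasses, vulnerable:", bypasses(is_public_vulnerable))
    print("bypasses, hardened:  ", bypasses(is_public_hardened))
```

Two points are worth carrying over to any gateway: decode before normalizing (otherwise `%2e%2e` survives `normpath` and is decoded later by the router), and make the gate and the router agree on one canonical form, since any mismatch between how they interpret the path is exactly the gap an attacker uses.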