355 matches found
Timing Attack
github.com/ginuerzh/gost is vulnerable to Timing Attacks. The vulnerability exists because the Authenticate function of auth.go does not properly compare sensitive secrets such as passwords, tokens and API keys using constant-time comparison, which allows an attacker to guess a secret by observin...
GHSA-JJM5-5V9V-7HX2 org.xwiki.platform:xwiki-platform-security-authentication-default XSS with authenticate endpoints
Impact It was possible to inject some code using the URL of authenticate endpoints, e.g.: https://hostname/xwiki/authenticate/wiki/xwiki%22onload=%22alertorigin%22/resetpassword This vulnerability was present in recent versions of XWiki: - 13.10.8+ - 14.4.3+ - 14.6+ Patches This problem has been...
node-fetch: exposure of sensitive information to an unauthorized actor
A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as "Authorization," "WWW-Authenticate," and "Cookie" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized...
Intel® Authenticate Advisory
Summary: A potential security vulnerability in Intel® Authenticate may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability. Vulnerability Details: CVEID: CVE-2019-11143 Description: Improper permissions in the software installer for IntelR...
K87235248: ImageMagick vulnerability CVE-2020-29599
Security Advisory Description ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject...
SUSE CVE-2015-8833
Use-after-free vulnerability in the createsmpdialog function in gtk-dialog.c in the Off-the-Record Messaging OTR pidgin-otr plugin before 4.0.2 for Pidgin allows remote attackers to execute arbitrary code via vectors related to the "Authenticate buddy" menu item...
SUSE CVE-2016-7143
The mauthenticate function in modules/msasl.c in Charybdis before 3.5.3 allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted AUTHENTICATE parameter...
SUSE CVE-2019-20933
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret aka shared secret...
SUSE CVE-2020-11087
In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read in ntlmreadAuthenticateMessage. This has been fixed in 2.1.0...
SUSE CVE-2021-21240
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service CPU burn while parsing header of the httplib2 client accessing said...
SUSE CVE-2021-22904
The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses authenticateorrequestwithhttptoken or...
node-fetch: exposure of sensitive information to an unauthorized actor
A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as "Authorization," "WWW-Authenticate," and "Cookie" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized...
CVE-2013-10013
A vulnerability was found in Bricco Authenticator Plugin. It has been declared as critical. This vulnerability affects the function authenticate/compare of the file src/java/talentum/escenic/plugins/authenticator/authenticators/DBAuthenticator.java. The manipulation leads to sql injection...
PT-2023-10002 · Unknown · Bricco Authenticator Plugin
Name of the Vulnerable Software and Affected Versions: Bricco Authenticator Plugin versions prior to 1.39 Description: A critical issue was found in the Bricco Authenticator Plugin, affecting the authenticate/compare function of the DBAuthenticator.java file. This issue leads to sql injection...
node-fetch: exposure of sensitive information to an unauthorized actor
A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as "Authorization," "WWW-Authenticate," and "Cookie" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized...
ecnepsnai web 代码问题漏洞
Web is a Golang HTTP server by Ian Spence, a personal developer. It is used for complex web applications. A security vulnerability exists in ecnepsnai web, which stems from Web Sockets not executing any AuthenticateMethod method that may be set to cause the nil pointer to be dereferenced if the...
CVE-2022-2888
If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists...
SuiteCRM authenticated SQL injection in export functionality
This module exploits an authenticated SQL injection in SuiteCRM in versions before 7.12.6. The vulnerability allows an authenticated attacker to send specially crafted requests to the export entry point of the application in order to retrieve all the usernames and their associated password from t...
CVE-2022-36780 Avdor CIS - crystal quality Credentials Management Errors
Avdor CIS - crystal quality Credentials Management Errors. The product is phone call recorder, you can hear all the recorded calls without authenticate to the system. Attacker sends crafted URL to the system:...
PT-2022-20465 · Indy Node · Indy Node
Name of the Vulnerable Software and Affected Versions: Indy Node versions 1.12.4 and prior Description: The issue affects the server portion of a distributed ledger purpose-built for decentralized identity. In the affected versions, the pool-upgrade request handler in Indy-Node allows an improper...