368 matches found

RedHat Linux
added 2023/02/06 7:42 p.m. · 3 views

node-fetch: exposure of sensitive information to an unauthorized actor

A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as "Authorization," "WWW-Authenticate," and "Cookie" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized...

CVSS 8.8 · AI score 7.2 · EPSS 0.0029
Exploits: 1 · References: 5
NVD
added 2023/01/17 4:15 p.m. · 10 views

CVE-2013-10013

A vulnerability was found in Bricco Authenticator Plugin. It has been declared as critical. This vulnerability affects the function authenticate/compare of the file src/java/talentum/escenic/plugins/authenticator/authenticators/DBAuthenticator.java. The manipulation leads to sql injection...

CVSS 9.8 · AI score 7 · EPSS 0.00726
Exploits: 0 · References: 4
Positive Technologies
added 2023/01/17 12:00 a.m. · 2 views

PT-2023-10002 · Unknown · Bricco Authenticator Plugin

Name of the Vulnerable Software and Affected Versions: Bricco Authenticator Plugin versions prior to 1.39. Description: A critical issue was found in the Bricco Authenticator Plugin, affecting the authenticate/compare function of the DBAuthenticator.java file. This issue leads to sql injection...

CVSS 9.8 · AI score 6 · EPSS 0.00726
Exploits: 0 · References: 8
RedHat Linux
added 2023/01/09 2:55 p.m. · 1 views

node-fetch: exposure of sensitive information to an unauthorized actor

A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as "Authorization," "WWW-Authenticate," and "Cookie" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized...

CVSS 8.8 · AI score 7.2 · EPSS 0.0029
Exploits: 1 · References: 5
CNNVD
added 2022/12/27 12:00 a.m. · 1 views

ecnepsnai web code issue vulnerability

Web is a Golang HTTP server by Ian Spence, a personal developer. It is used for complex web applications. A security vulnerability exists in ecnepsnai web, which stems from Web Sockets not executing any AuthenticateMethod that may be set, causing a nil pointer to be dereferenced if the...

CVSS 9.8 · AI score 8.2 · EPSS 0.00454
Exploits: 1 · References: 3
NVD
added 2022/09/21 12:15 p.m. · 13 views

CVE-2022-2888

If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists...

CVSS 4.4 · EPSS 0.00047
Exploits: 1 · References: 2
Metasploit
added 2022/09/14 7:50 p.m. · 532 views

SuiteCRM authenticated SQL injection in export functionality

This module exploits an authenticated SQL injection in SuiteCRM in versions before 7.12.6. The vulnerability allows an authenticated attacker to send specially crafted requests to the export entry point of the application in order to retrieve all the usernames and their associated password from t...

CVSS 9.1 · AI score 7.1 · EPSS 0.15281
Exploits: 2
Cvelist
added 2022/09/13 2:57 p.m. · 18 views

CVE-2022-36780 Avdor CIS - crystal quality Credentials Management Errors

Avdor CIS - crystal quality Credentials Management Errors. The product is a phone call recorder; all recorded calls can be heard without authenticating to the system. Attacker sends crafted URL to the system:...

CVSS 4.9 · AI score 5.6 · EPSS 0.00187
Exploits: 1 · References: 1
Positive Technologies
added 2022/09/02 12:00 a.m. · 3 views

PT-2022-20465 · Indy Node · Indy Node

Name of the Vulnerable Software and Affected Versions: Indy Node versions 1.12.4 and prior. Description: The issue affects the server portion of a distributed ledger purpose-built for decentralized identity. In the affected versions, the pool-upgrade request handler in Indy-Node allows an improper...

CVSS 8.8 · AI score 8.9 · EPSS 0.01579
Exploits: 0 · References: 10
OSV
added 2022/08/03 9:11 a.m. · 6 views

MAL-2022-3827 Malicious code in ing-lib-authenticate (npm)

Source: ghsa-malware 8c3ac7548488153407ae012be79d50d5f991924e33fbf536557d10c353be61af. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits: 0 · References: 1
CNNVD
added 2022/07/18 12:00 a.m. · 2 views

Inductive Automation Ignition access control error vulnerability

Inductive Automation Ignition is a suite of integrated software platforms for SCADA systems from Inductive Automation, Inc. The platform supports SCADA Data Acquisition and Monitoring Systems, HMI Human Machine Interface, and more. Inductive Automation Ignition suffers from an Access Control Erro...

CVSS 8.1 · AI score 8.2 · EPSS 0.38931
Exploits: 0 · References: 4
NVD
added 2022/07/05 9:15 a.m. · 8 views

CVE-2022-2306

Old session tokens can be used to authenticate to the application and send authenticated requests...

CVSS 8.2 · EPSS 0.00218
Exploits: 1 · References: 2
Cvelist
added 2022/07/05 8:30 a.m. · 18 views

CVE-2022-2306 Insufficient Session Expiration in heroiclabs/nakama

Old session tokens can be used to authenticate to the application and send authenticated requests...

CVSS 8.2 · AI score 7.6 · EPSS 0.00218
Exploits: 1 · References: 2
NVD
added 2022/06/27 8:15 p.m. · 6 views

CVE-2022-31057

Shopware is an open source e-commerce software made in Germany. Versions of Shopware 5 prior to version 5.7.12 are subject to an authenticated Stored XSS in Administration. Users are advised to upgrade. There are no known workarounds for this issue...

CVSS 6.5 · EPSS 0.00409
Exploits: 0 · References: 4
Github Security Blog
added 2022/05/17 4:04 a.m. · 24 views

OpenStack Swift Cross-site Scripting vulnerability

Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 through 1.13.1 allows remote attackers to inject arbitrary web script or HTML via the WWW-Authenticate header...

CVSS 4.3 · AI score 5.5 · EPSS 0.00445
Exploits: 0 · References: 11 · Affected Software: 1
OSV
added 2022/05/17 4:04 a.m. · 22 views

GHSA-66VJ-393F-HXFV OpenStack Swift Cross-site Scripting vulnerability

Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 through 1.13.1 allows remote attackers to inject arbitrary web script or HTML via the WWW-Authenticate header...

CVSS 4.3 · AI score 5.3 · EPSS 0.00445
Exploits: 0 · References: 11
UbuntuCve
added 2022/05/05 11:15 p.m. · 23 views

CVE-2022-29167

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP...

CVSS 7.5 · AI score 7.1 · EPSS 0.0017
Exploits: 0 · References: 5
Prion
added 2022/05/05 11:15 p.m. · 15 views

Cross-site request forgery (CSRF)

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP...

CVSS 5 · AI score 7.3 · EPSS 0.0017
Exploits: 0 · References: 2 · Affected Software: 1
CNNVD
added 2022/03/11 12:00 a.m. · 2 views

FreeTAKServer-UI SQL injection vulnerability

FreeTAKServer-UI is an open source FTS web interface from the FreeTAKTeam team. FreeTAKServer-UI is vulnerable to SQL injection, which stems from the API endpoint /AuthenticateUser passing SQL injection into the SQLite3 database, which can be exploited by an attacker to obtain the database. All...

CVSS 6.5 · AI score 5.9 · EPSS 0.00238
Exploits: 1 · References: 2
CNVD
added 2022/02/08 12:00 a.m. · 17 views

IBM Security Verify Access Unauthorized Access Vulnerability

IBM Security Verify Access (ISAM) is a service from IBM USA that improves user access security. IBM Security Verify Access versions 10.0.0.0, 10.0.1.0 and 10.0.2.0 have a security vulnerability that could be exploited by an attacker to authenticate as any user on the system...

CVSS 9.8 · AI score 5.6 · EPSS 0.00671
Exploits: 0 · References: 1