152 matches found
CVE-2024-1900
Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows an authenticated user via an identity provider to stay authenticated after his user is disabled or deleted in the identity provider such as Okta or Microsoft O365. The use...
CVE-2024-1900
This CVE affects Devolutions Server (versions up to 2023.3.14.0) where improper session management in the identity provider authentication flow can allow an authenticated user, validated via an external IdP (e.g., Okta or O365), to remain authenticated after their identity is disabled or deleted....
PT-2024-12262 · Checkmk · Checkmk
Name of the Vulnerable Software and Affected Versions: Checkmk versions prior to 2.2.0p17 Checkmk versions prior to 2.1.0p37 Checkmk versions prior to 2.0.0p39 Description: The issue is related to an insufficient authentication flow, allowing an attacker to utilize locked credentials...
Microsoft Teams used in phishing campaign to bypass multi-factor authentication
Attackers believed to have ties to Russia's Foreign Intelligence Service SVR are using Microsoft Teams chats as credential theft phishing lures. Microsoft Threat Intelligence has posted details about the perceived attacks targeted at fewer than 40 unique global organizations. The targeted...
PT-2023-6515 · Nvidia · Nvidia Omniverse Workstation Launcher
Name of the Vulnerable Software and Affected Versions: NVIDIA Omniverse Workstation Launcher for Windows and Linux affected versions not specified Description: The issue is related to the authentication flow in the NVIDIA Omniverse Workstation Launcher, where a user's access token is visible in t...
PT-2023-26210 · Jenkins · Jenkins Assembla Auth Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Assembla Auth Plugin versions 1.14 and earlier Description: A cross-site request forgery CSRF vulnerability allows attackers to trick users into logging in to the attacker's account. This issue arises because the plugin does not...
Authorization
UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In affected versions client secrets are not required which may expose some endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit fl...
[NetScaler] LDAP password can be changed with an incorrect Radius Passcode
Below is an example of common 2Factor authentication flow: Root factor: Start Login Schema XML = /nsconfig/loginschema/LoginSchema/DualAuth.xml Adv Authn Policy = LDAPPol Rule = true Action = LDAPAct Next Factor if Success = RadiusFactor Login Schema Profile = LSCHEMAINT Adv Authn Policy =...
CVE-2022-20928
A vulnerability in the authentication and authorization flows for VPN connections in Cisco Adaptive Security Appliance ASA Software and Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to establish a connection as a different user. This vulnerability is due to...
CVE-2022-23724
Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, must have compromised user credentials...
CVE-2022-23723
An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow...
CVE-2022-23723
An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow...
Security feature bypass
An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow...
CVE-2022-23723 PingFederate PingOneMFA Integration Kit MFA Bypass
An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow...
Ping Identity PingFederate授权问题漏洞
Ping Identity PingFederate is a flagship software-based federation server in the United States. for identity management. Ping Identity PingFederate has a security vulnerability that originates from an MFA bypass vulnerability in the PingOne MFA Integration Toolkit when an adapter HTML template is...
PT-2022-16228 · Ping Identity · Pingfederate Pingone Mfa Integration Kit
Name of the Vulnerable Software and Affected Versions: PingFederate PingOne MFA Integration Kit affected versions not specified Description: An MFA bypass issue exists when adapter HTML templates are used as part of an authentication flow. This allows for potential bypass of multi-factor...
Zenly: Account Takeover via SMS Authentication Flow
Summary: During the authentication flow, an SMS is sent to the user in order to validate the session and proceed to the user account. The way Zenly API handles this flow is by: 1. Calling the /SessionCreate endpoint with the mobile phone number of the user. 2. A session for the user is created an...
CVE-2020-4037
CVE-2020-4037 concerns OAuth2 Proxy where versions 5.1.1 and older (up to 5.9.x) allow a user-supplied redirect URL at the end of the authentication flow. The redirect target is validated by the proxy, but the issue arises from insufficiently restricted redirects, potentially enabling open redire...
The vulnerability of the BruteForceProtector component of the Keycloak identity and access management software allows a hacker to gain unauthorized access to protected information.
The software for managing identities and access control in Keycloak is vulnerable due to errors in configuring the “Conditional OTP Authentication Flow”. Exploiting this vulnerability could allow a malicious actor to gain unauthorized access to protected information...
CVE-2020-1744
A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events...