16 matches found
CVE-2026-25050
Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the NativeAuthenticationStrategy.authenticate method is vulnerable to a timing attack that allows attackers to enumerate valid usernames/email addresses. In packages/core/src/config/auth/native-authentication-strategy.t...
GHSA-6F65-4FV2-WWCH Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy
Summary: The NativeAuthenticationStrategy.authenticate method is vulnerable to a timing attack that allows attackers to enumerate valid usernames/email addresses. Details: In packages/core/src/config/auth/native-authentication-strategy.ts, the authenticate method returns immediately if a user is no...
CVE-2026-25050 Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy
Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the NativeAuthenticationStrategy.authenticate method is vulnerable to a timing attack that allows attackers to enumerate valid usernames/email addresses. In packages/core/src/config/auth/native-authentication-strategy.t...
EUVD-2026-5025
Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the NativeAuthenticationStrategy.authenticate method is vulnerable to a timing attack that allows attackers to enumerate valid usernames/email addresses. In packages/core/src/config/auth/native-authentication-strategy.t...
CVE-2026-25050
Vendure CVE-2026-25050 describes a timing-attack vulnerability in the NativeAuthenticationStrategy.authenticate() method. Before version 3.5.3, authentication returns immediately when a user is not found, while a real user triggers bcrypt password verification, creating a measurable timing differ...
EUVD-2025-3740
Malicious code in bioql PyPI...
EUVD-2024-37371
Malicious code in bioql PyPI...
CVE-2025-24506
A specific authentication strategy allows an attacker to learn the IDs of PAM users associated with certain authentication types...
CVE-2025-24506
Broadcom Symantec Privileged Access Management (PAM) is cited as affected by CVE-2025-24506. The connected PT-2025-5378 entry states: a specific authentication strategy allows learning the IDs of PAM users associated with certain authentication types, but it does not specify affected versions and...
CVE-2024-38495
A specific authentication strategy allows a malicious attacker to learn the IDs of all PAM users defined in its database...
CVE-2024-38495 Symantec Privileged Access Manager User Enumeration vulnerability
A specific authentication strategy allows a malicious attacker to learn the IDs of all PAM users defined in its database...
UBUNTU-CVE-2017-8028
In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting...