Lucene search

21 matches found

Snyk
added 2026/05/07 2:57 a.m. · 3 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in JWT validation middleware. An attacker can maintain unauthorized access to user accounts by reusing previously issued JSON Web Tokens even after a password change, as the tokens are not invalidated or...

CVSS 6.3 · AI score 5.8
Exploits 0 · References 2
Snyk
added 2026/01/22 10:50 p.m. · 0 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the lack of JWT authentication middleware and RBAC authorization checks in the routing configuration for /api/v1/jobs endpoint. An attacker can view, update, and delete jobs by sending...

CVSS 9.8 · AI score 5.6 · EPSS 0.0012
Exploits 1 · References 2
EUVD
added 2025/10/07 12:30 a.m. · 1 view

EUVD-2013-1012

Malware in sbrugna...

CVSS 9.1 · AI score 9 · EPSS 0.00216
Exploits 0 · References 3
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2024-0511

Malicious code in bioql PyPI...

CVSS 9.1 · AI score 9.1 · EPSS 0.00309
Exploits 0 · References 6
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2021-30713

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 9.4 · EPSS 0.00322
Exploits 0 · References 2
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2022-6649

Malicious code in bioql PyPI...

CVSS 9.1 · AI score 9 · EPSS 0.0042
Exploits 0 · References 11
Github Security Blog
added 2025/06/03 3:31 p.m. · 9 views

Pekko Management may not properly apply authenticator when Basic Authentication is enabled

If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes...

CVSS 6.5 · AI score 7.5 · EPSS 0.01732
Exploits 1 · References 6 · Affected Software 6
RedhatCVE
added 2025/05/23 7:27 a.m. · 6 views

CVE-2024-39912

web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found...

CVSS 5.3 · AI score 5.4 · EPSS 0.00228
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 3:22 a.m. · 4 views

CVE-2023-24810

Misskey is an open source, decentralized social media platform. Due to insufficient validation of the redirect URL during miauth authentication in Misskey, arbitrary JavaScript can be executed when a user allows the link. All versions below 13.3.1 including 12.x are affected. This has been fixed ...

CVSS 7.1 · AI score 7 · EPSS 0.00505
Exploits 0 · References 1
CVE
added 2025/02/18 6:39 p.m. · 101 views

CVE-2025-24894

CVE-2025-24894 concerns SPID.AspNetCore.Authentication (AspNetCore Remote Authenticator for SPID). The vulnerability arises from insufficient validation of SAML response signatures in VerifySignature(), which may allow an attacker to impersonate any SPID/CIE user by injecting a valid signature in...

CVSS 9.1 · AI score 7.1 · EPSS 0.00057
Exploits 0 · References 1
RedhatCVE
added 2025/02/05 12:55 a.m. · 3 views

CVE-2024-28194

yourspotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions 1.8.0 use a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This vulnerability allows...

CVSS 9.8 · AI score 7.1 · EPSS 0.0022
Exploits 1 · References 1
CVE
added 2024/12/09 6:38 p.m. · 58 views

CVE-2024-52586

CVE-2024-52586 affects eLabFTW versions 4.6.0 to 5.1.0, where an attacker capable of local authentication can bypass the built‑in MFA and log in regardless of MFA requirements. The issue is documented across multiple sources (Red Hat, CVE list, PT-Security, OSV, NVD, CNVD) with the fixed version ...

CVSS 7.8 · AI score 5.8 · EPSS 0.0006
Exploits 0 · References 1 · Affected Software 1
Vulnrichment
added 2024/04/18 7:50 p.m. · 13 views

CVE-2024-32474 Sentry's superuser cleartext password leaked in logs

Sentry is an error tracking and performance monitoring platform. Prior to 24.4.1, when authenticating as a superuser to Sentry with a username and password, the password is leaked as cleartext in logs under the event: auth-index.validatesuperuser. An attacker with access to the log data could use...

CVSS 7.3 · AI score 6.9 · EPSS 0.00733
Exploits 0 · References 4
Positive Technologies
added 2023/11/24 12:00 a.m. · 4 views

PT-2023-30917 · Warpgate

Name of the Vulnerable Software and Affected Versions: Warpgate versions prior to 0.9.0 Description: Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. In affected versions, there is a privilege escalation issue through a non-admin user's account. Limited users can impersonat...

CVSS 8.8 · AI score 9 · EPSS 0.00209
Exploits 0 · References 5
Vulnrichment
added 2023/03/09 4:33 p.m. · 4 views

CVE-2023-25573 Improper access control to download file in metersphere

metersphere is an open source continuous testing platform. In affected versions an improper access control vulnerability exists in /api/jmeter/download/files, which allows any user to download any file without authentication. This issue may expose all files available to the running process. This...

CVSS 8.6 · AI score 8.6 · EPSS 0.93634
Exploits 1 · References 1
OpenVAS
added 2022/12/11 12:00 a.m. · 24 views

Debian: Security Advisory (DSA-5298-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 9.8 · AI score 10 · EPSS 0.94469
Exploits 48 · References 6
Vulnrichment
added 2022/10/12 12:00 a.m. · 10 views

CVE-2022-39299 Signature bypass via multiple root elements in Passport-SAML

Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML elemen...

CVSS 7.4 · AI score 8.3 · EPSS 0.04646
Exploits 1 · References 3
Cvelist
added 2022/06/28 5:50 p.m. · 10 views

CVE-2022-31068 Sensitive Data Exposure on Refused Inventory Files in GLPI

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all GLPI instances with the native inventory used may leak sensitive information. The feature to get refused file is not authenticated...

CVSS 5.3 · AI score 5.4 · EPSS 0.00343
Exploits 2 · References 2
Exploit DB
added 2021/06/01 12:00 a.m. · 717 views

ProjeQtOr Project Management 9.1.4 - Remote Code Execution

Exploit Title: ProjeQtOr Project Management 9.1.4 - Remote Code Execution Date: 29.05.2021 Exploit Author: Temel Demir Vendor Homepage: https://www.projeqtor.org Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV9.1.4.zip Version: v9.1.4 Tested on: Laragon @WIN10...

AI score 7.4
Exploits 0
Positive Technologies
added 2020/01/21 12:00 a.m. · 5 views

PT-2020-5804 · Samba +5

Name of the Vulnerable Software and Affected Versions: Samba versions 4.9.x through 4.9.17 Samba versions 4.10.x through 4.10.11 Samba versions 4.11.x through 4.11.4 Description: The issue is related to an error when the log level is set to 3 or above, causing a string obtained from the client to...

CVSS 10 · AI score 6.7 · EPSS 0.9438
Exploits 152 · References 186