CVE-2022-42461 WordPress miniOrange's Google Authenticator plugin <= 5.6.1 - Broken Access Control vulnerability
Broken Access Control vulnerability in miniOrange's Google Authenticator plugin <= 5.6.1 on WordPress...
CVE-2022-42461
CVE-2022-42461 concerns a Broken Access Control issue in miniOrange’s Google Authenticator plugin for WordPress, affected versions ≤ 5.6.1. The vulnerability is described across multiple sources as an access-control flaw in the plugin’s settings/authorization flow, with no publicly documented exp...
WordPress plugin Google Authenticator security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports the hosting of personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. WordPress...
Failures in Twitter’s Two-Factor Authentication System
Twitter is having intermittent problems with its two-factor authentication system: Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the...
XWiki OIDC Authenticator vulnerable to bypassing OpenID login by providing a custom provider
Impact Even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider by providing its details through request parameters. One can then bypass the XWiki authentication altogether by specifying its own provider through the...
GHSA-M7GV-V8XX-V47W XWiki OIDC Authenticator vulnerable to bypassing OpenID login by providing a custom provider
Impact Even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider by providing its details through request parameters. One can then bypass the XWiki authentication altogether by specifying its own provider through the...
CVE-2022-39387 XWiki OIDC Authenticator vulnerable to OpenID login bypass due to improper authentication
XWiki OIDC has various tools to manipulate the OpenID Connect protocol in XWiki. Prior to version 1.29.1, even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third-party provider's details through request parameters. One can then bypass the XWi...
WordPress miniOrange's Google Authenticator plugin <= 5.6.1 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to Plugin Settings Change discovered by Lana Codes (Patchstack Alliance) in WordPress miniOrange's Google Authenticator plugin versions <= 5.6.1. Solution: Update the WordPress miniOrange's Google Authenticator plugin to the latest available version at leas...
miniOrange's Google Authenticator < 5.6.2 - Subscriber+ Settings Update
The plugin does not have an authorisation check when updating its settings, which could allow any authenticated user, such as a subscriber, to update them...
PT-2022-23368 · Osu Open Source · Vncauthproxy
Name of the Vulnerable Software and Affected Versions: OSU Open Source Lab VNCAuthProxy versions 1.1.1 and earlier Description: The issue is an authentication-bypass vulnerability in the VNCServerAuthenticator, located in vncap/vnc/protocol.py, which could allow a malicious actor to gain...
Okta Jira Authenticator < 3.1.5 Cross-Site Scripting
Okta Jira Authenticator toolkit versions below 3.1.5 suffer from a reflected Cross-Site Scripting (XSS) vulnerability. By injecting a specific payload in the osusername GET parameter, a remote unauthenticated attacker can execute arbitrary JavaScript code in the browser context of the target...
Design/Logic Flaw
A flaw was found in Keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing timestamp validation. The highest threat from this vulnerability is to data confidentiality and integrity...
CVE-2020-35509
CVE-2020-35509 affects Keycloak (notably versions 11.0.3 and 12.0.0). A flaw in the direct-grant authenticator allows acceptance of expired certificates due to missing timestamp validation, impacting confidentiality and integrity. The issue is cited across multiple sources (e.g., GHSA) with remed...
$6 million heist targets video game skin trading site
An incredibly popular digital item trading site has suffered a spectacular loss at the hands of wily attackers. According to Bleeping Computer, CS Money lost out on $6 million via just 20,000 pilfered items. How did this happen, and why are digital items so popular in the first place? The digitiz...
An information disclosure vulnerability in the SAP Authenticator mobile application for Android allows an attacker to gain unauthorized access to protected information.
An information disclosure vulnerability exists in the SAP Authenticator mobile application for Android. Exploiting this vulnerability could allow a remote attacker to gain unauthorized access to protected information...
2FA Bypass in Cockpit Content Platform ≤ v2.2.1
Description: The 2FA secret is disclosed in the JWT token after a user logs into their account in Cockpit Content Platform ≤ v2.2.1, allowing an attacker to bypass the 2FA code. Proof of Concept: 1. Log in with your admin account, enable 2FA in your account and log out. 2. Go to...
CVE-2022-35290
Under certain conditions SAP Authenticator for Android allows an attacker to access information which would otherwise be restricted...
Authentication flaw
Under certain conditions SAP Authenticator for Android allows an attacker to access information which would otherwise be restricted...