820 matches found

Github Security Blog
added 2021/08/02 4:47 p.m., 56 views

Improper Authentication in Apereo CAS

Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication...

CVSS 7.5 | AI score 7.4 | EPSS 0.01204
Exploits 0 | References 3 | Affected Software 2
CNNVD
added 2021/07/13 12:00 a.m., 3 views

Fortinet FortiMail security feature issue vulnerability

Fortinet FortiMail is a set of e-mail security gateway products of the U.S. company Fortinet. The product provides email security and data protection features. A security feature vulnerability exists in Fortinet FortiMail, which stems from the use of a weak pseudo-random number generator in the...

CVSS 7.5 | AI score 5.5 | EPSS 0.00284
Exploits 0 | References 4
Malwarebytes
added 2021/07/01 4:32 p.m., 35 views

SMS authentication code includes ad: a very bad idea

SMS authentication codes are back in the news, and the word I'd use to summarise their reappearance is "embattled." I can still remember a time when two-factor authentication (2FA), authentication grids, regional lockouts, Yubikeys, and offline authentication apps simply did not exist. And if they...

AI score 7.5
Exploits 0
The Hacker News
added 2021/06/29 9:48 a.m., 43 views

New API Lets App Developers Authenticate Users via SIM Cards

Online account creation poses a challenge for engineers and system architects: if you put up too many barriers, you risk turning away genuine users. Make it too easy, and you risk fraud or fake accounts. The Problem with Identity Verification: The traditional model of online identity –...

Exploits 0
Krebs on Security
added 2021/05/29 4:14 p.m., 75 views

Using Fake Reviews to Find Dangerous Extensions

Fake, positive reviews have infiltrated nearly every corner of life online these days, confusing consumers while offering an unwelcome advantage to fraudsters and sub-par products everywhere. Happily, identifying and tracking these fake reviewer accounts is often the easiest way to spot scams...

AI score 6.7
Exploits 0
OSV
added 2021/05/13 8:23 p.m., 29 views

GHSA-5PV8-PPVJ-4H68 Prevent user enumeration using Guard or the new Authenticator-based Security

Description: The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an...

CVSS 5.3 | AI score 5.4 | EPSS 0.01712
Exploits 0 | References 20
Github Security Blog
added 2021/05/13 8:23 p.m., 55 views

Prevent user enumeration using Guard or the new Authenticator-based Security

Description: The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an...

CVSS 5.3 | AI score 1.3 | EPSS 0.01712
Exploits 0 | References 20 | Affected Software 7
Cvelist
added 2021/05/13 12:00 a.m., 20 views

CVE-2021-21424 Prevent user enumeration using Guard or the new Authenticator-based Security

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. ...

CVSS 5.3 | AI score 5.8 | EPSS 0.01712
Exploits 0 | References 7
ThreatPost
added 2021/05/12 12:41 p.m., 36 views

TeaBot Trojan Targets Banks via Hijacked Android Handsets

Researchers have discovered an Android trojan that can steal victims’ SMS messages and credentials and completely take over devices. The trojan, dubbed TeaBot, is aimed at committing fraud against at least 60 banks in Europe. Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS ...

AI score 5.5
Exploits 0 | References 13
Veracode
added 2021/04/29 1:08 p.m., 25 views

Out-of-Bounds Read

Exim is vulnerable to an out-of-bounds read. The vulnerability exists in the SPA authenticator and could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c...

CVSS 7.5 | AI score 2.8 | EPSS 0.04467
Exploits 2 | References 15 | Affected Software 1
Pen Test Partners Blog
added 2021/04/16 4:19 a.m., 220 views

Security vs User Journey

Something I often think about is how my recommendations for clients to fix small security issues can spoil or complicate their users' journey. UX matters: I understand that UX is hugely important; even subtle changes can influence whether a journey is completed or abandoned. The difference between...

AI score 7.1
Exploits 0
Github Security Blog
added 2021/04/08 4:46 p.m., 68 views

CSRF vulnerability can expose user's QR code

Impact: When a user is setting up two-factor authentication using an authenticator app, a QR code is generated and made available via a GET request to /tf-qrcode. Since GETs do not have any CSRF protection, it is possible a malicious third party could access the QR code and therefore gain access to...

AI score 2.2
Exploits 0 | References 3 | Affected Software 1
Hacker One
added 2021/03/29 6:25 a.m., 65 views

HackerOne: Changing the 2FA secret key and backup codes without knowing the 2FA OTP

Summary: After the setup of 2FA, disabling or editing it should require the 2FA OTP. But it can be bypassed. Steps To Reproduce: 1. Sign in to a new HackerOne account. 2. Set up 2FA. 3. Try to disable it without knowing the OTP. You can't; you need to know the Authentication Code or Backup Code...

AI score 1.6
Exploits 0
vulnersOsv
added 2021/03/26 8:15 p.m., 2 views

matrix-server-isenguard (>=0.1.1 <=0.2.0), matrix-temp-mail-checker (>=0.1.2 <=0.1.5) +6 more potentially affected by CVE-2021-21332 via matrix-synapse (>=0.33.9 <=1.153.0)

matrix-synapse PYPI version =0.33.9, =0.1.1, =0.1.2, =0.100.2, =0.1.0, =0.1.0, =0.8.0, =0.8.4 Source cves: CVE-2021-21332 Source advisory: OSV:PYSEC-2021-133...

CVSS 8.2 | AI score 7.4 | EPSS 0.01221
Exploits 0
vulnersOsv
added 2021/03/26 7:53 p.m., 3 views

matrix-server-isenguard (>=0.1.1 <=0.2.0), matrix-temp-mail-checker (>=0.1.2 <=0.1.5) +6 more potentially affected by CVE-2021-21333 via matrix-synapse (>=0.33.9 <=1.153.0)

matrix-synapse PYPI version =0.33.9, =0.1.1, =0.1.2, =0.100.2, =0.1.0, =0.1.0, =0.8.0, =0.8.4 Source cves: CVE-2021-21333 Source advisory: OSV:GHSA-C5F8-35QR-Q4FM...

CVSS 6.1 | AI score 6.3 | EPSS 0.01392
Exploits 0
Yubico
added 2021/03/25 12:00 a.m., 32 views

Security Advisory YSA-2021-03 | Yubico

A security update for pam-u2f resolves a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence touch or cryptographic signature verification to be bypassed, so an attacker would still need to...

CVSS 6.8 | AI score 6.5 | EPSS 0.00333
Exploits 0
Fedora
added 2021/03/19 8:21 p.m., 36 views

[SECURITY] Fedora 34 Update: wpa_supplicant-2.9-11.fc34

wpa_supplicant is a WPA supplicant for Linux, BSD and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). The supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA authenticator and it controls the roaming and IEEE 802.11...

CVSS 7.9 | AI score 5.2 | EPSS 0.04707
Exploits 1
FreeBSD
added 2021/03/11 12:00 a.m., 16 views

gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.14.0: Validate email in external authenticator registration form; ensure validation occurs on clone addresses too...

AI score 3.1
Exploits 0 | References 1
CNVD
added 2021/03/01 12:00 a.m., 5 views

Unauthorized Access Vulnerability in Microsoft Authenticator

Microsoft Authenticator is an application developed by Microsoft related to secure login verification of accounts. An unauthorized access vulnerability exists in Microsoft Authenticator. An attacker could exploit the vulnerability to gain unauthorized access to user information...

AI score 7.1
Exploits 0
vulnersOsv
added 2021/02/26 6:15 p.m., 3 views

matrix-server-isenguard (>=0.1.1 <=0.2.0), matrix-temp-mail-checker (>=0.1.2 <=0.1.5) +5 more potentially affected by CVE-2021-21274 via matrix-synapse (=1.153.0)

matrix-synapse PYPI version =1.153.0 is affected by a known vulnerability. The following packages have a transitive dependency on matrix-synapse and may be impacted: - matrix-server-isenguard =0.1.1, =0.1.2, =0.1.0, =0.1.0, =0.8.0, =0.8.4 Source cves: CVE-2021-21274 Source advisory:...

CVSS 6.5 | AI score 6.5 | EPSS 0.02164
Exploits 0