
6 matches found

Github Security Blog
added 2026/01/30 7:35 p.m. | 4 views

Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy

Summary: The NativeAuthenticationStrategy.authenticate method is vulnerable to a timing attack that allows attackers to enumerate valid usernames/email addresses. Details: In packages/core/src/config/auth/native-authentication-strategy.ts, the authenticate method returns immediately if a user is no...

CVSS 6.9 | AI score 5.9 | EPSS 0.00021
Exploits: 1 | References: 5 | Affected Software: 1
Github Security Blog
added 2026/01/21 1:02 a.m. | 8 views

File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login

Summary: The JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. Details: The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username ...

CVSS 5.3 | AI score 6 | EPSS 0.00237
Exploits: 1 | References: 4 | Affected Software: 2
Redos
added 2024/08/06 12:00 a.m. | 15 views

ROS-20240806-13

A vulnerability in the bcrypt hashing implementation of the Prometheus Exporter Toolkit (a library for exporting system files) is related to an authentication bypass during web.yml file processing. Exploitation of the vulnerability could allow an attacker to bypass security restrictions and gain...

CVSS 8.8 | AI score 7.1 | EPSS 0.00185
Exploits: 1
UbuntuCve
added 2023/11/03 1:15 a.m. | 33 views

CVE-2017-7252

bcrypt password hashing in Botan before 2.1.0 does not correctly handle passwords with a length between 57 and 72 characters, which makes it easier for attackers to determine the cleartext password...

CVSS 7.5 | AI score 7.1 | EPSS 0.0009
Exploits: 0 | References: 2
The Hacker News
added 2019/09/03 3:31 p.m. | 107 views

XKCD Forum Hacked – Over 562,000 Users' Account Details Leaked

XKCD—one of the most popular webcomic platforms known for its geeky tech humor and other science-laden comic strips on romance, sarcasm, math, and language—has suffered a data breach exposing data of its forum users. The security breach occurred two months ago, according to security researcher Tr...

AI score 0.6
Exploits: 0
ThreatPost
added 2016/12/06 1:45 p.m. | 13 views

DailyMotion Hack Leaks Emails, Passwords of 87M Users

DailyMotion, a popular video sharing website, said Tuesday it recently suffered an “external security problem” resulting in the compromise of an unspecified number of its users’ data. LeakedSource.com, a repository of breached data, added DailyMotion to its list of “Hacked Sites” on Monday. The...

AI score 7.4
Exploits: 0 | References: 9