CVE-2026-29067
ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password rese...
Automattic: No Email Checking at Invitation Confirmation Link leads to Account Takeover without User Interaction at CrowdSignal
Summary: Hi team, when you have a team account, you can invite users to your team from https://app.crowdsignal.com/users/list-users.php. If you invite a user, you will see this: F893386. As you can see, there is a confirmation link, and we can see it from our dashboard. And if you invite an existing ema...
Nord Security: Unauthorized User Can Delete Any User Account
DESCRIPTION: Your help desk allows creating tickets by email, which means the user can send an email to the NordVPN support email to add a new ticket to his activities. So when you send an email to [email protected] from your email address, this ticket will be created on the account that you...
Weblate: Account Restore / Reactivating an old email via old reset link
Hi, I noticed you now send a confirmation link after loading the reset link, below is a screenshot showing the email and highlighting the error. F227060 Best Regards, @footstep...
Insecure Login Defaults
github.com/go-authboss/authboss is vulnerable to insecure login. The library successfully logs in when a confirmation link is clicked. This means a malicious user can log in if they obtain a confirmation or password reset link...
Trello: Email authentication token fails to expire and can be used multiple times for same Email address on Trello.com
Hi there Trello Security Team, I have noticed a certain behaviour at https://trello.com, which I believe to be a bug. Summary: You can authenticate an email added on your account with the same authentication token multiple times. You remove it, add it again, and use the same token...
Dropbox: Can make any number of dropbox accounts with one email
Hi there, I have found a very critical systematic issue that enables a user to create any number of accounts with one email. It can be resolved by sending a confirmation link to the email of the registrant. If one user has 1 gigabyte of storage, he can make any number of gigabytes as he needs, and this...
HackerOne: CSRF login
1. Attacker creates a fake account and changes the e-mail. 2. The e-mail confirmation link can now be used to CSRF-login someone into the fake account, then monitor actions performed by the victim or even interact with him...