3 matches found
GHSA-QRM9-F75W-HG4C Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`
Impact Applications which have been bootstrapped by the new igniter installer since AshAuthentication v4.1.0 and who have used the magic link strategy, password resets, confirmation, or are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. If you did not us...
PT-2025-6376 · Unknown · Ashauthentication
Name of the Vulnerable Software and Affected Versions: AshAuthentication versions 4.1.0 through 4.4.8 Description: The issue affects applications that have been bootstrapped by the new igniter installer since AshAuthentication v4.1.0 and have used the magic link strategy or are manually revoking...
GSA Bounty: 2FA bypass - confirmation tokens don't expire
Hi there, Because of the limitation of the site, accounts may be locked down for 10 minutes. I found 2 ways to bypass this lock period. First one with the confirmation mail that we get when we sign on. If we get the token this way below, we can change account password and bypass the lock period a...