72 matches found
PT-2026-23512
Name of the Vulnerable Software and Affected Versions @perfood/couch-auth version 0.26.0 Description A timing discrepancy exists in @perfood/couch-auth version 0.26.0 that could allow attackers to access sensitive information through a timing side-channel. Recommendations At the moment, there is ...
CVE-2025-70948
A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header...
CVE-2025-70949
An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel...
CVE-2025-70948
A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header...
CVE-2025-70949
An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel...
CVE-2025-70948
A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header...
PT-2026-23511
Name of the Vulnerable Software and Affected Versions @perfood/couch-auth version 0.26.0 Description A host header injection flaw exists in the mailer component. This allows attackers to obtain reset tokens and potentially take over accounts by manipulating the HTTP Host header. The affected...
CVE-2025-70949
An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel...
CVE-2025-70949
Summary: CVE-2025-70949 affects @perfood/couch-auth v0.26.0. The vulnerability is an observable timing discrepancy that creates a timing side-channel, potentially allowing an attacker to access sensitive information during authentication. The available documents do not disclose a fixed version; r...
CVE-2025-70948
Summary: CVE-2025-70948 is a host header injection in the mailer component of @perfood/couch-auth v0.26.0, leading to reset-token exposure and possible account takeover via Host header spoofing. Multiple sources (Red Hat, NVD, EUVD, OSV, GHSA, Snyk, and others) corroborate the same vulnerability ...
CVE-2025-15005
A security flaw has been discovered in CouchCMS up to 2.4. Affected is an unknown function of the file couch/config.example.php of the component reCAPTCHA Handler. The manipulation of the argument KRECAPTCHASITEKEY/KRECAPTCHASECRETKEY results in use of hard-coded cryptographic key . It is possibl...
CVE-2025-15005 CouchCMS reCAPTCHA config.example.php hard-coded key
A security flaw has been discovered in CouchCMS up to 2.4. Affected is an unknown function of the file couch/config.example.php of the component reCAPTCHA Handler. The manipulation of the argument KRECAPTCHASITEKEY/KRECAPTCHASECRETKEY results in use of hard-coded cryptographic key . It is possibl...
CVE-2025-60794
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access...
GHSA-62VX-HPCR-M9CH @perfood/couch-auth may expose session tokens, passwords
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access...
EUVD-2025-198271
@perfood/couch-auth may expose session tokens, passwords...
@perfood/couch-auth may expose session tokens, passwords
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access...
CVE-2025-60794
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access...
PT-2025-47578
Name of the Vulnerable Software and Affected Versions couch-auth version 0.21.2 Description Session tokens and passwords are stored in JavaScript objects within the software and are not explicitly cleared from memory. This occurs in src/user.ts lines 700-707, creating a potential for sensitive da...
CVE-2025-60794
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access...
CVE-2025-60794
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access...