22 matches found
CVE-2026-34361
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith...
CVE-2026-22694 AliasVault is Missing Origin Validation in Android Passkey Credential Provider
AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response fo...
CVE-2026-22694
Summary (CVE-2026-22694): AliasVault for Android (versions 0.24.0–0.25.2) contained an incomplete validation flaw in the Android credential provider for passkey requests. Under certain local conditions, a malicious app could obtain a passkey response for a site it was not authorized to access be...
CVE-2026-22694 AliasVault is Missing Origin Validation in Android Passkey Credential Provider
AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response fo...
CVE-2026-22694
AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response fo...
EUVD-2020-29111
Malware in sbrugna...
CVE-2020-8240
A vulnerability in the Pulse Secure Desktop Client 9.1R9 allows a restricted user on an endpoint machine to use system-level privileges if the Embedded Browser is configured with Credential Provider. This vulnerability only affects Windows PDC if the Embedded Browser is configured with the...
MAL-2024-9573 Malicious code in credential-provider-http (npm)
Hackers Could Exploit Google Workspace and Cloud Platform for Ransomware Attacks
A set of novel attack methods has been demonstrated against Google Workspace and the Google Cloud Platform that could be potentially leveraged by threat actors to conduct ransomware, data exfiltration, and password recovery attacks. "Starting from a single compromised machine, threat actors could...
GHSA-G74W-93CP-5P3P Insufficiently Protected Credentials in Jenkins Pipeline SCM API for Blue Ocean Plugin
When pipelines are created using the pipeline creation wizard in Blue Ocean, the credentials used are stored in the per-user credentials store of the user creating the pipeline. To allow pipelines to use this credential to scan repositories and checkout from SCM, the Blue Ocean Credentials Provid...
CVE-2021-31796
CVE-2021-31796 affects CyberArk Credential Provider before v12.1, where an inadequate encryption scheme (AES-256-CBC with a custom key-derivation using environmental fields) can shrink the effective key space to as little as 2^36 in realistic scenarios, enabling potential information disclosure f...
CVE-2021-31797
The user identification mechanism used by CyberArk Credential Provider prior to 12.1 is susceptible to a local host race condition, leading to password disclosure...
Race condition
The user identification mechanism used by CyberArk Credential Provider prior to 12.1 is susceptible to a local host race condition, leading to password disclosure...
CVE-2021-31798
The CVE-2021-31798 vulnerability affects CyberArk Credential Provider prior to version 12.1, where the local encryption key space for the cached data has insufficient entropy. The cache files (configuration_cache.dat and related) are encrypted with AES-CBC and a 256-bit key, but the key derivatio...
CyberArk Credential Provider Race Condition / Authorization Bypass
KL-001-2021-009: CyberArk Credential Provider Race Condition And Authorization Bypass. Title: CyberArk Credential Provider Race Condition And Authorization Bypass; Advisory ID: KL-001-2021-009; Publication Date: 2021.09.01; Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2021-009.t...
CyberArk Credential Provider Local Cache Can Be Decrypted
Vulnerability Details. Affected Vendor: CyberArk; Affected Product: Application Access Manager/Credential Provider; Affected Version: Prior to 12.1; Platform: Linux/Windows/zOS; CWE Classification: CWE-326: Inadequate Encryption Strength; CVE ID: CVE-2021-31798. 2. Vulnerability Description CyberArk...
CyberArk Credential Provider Race Condition And Authorization Bypass
Vulnerability Details. Affected Vendor: CyberArk; Affected Product: Application Access Manager/Credential Provider; Affected Version: Prior to 12.1; Platform: Linux/Windows/zOS; CWE Classification: CWE-326: Inadequate Encryption Strength, CWE-362: Concurrent Execution using Shared Resource with...
Pulse Secure Desktop Client < 9.1R9 Multiple Vulnerabilities (SA44601)
The Pulse Secure Desktop Client installed on the remote Windows system is prior to 9.1R9. It is, therefore, affected by multiple vulnerabilities, including the following: - A vulnerability in the Pulse Secure Desktop Client 9.1R9 could allow the attacker to perform a MITM Attack if end users are...
CVE-2020-8240
A vulnerability in the Pulse Secure Desktop Client 9.1R9 allows a restricted user on an endpoint machine to use system-level privileges if the Embedded Browser is configured with Credential Provider. This vulnerability only affects Windows PDC if the Embedded Browser is configured with the...
CVE-2020-8240
A vulnerability in the Pulse Secure Desktop Client 9.1R9 allows a restricted user on an endpoint machine to use system-level privileges if the Embedded Browser is configured with Credential Provider. This vulnerability only affects Windows PDC if the Embedded Browser is configured with the...