184 matches found
EUVD-2019-0664
Malware in sbrugna...
EUVD-2019-0372
Malware in sbrugna...
EUVD-2021-2418
Malware in sbrugna...
EUVD-2022-4629
Malicious code in bioql PyPI...
EUVD-2024-2856
Malicious code in bioql PyPI...
EUVD-2022-1774
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2019-16109
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmationtoken, if a database record...
Linux Distros Unpatched Vulnerability : CVE-2024-8796
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Under the default configuration, Devise-Two-Factor versions = 2.2.0 & = 2.2.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit...
Linux Distros Unpatched Vulnerability : CVE-2019-5421
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The Devise::Models::Lockable class, more...
CVE-2021-43177
As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password OTP for one and only one immediately trailing interval. CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N...
CVE-2013-0233
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass...
CVE-2019-16751
An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting XSS through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects...
CVE-2015-8314
The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access...
Linux Distros Unpatched Vulnerability : CVE-2021-43177
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password OTP for one and...
Ubuntu: Security Advisory (USN-7050-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
USN-7050-1 ruby-devise-two-factor vulnerabilities
Benoit Côté-Jodoin and Michael Nipper discovered that Devise-Two-Factor incorrectly handled one-time password validation. An attacker could possibly use this issue to intercept and re-use a one-time password. CVE-2021-43177 Garrett Rappaport discovered that Devise-Two-Factor incorrectly handled...
USN-7050-1: Devise-Two-Factor vulnerabilities
Benoit Côté-Jodoin and Michael Nipper discovered that Devise-Two-Factor incorrectly handled one-time password validation. An attacker could possibly use this issue to intercept and re-use a one-time password. CVE-2021-43177 Garrett Rappaport discovered that Devise-Two-Factor incorrectly handled...
Ubuntu 20.04 LTS / 22.04 LTS : Devise-Two-Factor vulnerabilities (USN-7050-1)
The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-7050-1 advisory. Benoit Ct-Jodoin and Michael Nipper discovered that Devise-Two-Factor incorrectly handled one-time password validation. An attacker could...
Insufficient Entropy
devise-two-factor is vulnerable to Insufficient Entropy. The vulnerability is due to the generation of TOTP shared secrets that are only 120 bits, shorter than the 128-bit minimum defined by RFC 4226, allowing an attacker to more easily guess the shared secret and generate valid TOTP codes...
Devise-Two-Factor Authentication Uses Insufficient Default OTP Shared Secret Length
Summary Under the default configuration, Devise-Two-Factor versions 1.0.0 or = 4.0.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make ...