Lucene search
K

5 matches found

OSV
OSV
added 2026/06/05 4:3 p.m.9 views

GHSA-JR54-JWHJ-55GP NocoDB: User Enumeration via Sign-In Timing

Summary Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. Details The unknown-user branch in auth.service.ts now performs a bcrypt.compare against a fixed dummy hash so the response ti...

6.3CVSS5.5AI score0.00197EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/05 4:3 p.m.14 views

NocoDB: User Enumeration via Sign-In Timing

Summary Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. Details The unknown-user branch in auth.service.ts now performs a bcrypt.compare against a fixed dummy hash so the response ti...

6.3CVSS5.5AI score0.00197EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/08 12:7 a.m.6 views

GHSA-MMPQ-5HCV-HF2V Parse Server has a login timing side-channel reveals user existence

Impact The login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant...

6.3CVSS5.8AI score0.0023EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/04/08 12:7 a.m.6 views

Parse Server has a login timing side-channel reveals user existence

Impact The login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant...

6.3CVSS5.9AI score0.0023EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/01/30 7:35 p.m.4 views

GHSA-6F65-4FV2-WWCH Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy

Summary The NativeAuthenticationStrategy.authenticate method is vulnerable to a timing attack that allows attackers to enumerate valid usernames email addresses. Details In packages/core/src/config/auth/native-authentication-strategy.ts, the authenticate method returns immediately if a user is no...

6.9CVSS5.9AI score0.00364EPSS
Exploits1References5
Rows per page
Query Builder