Lucene search

8 matches found

Vulnrichment
added 2024/03/20 8:36 p.m., 9 views

CVE-2024-29033 GoogleOAuthenticator.hosted_domain incorrectly verifies membership of a Google organization/workspace

OAuthenticator provides plugins for JupyterHub to use common OAuth providers, as well as base classes for writing one's own Authenticators with any OAuth 2.0 provider. GoogleOAuthenticator.hosted_domain is used to restrict what Google accounts can be authorized access to a JupyterHub. The...

CVSS 7.5 | AI score 6.6 | EPSS 0.00276
Exploits 0 | References 3
OSV
added 2024/03/06 10:57 a.m., 11 views

BIT-MASTODON-2022-31263

app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions...

CVSS 5.3 | AI score 5.3 | EPSS 0.00217
Exploits 0 | References 3
wpexploit
added 2024/01/05 12:0 a.m., 122 views

Restrict Usernames Emails Characters Plugin < 3.1.4 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. 1. Access the "Restrict Usernames Emails Characters" settings 2. For the field "The name of...

CVSS 4.8 | AI score 6 | EPSS 0.00081
Exploits 2 | References 1
Hacker One
added 2021/09/16 11:41 p.m., 307 views

Flickr: Flickr Account Takeover using AWS Cognito API

Flickr uses Amazon Cognito to implement its login functionality. Furthermore, Flickr does not allow users to change their registered e-mail address via the user interface. This restriction can be bypassed via direct communication with the Amazon Cognito User Pool API. Consider we have the followi...

AI score 0.5
Exploits 0
CNVD
added 2020/03/13 12:0 a.m., 1 views

GitLab Domain Restriction Bypass Vulnerability

GitLab is a Ruby on Rails-developed, self-hosted, Git version control system project repository application from the American company GitLab. The program can be used to access a project's file contents, commit history, bug lists, and more. A security vulnerability exists in GitLab version 12.8.x...

CVSS 5.3 | AI score 6.8 | EPSS 0.00164
Exploits 0
Hacker One
added 2020/02/27 5:40 a.m., 84 views

Visma Bug Bounty Program: A non-administrator user can change his email even when it is restricted by an administrator

A non-administrator user can change his email, even when it is restricted by an administrator, by tampering with the response data. Steps to Reproduce: Log in as a normal user and go to "My details" tab in Profile. Click on Edit icon in Account section. If this functionality is locked by your...

AI score 1.5
Exploits 0
Hacker One
added 2017/07/06 5:35 a.m., 67 views

WakaTime: Running 2 accounts with a single email

Hi, While testing, I found a logic flaw which made me to make two accounts with a single email. Reproduction Steps: 1-Create one account with [email protected] 2-another with [email protected] or [email protected] etc 3-Emails of both accounts will come at [email protected] fix: Don't allow "+" in emails. Thank...

AI score 1
Exploits 0
Exploit DB
added 2003/05/30 12:0 a.m., 27 views

cPanel 5/6 / Formail-Clone - E-Mail Restriction Bypass

source: https://www.securityfocus.com/bid/7758/info It has been reported that cPanel is prone to an issue where a remote attacker may bypass cPanel Formail-clone local domain checks and have untrusted e-mail delivered in the context of the vulnerable host. This issue may be exploited by an attack...

AI score 7.4
Exploits 0