Lucene search

5092 matches found

Snyk
added 2025/12/08 10:19 p.m., 3 views

Open Redirect

Overview: github.com/zitadel/zitadel/internal/api/oidc is a package for identity infrastructure. Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain...

CVSS 8.5 | AI score 7.3
Exploits 0 | References 2

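
The Snyk entry above describes reset links whose host is taken from proxy headers. The following is an added example, not Zitadel's code, showing the pattern in Python: one builder trusts Forwarded / X-Forwarded-Host, the other derives the origin from configuration and honours a forwarded host only when it is on an allow-list. Header values, host names, the reset path and the allow-list are constructed for the example.

```python
"""Added example (not Zitadel's code): building a password-reset link from
request headers. `reset_link_trusting_headers` reproduces the bug class from
the Snyk entry: the host comes from Forwarded / X-Forwarded-Host, so a proxy
that passes those through unmodified lets an attacker pick where the victim's
reset code is sent. `reset_link_pinned` uses the configured origin and only
honours a forwarded host that is allow-listed. All values are constructed."""
import re
from typing import Mapping, Optional

# Constructed sample requests. Real header lookups are case-insensitive;
# the canonical spelling is used here for brevity.
CLEAN_HEADERS = {"Host": "id.example.com"}
ATTACKER_HEADERS = {
    "Host": "id.example.com",
    "X-Forwarded-Host": "evil.example.net",
    "Forwarded": "for=203.0.113.7;host=evil.example.net;proto=https",
}

# Assumed deployment configuration.
CONFIGURED_ORIGIN = "https://id.example.com"
ALLOWED_HOSTS = frozenset({"id.example.com", "login.example.com"})
RESET_PATH = "/ui/password/reset"

# RFC 7239 "Forwarded" carries ;-separated pairs, optionally quoted; the
# first comma-separated element is the proxy closest to the client.
_FORWARDED_HOST = re.compile(r'(?:^|;)\s*host=("?)([^";,]+)\1', re.IGNORECASE)


def forwarded_host(headers: Mapping[str, str]) -> Optional[str]:
    """Host the request claims to have been received on, per proxy headers."""
    fwd = headers.get("Forwarded")
    if fwd:
        m = _FORWARDED_HOST.search(fwd.split(",")[0])
        if m:
            return m.group(2).strip()
    xfh = headers.get("X-Forwarded-Host")
    if xfh:
        return xfh.split(",")[0].strip()
    return None


def reset_link_trusting_headers(headers: Mapping[str, str], code: str) -> str:
    """Vulnerable pattern: whoever controls the proxy headers controls the link."""
    host = forwarded_host(headers) or headers.get("Host", "")
    return f"https://{host}{RESET_PATH}?code={code}"


def reset_link_pinned(headers: Mapping[str, str], code: str) -> str:
    """Hardened: configured origin unless the claimed host is allow-listed."""
    claimed = (forwarded_host(headers) or headers.get("Host", "")).lower()
    origin = f"https://{claimed}" if claimed in ALLOWED_HOSTS else CONFIGURED_ORIGIN
    return f"{origin}{RESET_PATH}?code={code}"


if __name__ == "__main__":
    for name, hdrs in (("clean", CLEAN_HEADERS), ("attacker", ATTACKER_HEADERS)):
        print(name, "trusting:", reset_link_trusting_headers(hdrs, "c0de"))
        print(name, "pinned:  ", reset_link_pinned(hdrs, "c0de"))
```

The practical check on a deployment is whether the reverse proxy strips or overwrites client-supplied Forwarded and X-Forwarded-* headers before they reach the application; if it does not, every absolute URL the application builds from them (password reset, e-mail verification, OAuth redirects) is attacker-controllable.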
NVD
added 2025/12/08 12:16 p.m., 4 views

CVE-2025-42615

In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...

CVSS 8.1 | EPSS 0.00324
Exploits 0 | References 1

Vulnrichment
added 2025/12/08 12:01 p.m., 3 views

CVE-2025-42615 Improper Restriction of Excessive Authentication Attempts vulnerability in CIRCL Vulnerability-Lookup

In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...

CVSS 8.1 | AI score 6.6 | EPSS 0.00324
Exploits 0 | References 1

EUVD
added 2025/12/08 12:01 p.m., 4 views

EUVD-2025-201703

In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...

CVSS 8.1 | AI score 6.5 | EPSS 0.00324
Exploits 0 | References 2

Malwarebytes
added 2025/12/08 8:03 a.m., 5 views

A week in security (December 1 – December 7)

Last week on Malwarebytes Labs: Leaks show Intellexa burning zero-days to keep Predator spyware running; How scammers use fake insurance texts to steal your identity; Canadian police trialing facial recognition bodycams; Update Chrome now: Google fixes 13 security issues affecting billions; Attackers...

AI score 7.1
Exploits 0

Positive Technologies
added 2025/12/08 12:00 a.m., 5 views

PT-2025-49549

In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...

CVSS 8.1 | AI score 7 | EPSS 0.00324
Exploits 0 | References 2

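
The CVE-2025-42615 entries above (NVD, Vulnrichment, EUVD and Positive Technologies) all describe the same gap: a second-factor check that never counts failures. The following added example, not vulnerability-lookup's code, generates RFC 6238 codes so the brute-force cost is concrete and contrasts an unthrottled verifier with one that tracks failures per account and locks the account at a threshold. The threshold, lockout duration and account record are assumptions for the example; the secret and time are the RFC 4226/6238 reference vector.

```python
"""Added example (not vulnerability-lookup's code): the OTP step of a 2FA
login with and without failed-attempt tracking, illustrating CVE-2025-42615.
TOTP generation follows RFC 6238 (HMAC-SHA1, 30 s step, 6 digits); the
account store, threshold and lockout policy are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

MAX_FAILED_OTP = 5          # assumed policy
LOCKOUT_SECONDS = 15 * 60   # assumed policy


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over RFC 4226 HOTP; no +/-1 step tolerance, for brevity."""
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class Account:
    username: str
    totp_secret: bytes
    failed_otp: int = 0        # server-side, keyed by account, not by session
    locked_until: float = 0.0


Verdict = Tuple[bool, str]   # (accepted, reason)


def verify_otp_unthrottled(acct: Account, submitted: str, now: float) -> Verdict:
    """The pattern the advisory describes: a wrong code is merely rejected, so an
    attacker holding the password can walk the whole 10**6 code space."""
    ok = hmac.compare_digest(totp(acct.totp_secret, now), submitted)
    return ok, "ok" if ok else "wrong"


def verify_otp_throttled(acct: Account, submitted: str, now: float) -> Verdict:
    """Counts failures and locks the account once the threshold is reached."""
    if now < acct.locked_until:
        return False, "locked"
    if hmac.compare_digest(totp(acct.totp_secret, now), submitted):
        acct.failed_otp = 0
        return True, "ok"
    acct.failed_otp += 1
    if acct.failed_otp >= MAX_FAILED_OTP:
        acct.failed_otp = 0
        acct.locked_until = now + LOCKOUT_SECONDS
        return False, "locked"
    return False, "wrong"


def brute_force(acct: Account, verify: Callable[[Account, str, float], Verdict],
                now: float) -> Optional[int]:
    """Submit 000000..999999 in order. Returns the attempt number at which a
    code was accepted, or None if the account locked first."""
    for n in range(10 ** 6):
        accepted, reason = verify(acct, f"{n:06d}", now)
        if accepted:
            return n + 1
        if reason == "locked":
            return None
    return None


# RFC 4226 / RFC 6238 reference secret; at t=59 (counter 1) the SHA1 code is
# 94287082, i.e. "287082" truncated to six digits.
RFC_SECRET = b"12345678901234567890"
SAMPLE_TIME = 59


if __name__ == "__main__":
    print("code now:", totp(RFC_SECRET, SAMPLE_TIME))
    print("unthrottled, attempts to success:",
          brute_force(Account("alice", RFC_SECRET), verify_otp_unthrottled, SAMPLE_TIME))
    print("throttled, attempts to success:  ",
          brute_force(Account("alice", RFC_SECRET), verify_otp_throttled, SAMPLE_TIME))
```

Without a limit the attacker's cost is on the order of 10**6 requests, which is cheap; the throttled verifier ends the attempt after five. Two details matter in practice: count failures per account on the server rather than per session, so a fresh login does not reset the counter, and lock or back off per account rather than relying only on per-IP rate limiting.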
RedhatCVE
added 2025/12/05 9:34 p.m., 10 views

CVE-2025-27935

The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...

CVSS 8.6 | AI score 7.1 | EPSS 0.00367
Exploits 0 | References 1

NVD
added 2025/12/05 6:15 p.m., 4 views

CVE-2025-66558

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device by correctly guessing an 80-128 character random string of letters, numbers and symbols. The victim would...

CVSS 4.3 | EPSS 0.00226
Exploits 0 | References 4

EUVD
added 2025/12/05 6:00 p.m., 5 views

EUVD-2025-201460

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device by correctly guessing an 80-128 character random string of letters, numbers and symbols. The victim would...

CVSS 3.1 | AI score 6.1 | EPSS 0.00226
Exploits 0 | References 4

OSV
added 2025/12/05 6:00 p.m., 7 views

CVE-2025-66558 Nextcloud Twofactor WebAuthn app was updated based on public key

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device by correctly guessing an 80-128 character random string of letters, numbers and symbols. The victim would...

CVSS 3.1 | AI score 6.5 | EPSS 0.00226
Exploits 0 | References 6

CNNVD
added 2025/12/05 12:00 a.m., 6 views

WebAuthn second factor provider for Nextcloud security vulnerability

WebAuthn second factor provider for Nextcloud is open source two-factor authentication software from Nextcloud. A security vulnerability exists in WebAuthn second factor provider for Nextcloud versions prior to 1.4.2 and prior to 2.4.1, which stems from a lack of ownership checking and could...

CVSS 4.3 | AI score 6.6 | EPSS 0.00226
Exploits 0 | References 4

Positive Technologies
added 2025/12/05 12:00 a.m., 5 views

PT-2025-49302

Name of the vulnerable software and affected versions: Nextcloud Twofactor WebAuthn versions prior to 1.4.2; Nextcloud Twofactor WebAuthn versions prior to 2.4.1. Description: A missing ownership check allows an attacker to remove a user's WebAuthn two-factor authentication device by correctly guessi...

CVSS 4.3 | AI score 6.7 | EPSS 0.00226
Exploits 0 | References 9

NVD
added 2025/12/04 9:16 p.m., 5 views

CVE-2025-27935

The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...

CVSS 8.6 | EPSS 0.00367
Exploits 0 | References 2

EUVD
added 2025/12/04 8:38 p.m., 6 views

EUVD-2025-201281

The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...

CVSS 8.6 | AI score 6.6 | EPSS 0.00367
Exploits 0 | References 3

Vulnrichment
added 2025/12/04 8:38 p.m., 11 views

CVE-2025-27935 Authentication Bypass in OTP (One-time Passcode) IdP Adapter Integration Kit

The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...

CVSS 8.6 | AI score 6.7 | EPSS 0.00367
Exploits 0 | References 2

Positive Technologies
added 2025/12/04 12:00 a.m., 5 views

PT-2025-49136

The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...

CVSS 8.6 | AI score 7.1 | EPSS 0.00367
Exploits 0 | References 3

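
The CVE-2025-27935 entries above (Red Hat, NVD, EUVD, Vulnrichment and Positive Technologies) describe an adapter that advances the authentication state without checking the HTTP method, the current state or the OTP. The following added example, not Ping Identity's adapter code, models the OTP step as a small state machine in Python and contrasts a continue handler that advances on any request with one that requires a POST, the OTP_SENT state and a matching code. The endpoint path, state names and request shape are constructed for the example.

```python
"""Added example (not Ping Identity's adapter): the OTP step of a login as a
state machine, illustrating CVE-2025-27935. `continue_unchecked` reproduces
the described behaviour (the step completes on any request to the continue
endpoint); `continue_checked` advances only on a POST, only from the state in
which a code was issued, and only with the right code. Names are assumed."""
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Tuple

CONTINUE_PATH = "/otp/continue"   # assumed endpoint


class State(Enum):
    START = "start"                 # nothing verified yet
    PASSWORD_OK = "password_ok"     # first factor done, no code issued
    OTP_SENT = "otp_sent"           # code delivered out of band, awaiting it
    AUTHENTICATED = "authenticated"


@dataclass
class Session:
    user: str
    state: State = State.START
    expected_otp: str = ""


@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str] = field(default_factory=dict)


def password_ok(sess: Session) -> None:
    """First factor accepted (the password check itself is out of scope)."""
    sess.state = State.PASSWORD_OK


def send_otp(sess: Session) -> str:
    """Issue a fresh code; returned here only so the example can 'deliver' it."""
    if sess.state is not State.PASSWORD_OK:
        raise PermissionError("OTP may only be issued after the first factor")
    sess.expected_otp = f"{secrets.randbelow(10 ** 6):06d}"
    sess.state = State.OTP_SENT
    return sess.expected_otp


def continue_unchecked(sess: Session, req: Request) -> Tuple[State, str]:
    """The bug class: any hit on the continue endpoint completes the login,
    whatever the method, the current state or the submitted code."""
    if req.path == CONTINUE_PATH:
        sess.state = State.AUTHENTICATED
        return sess.state, "advanced"
    return sess.state, "ignored"


def continue_checked(sess: Session, req: Request) -> Tuple[State, str]:
    """Method, state and code must all be right; otherwise state is untouched."""
    if req.path != CONTINUE_PATH:
        return sess.state, "ignored"
    if req.method != "POST":
        return sess.state, "method"      # GET/HEAD never mutate auth state
    if sess.state is not State.OTP_SENT:
        return sess.state, "state"       # out of order: no code was issued
    if not hmac.compare_digest(sess.expected_otp, req.form.get("otp", "")):
        return sess.state, "otp"         # wrong or absent code; count it
    sess.expected_otp = ""               # single use: a replay fails "state"
    sess.state = State.AUTHENTICATED
    return sess.state, "advanced"


if __name__ == "__main__":
    s = Session("alice"); password_ok(s)
    print("unchecked, GET with no code:", continue_unchecked(s, Request("GET", CONTINUE_PATH)))
    s = Session("alice"); password_ok(s)
    print("checked, GET with no code:  ", continue_checked(s, Request("GET", CONTINUE_PATH)))
    code = send_otp(s)
    print("checked, POST right code:   ", continue_checked(s, Request("POST", CONTINUE_PATH, {"otp": code})))
```

The order of the checks is the point: method, then state, then code, and every failing branch leaves the session where it was. A continue handler that is reachable by GET, or that does not tie itself to the state in which the code was issued, is what lets a client skip the second factor by requesting the continue URL directly.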
CNNVD
added 2025/12/04 12:00 a.m., 4 views

Ping Identity One-Time Passcode Integration Kit for PingFederate security vulnerability

Ping Identity One-Time Passcode Integration Kit for PingFederate is a suite of software tools and adapters from the US company Ping Identity. A security vulnerability exists in Ping Identity One-Time Passcode Integration Kit for PingFederate that stems from not properly validating the HTTP method and state,...

CVSS 8.6 | AI score 6.6 | EPSS 0.00367
Exploits 0 | References 2

Malwarebytes
added 2025/12/03 3:44 p.m., 4 views

Attackers have a new way to slip past MFA in educational orgs

Researchers are warning about a rise in cases of attackers using Evilginx to steal session cookies among educational institutions, letting them bypass the need for a multi-factor authentication (MFA) token. Evilginx is an attacker-in-the-middle phishing toolkit that sits between you and the real...

AI score 7
Exploits 0

Patchstack
added 2025/12/02 10:03 a.m., 11 views

WordPress WP 2FA plugin <= 2.9.3 - 2-Factor Authentication Bypass vulnerability

2-Factor Authentication Bypass vulnerability discovered by Benjamin Nadarević in WordPress Plugin WP 2FA versions <= 2.9.3...

CVSS 6.3 | AI score 6.7 | EPSS 0.00179
Exploits 0 | References 1 | Affected software 1

EUVD
added 2025/12/02 12:36 a.m., 5 views

EUVD-2025-200110

Grav is vulnerable to Arbitrary File Read...

CVSS 8.5 | AI score 6.4 | EPSS 0.00397
Exploits 1 | References 3