5092 matches found
Open Redirect
Overview github.com/zitadel/zitadel/internal/api/oidc is a package for identity infrastructure Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain...
CVE-2025-42615
In affected versions, vulnerability-lookup did not track or limit failed One-Time Password OTP attempts during Two-Factor Authentication 2FA verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...
CVE-2025-42615 Improper Restriction of Excessive Authentication Attempts vulnerability in CIRCL Vulnerability-Lookup
In affected versions, vulnerability-lookup did not track or limit failed One-Time Password OTP attempts during Two-Factor Authentication 2FA verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...
EUVD-2025-201703
In affected versions, vulnerability-lookup did not track or limit failed One-Time Password OTP attempts during Two-Factor Authentication 2FA verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...
A week in security (December 1 – December 7)
Last week on Malwarebytes Labs: Leaks show Intellexa burning zero-days to keep Predator spyware running How scammers use fake insurance texts to steal your identity Canadian police trialing facial recognition bodycams Update Chrome now: Google fixes 13 security issues affecting billions Attackers...
PT-2025-49549
In affected versions, vulnerability-lookup did not track or limit failed One-Time Password OTP attempts during Two-Factor Authentication 2FA verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...
CVE-2025-27935
The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...
CVE-2025-66558
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would...
EUVD-2025-201460
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would...
CVE-2025-66558 Nextcloud Twofactor WebAuthn app was updated based on public key
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would...
WebAuthn second factor provider for Nextcloud 安全漏洞
WebAuthn second factor provider for Nextcloud is an open source two-factor authentication software from Nextcloud. A security vulnerability exists in WebAuthn second factor provider for Nextcloud versions prior to 1.4.2 and prior to 2.4.1, which stems from a lack of ownership checking and could...
PT-2025-49302
Name of the Vulnerable Software and Affected Versions Nextcloud Twofactor WebAuthn versions prior to 1.4.2 Nextcloud Twofactor WebAuthn versions prior to 2.4.1 Description A missing ownership check allows an attacker to remove a user's WebAuthn two-factor authentication device by correctly guessi...
CVE-2025-27935
The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...
EUVD-2025-201281
The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...
CVE-2025-27935 Authentication Bypass in OTP (One-time Passcode) IdP Adapter Integration Kit
The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...
PT-2025-49136
The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...
Ping Identity One-Time Passcode Integration Kit for PingFederate 安全漏洞
Ping Identity One-Time Passcode Integration Kit for PingFederate is a suite of software tools and adapters from Ping Identity USA. A security vulnerability exists in Ping Identity One-Time Passcode Integration Kit for PingFederate that stems from not properly validating the HTTP method and state,...
Attackers have a new way to slip past MFA in educational orgs
Researchers are warning about a rise in cases of attackers using Evilginx to steal session cookies among educational institutions—letting them bypass the need for a multi-factor authentication MFA token. Evilginx is an attacker-in-the-middle phishing toolkit that sits between you and the real...
WordPress WP 2FA plugin <= 2.9.3 - 2-Factor Authentication Bypass vulnerability
2-Factor Authentication Bypass vulnerability discovered by Benjamin Nadarević in WordPress Plugin WP 2FA versions = 2.9.3...
EUVD-2025-200110
Grav is vulnerable to Arbitrary File Read...