5019 matches found

OSV, added 2026/01/08 9:29 p.m.

GHSA-5FP7-G646-CCF4 Ghost has Staff 2FA bypass

Impact: A vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. Vulnerable versions: Ghost v5.105.0 to v5.130.5 and Ghost v6.0.0 to v6.10.3. Patches: v5.130.6 and v6.11.0 contain a fix for this issue. References: Ghost thanks Sho Odagiri of G...

CVSS 8.1 | AI score 6.7 | EPSS 0.00367 | Exploits 0 | References 5
Github Security Blog, added 2026/01/08 9:29 p.m.

Ghost has Staff 2FA bypass

Impact: A vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. Vulnerable versions: Ghost v5.105.0 to v5.130.5 and Ghost v6.0.0 to v6.10.3. Patches: v5.130.6 and v6.11.0 contain a fix for this issue. References: Ghost thanks Sho Odagiri of G...

CVSS 8.1 | AI score 6.9 | EPSS 0.00367 | Exploits 0 | References 5 | Affected Software 1
HackRead, added 2026/01/07 3:23 p.m.

Lone Hacker Used Infostealers to Access Data at 50 Global Companies

A Hudson Rock report reveals how an Iranian hacker named Zestix breached 50 global companies, including Iberia Airlines and Pickett & Associates, by using stolen passwords and a lack of MFA...

AI score 7 | Exploits 0
The Hacker News, added 2026/01/07 9:42 a.m.

Microsoft Warns Misconfigured Email Routing Can Enable Internal Domain Phishing

Threat actors engaging in phishing attacks are exploiting routing scenarios and misconfigured spoof protections to impersonate organizations' domains and distribute emails that appear as if they have been sent internally. "Threat actors have leveraged this vector to deliver a wide variety of...

AI score 6.8 | Exploits 0
RedhatCVE, added 2026/01/07 9:30 a.m.

CVE-2019-16917

WiKID Enterprise 2FA (two-factor authentication) Enterprise Server through 4.2.0-b2047 is vulnerable to SQL injection through the searchDevices.jsp endpoint. The uid and domain parameters are used, unsanitized, in a SQL query constructed in the buildSearchWhereClause function...

CVSS 8.8 | AI score 7.7 | EPSS 0.02143 | Exploits 3 | References 1
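The bug class behind CVE-2019-16917, as an added example that is not WiKID's code: a device-search filter built by splicing the uid and domain request parameters straight into the SQL text, next to the parameterized form that fixes it. The table, column names, sample rows and function names are constructed for this demo (sqlite3 in-memory) and are not the names used in searchDevices.jsp.

```python
import sqlite3

# Constructed sample data for the demo: three devices across two domains.
SAMPLE_DEVICES = [
    ("alice", "corp.example", "token-001"),
    ("bob", "corp.example", "token-002"),
    ("carol", "partner.example", "token-003"),
]


def open_db():
    """In-memory database with a hypothetical devices table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (uid TEXT, domain TEXT, serial TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", SAMPLE_DEVICES)
    return conn


def build_where_vulnerable(uid, domain):
    # The bug class: request parameters spliced into the SQL text unsanitized.
    return f"WHERE uid = '{uid}' AND domain = '{domain}'"


def search_vulnerable(conn, uid, domain):
    sql = "SELECT uid, domain, serial FROM devices " + build_where_vulnerable(uid, domain)
    return conn.execute(sql).fetchall()


def build_where_safe(uid, domain):
    # Fixed form: placeholders in the SQL text, values bound separately so the
    # driver never interprets them as SQL.
    return "WHERE uid = ? AND domain = ?", (uid, domain)


def search_safe(conn, uid, domain):
    clause, params = build_where_safe(uid, domain)
    return conn.execute("SELECT uid, domain, serial FROM devices " + clause, params).fetchall()


def demo():
    """Returns (rows leaked by the injection, rows for the same input when bound, rows for a legitimate query)."""
    conn = open_db()
    payload = "' OR '1'='1"          # classic tautology payload, constructed
    leaked = search_vulnerable(conn, payload, payload)   # WHERE ... OR '1'='1' matches every row
    bound = search_safe(conn, payload, payload)          # looks for a literal uid of "' OR '1'='1"
    legit = search_safe(conn, "alice", "corp.example")
    return len(leaked), len(bound), len(legit)


if __name__ == "__main__":
    print(demo())
```

The vulnerable clause expands to `WHERE uid = '' OR '1'='1' AND domain = '' OR '1'='1'`, which is true for every row; the bound version returns nothing for the payload and exactly one row for a real uid/domain pair.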
RedhatCVE, added 2026/01/07 9:29 a.m.

CVE-2019-12363

A CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB. An attacker can forge a request to an installed mybb2fa plugin to control its state via usercp.php?action=mybb2fa=deactivate or usercp.php?action=mybb2fa=activate. A deactivate operation lowers the security ...

CVSS 8.8 | AI score 7 | EPSS 0.00618 | Exploits 1 | References 1
RedhatCVE, added 2026/01/07 9:19 a.m.

CVE-2025-69197

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This...

CVSS 6.5 | AI score 6.7 | EPSS 0.00321 | Exploits 0 | References 1
RedhatCVE, added 2026/01/07 9:10 a.m.

CVE-2019-16766

When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. This problem has been patched in version 1.3.0...

CVSS 8.8 | AI score 6.8 | EPSS 0.01162 | Exploits 0 | References 1
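The bug class behind CVE-2019-16766, as an added example that is not wagtail-2fa's code: a login flow that only sends the user to the OTP view from the login handler, so anyone holding the password can type a different admin URL and skip the second factor, next to a dispatch-level gate that refuses every protected path until the session records a verified OTP. The paths, session keys and handler names are assumptions made up for this demo.

```python
PROTECTED_PREFIXES = ("/admin/",)
# Views that must stay reachable before the second factor is complete.
EXEMPT_PATHS = ("/admin/login/", "/admin/2fa/", "/admin/logout/")


def vulnerable_dispatch(session, path):
    """Only the login handler knows about 2FA; every other view trusts the
    password-authenticated session and never asks whether the OTP step ran."""
    if path == "/admin/login/":
        return 302, "/admin/2fa/"          # login succeeds, user is redirected to the OTP view...
    if path.startswith(PROTECTED_PREFIXES) and not session.get("authenticated"):
        return 302, "/admin/login/"
    return 200, path                       # ...but requesting any other URL directly skips it


def enforce_2fa(session, path):
    """Gate applied to every request: returns a redirect tuple or None if allowed."""
    if not path.startswith(PROTECTED_PREFIXES) or path in EXEMPT_PATHS:
        return None
    if not session.get("authenticated"):
        return 302, "/admin/login/"
    if not session.get("otp_verified"):
        return 302, "/admin/2fa/"          # password accepted, OTP outstanding: nothing else is served
    return None


def fixed_dispatch(session, path):
    blocked = enforce_2fa(session, path)
    if blocked:
        return blocked
    return 200, path


def demo():
    """Returns (vulnerable status, fixed response, OTP view status, status after OTP)."""
    # Constructed session: the password check passed, the OTP has not been entered.
    session = {"authenticated": True, "otp_verified": False}
    target = "/admin/2fa/devices/add/"     # hypothetical device-enrolment view
    before = vulnerable_dispatch(session, target)[0]        # 200: enrol a new device, full access
    after = fixed_dispatch(session, target)                  # bounced back to the OTP view
    otp_view = fixed_dispatch(session, "/admin/2fa/")[0]     # the OTP view itself stays reachable
    session["otp_verified"] = True
    allowed = fixed_dispatch(session, target)[0]             # served once the second factor is done
    return before, after, otp_view, allowed


if __name__ == "__main__":
    print(demo())
```

The point is where the check lives: a redirect issued by one handler is a suggestion the browser can ignore, while a gate evaluated on every request is a control.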
OwnCloud, added 2026/01/07 12:0 a.m.

Security Advisory: Credential Theft Incidents - ownCloud

Comprehensive MFA options with administrative controls to enforce policies organization-wide, plus alerts when risky settings are used; embedded network and web application firewalls that are pre-configured and continuously updated, with no customer maintenance required; zero-trust architecture with...

AI score 5.8 | Exploits 0
OSV, added 2026/01/06 5:20 p.m.

GHSA-RGMP-4873-R683 Pterodactyl TOTPs can be reused during validity window

Summary When a user signs into an account with 2FA enabled they are prompted to enter a token. When that token is used, it is not sufficiently marked as used in the system allowing an attacker that intercepts that token to then use it in addition to a known username/password during the token...

CVSS 6.5 | AI score 6.8 | EPSS 0.00321 | Exploits 0 | References 5
Github Security Blog, added 2026/01/06 5:20 p.m.

Pterodactyl TOTPs can be reused during validity window

Summary When a user signs into an account with 2FA enabled they are prompted to enter a token. When that token is used, it is not sufficiently marked as used in the system allowing an attacker that intercepts that token to then use it in addition to a known username/password during the token...

CVSS 6.5 | AI score 6.9 | EPSS 0.00321 | Exploits 0 | References 5 | Affected Software 1
Snyk, added 2026/01/06 1:53 a.m.

Insufficient Session Expiration

Overview pterodactyl/panel is a game management panel. Affected versions of this package are vulnerable to Insufficient Session Expiration via the authentication process. An attacker can gain unauthorized access by reusing a valid TOTP token within its validity window after intercepting it. Note:...

CVSS 6.5 | AI score 6.9 | EPSS 0.00321 | Exploits 0 | References 2
Cvelist, added 2026/01/06 12:44 a.m.

CVE-2025-69197 Pterodactyl TOTPs can be reused during validity window

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This...

CVSS 6.5 | EPSS 0.00321 | Exploits 0 | References 3
Vulnrichment, added 2026/01/06 12:44 a.m.

CVE-2025-69197 Pterodactyl TOTPs can be reused during validity window

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This...

CVSS 6.5 | AI score 6.4 | EPSS 0.00321 | Exploits 0 | References 3
OSV, added 2026/01/06 12:44 a.m.

CVE-2025-69197 Pterodactyl TOTPs can be reused during validity window

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This...

CVSS 6.5 | AI score 6.7 | EPSS 0.00321 | Exploits 0 | References 5
CVE, added 2026/01/06 12:44 a.m.

CVE-2025-69197

Pterodactyl Panel (versions

CVSS 6.5 | AI score 6.4 | EPSS 0.00321 | Exploits 0 | References 3 | Affected Software 1
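The replay problem described in the CVE-2025-69197 entries above (a TOTP accepted more than once inside its validity window), as an added example that is not Pterodactyl's code: an RFC 6238 TOTP generator plus a verifier that records the highest time step it has accepted for each user and rejects any code for that step or an earlier one, so an intercepted code cannot be submitted a second time. The secret, timestamps and user name are constructed for the demo (the secret is the RFC 6238 test-vector key); the replay store is an in-memory dict, which a real deployment would have to share across processes.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238: HOTP over the current time step."""
    return hotp(secret, now // STEP)


class TotpVerifier:
    """Accepts codes within +/- window steps of now and, when single_use is set,
    refuses any time step at or below the last one consumed for that user."""

    def __init__(self, window: int = 1):
        self.window = window
        self.last_accepted_step = {}   # user -> highest time step already used

    def verify(self, user: str, secret: bytes, code: str, now: int, single_use: bool = True) -> bool:
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(secret, step).encode(), code.encode()):
                if single_use and step <= self.last_accepted_step.get(user, -1):
                    return False           # replay: this step (or a later one) was already consumed
                if single_use:
                    self.last_accepted_step[user] = step
                return True
        return False


def demo():
    """Returns (first use, replay) for a verifier with no replay store, then
    (first use, replay, next step) for the single-use verifier."""
    secret = b"12345678901234567890"   # constructed: RFC 6238 test-vector secret
    now = 1_700_000_000                # constructed timestamp, 20 s into its step
    code = totp(secret, now)

    stateless = TotpVerifier()
    v_first = stateless.verify("alice", secret, code, now, single_use=False)
    v_replay = stateless.verify("alice", secret, code, now + 5, single_use=False)   # still accepted

    fixed = TotpVerifier()
    first = fixed.verify("alice", secret, code, now)
    replay = fixed.verify("alice", secret, code, now + 5)          # same step, rejected
    later = fixed.verify("alice", secret, totp(secret, now + STEP), now + STEP)   # fresh step, accepted
    return v_first, v_replay, first, replay, later


if __name__ == "__main__":
    print(demo())
```

Marking the step rather than the code string is what makes the check robust: a code from the previous step is still rejected after a later one has been used, and the store holds one integer per user instead of a growing list of consumed codes.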
SUSE CVE, added 2026/01/06 12:24 a.m.

SUSE CVE-2025-67495

ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the postlogoutredirect GET parameter. As a result, unauthenticate...

CVSS 8 | AI score 7 | EPSS 0.00261 | Exploits 0 | References 2
GithubExploit, added 2026/01/04 10:58 a.m.

defacemeter

DefaceMeter DefaceMeter is a small, static, browser-based pro...

AI score 6.7 | Exploits 0
RedhatCVE, added 2025/12/30 1:2 a.m.

CVE-2025-56333

An issue in Fossorial fosrl/pangolin v.1.6.2 and before allows a remote attacker to escalate privileges via the 2FA component...

CVSS 9.8 | AI score 7.4 | EPSS 0.00423 | Exploits 1 | References 1
Positive Technologies, added 2025/12/30 12:0 a.m.

PT-2025-54218

Name of the Vulnerable Software and Affected Versions: FortiOS (affected versions not specified). Description: A flaw in FortiOS allows bypassing of multi-factor authentication (MFA) through manipulation of username case. This issue is currently being exploited. The exploitation involves tricking the...

AI score 6.4 | Exploits 0 | References 2
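The bug class behind PT-2025-54218 (an MFA requirement sidestepped by changing the case of the username), as an added example that does not reproduce FortiOS internals: credentials are matched case-insensitively while the MFA policy is keyed by the exact string the user typed, next to a version that canonicalizes the username once at the boundary and keys both lookups on that form. Usernames, the policy set and the plaintext secret are constructed for the demo.

```python
# Constructed for the demo: credential store keyed by lower-case username,
# and an MFA policy keyed by the username exactly as an administrator entered it.
USERS = {"alice": "correct horse"}       # plaintext secret for illustration only
MFA_REQUIRED = {"Alice"}


def check_password(username, password):
    # Credential lookup folds case, as many directories do.
    return USERS.get(username.lower()) == password


def login_vulnerable(username, password, otp_ok):
    """Password check and MFA policy check disagree about what a username is."""
    if not check_password(username, password):
        return "denied"
    if username in MFA_REQUIRED and not otp_ok:   # raw string: "ALICE" is not "Alice"
        return "mfa_required"
    return "ok"


def canonical(username):
    # One canonical form, applied before any lookup or policy decision.
    return username.strip().casefold()


MFA_REQUIRED_CANON = {canonical(u) for u in MFA_REQUIRED}


def login_fixed(username, password, otp_ok):
    """Every decision is made on the canonical name, so case variants map to one policy."""
    user = canonical(username)
    if USERS.get(user) != password:
        return "denied"
    if user in MFA_REQUIRED_CANON and not otp_ok:
        return "mfa_required"
    return "ok"


def demo():
    """Returns the outcome of four logins, none of which supplies an OTP except the last."""
    secret = "correct horse"
    return (
        login_vulnerable("Alice", secret, otp_ok=False),   # policy matches: MFA demanded
        login_vulnerable("ALICE", secret, otp_ok=False),   # same account, policy misses: MFA skipped
        login_fixed("ALICE", secret, otp_ok=False),        # canonical form: MFA demanded again
        login_fixed("alice", secret, otp_ok=True),
    )


if __name__ == "__main__":
    print(demo())
```

The general rule the example illustrates: any attribute that selects a security policy must be normalized with the same function the authenticator uses to find the account, otherwise every difference between the two comparisons is a bypass.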