
130 matches found

OSV
added 2025/11/12 4:29 a.m. · 1 view

MAL-2025-144547 Malicious code in loopback-firebase-postgres-luna (npm)

Source: amazon-inspector (2789696425e4ec276c93faea29470a11265e41a4117bcdbc14f88a208240a63e). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.8
Exploits 0
OSSF Malicious Packages
added 2025/09/05 5:10 p.m. · 3 views

Malicious code in kronos-hexo-nodemon-firebase (npm)

The package kronos-hexo-nodemon-firebase was found to contain malicious code...

AI score 7
Exploits 0
RedhatCVE
added 2025/08/21 6:20 p.m. · 12 views

CVE-2025-55306

GenXFX is an advance IA trading platform that will focus on forex trading. A vulnerability was identified in the GenX FX backend where API keys and authentication tokens may be exposed if environment variables are misconfigured. Unauthorized users could gain access to cloud resources Google Cloud...

CVSS 9.8 · AI score 7.5 · EPSS 0.00523
Exploits 0 · References 1
CVE
added 2025/08/19 6:19 p.m. · 18 views

CVE-2025-55306

GenX_FX backend vulnerability: environment-variable misconfiguration can expose API keys and authentication tokens, enabling unauthorized access to cloud resources (Google Cloud, Firebase, GitHub, etc.). Impact is high (credential exposure with potential full resource access) as reported across m...

CVSS 9.8 · AI score 7.4 · EPSS 0.00523
Exploits 0 · References 1
Vulnrichment
added 2025/08/19 6:19 p.m. · 6 views

CVE-2025-55306 GenX_FX authentication bypass in JWT validation

GenXFX is an advance IA trading platform that will focus on forex trading. A vulnerability was identified in the GenX FX backend where API keys and authentication tokens may be exposed if environment variables are misconfigured. Unauthorized users could gain access to cloud resources Google Cloud...

CVSS 9.8 · AI score 7.4 · EPSS 0.00523
Exploits 0 · References 1
Positive Technologies
added 2025/08/15 12:0 a.m. · 4 views

PT-2025-33428 · WordPress · Woocommerce Otp Login With Phone Number

Name of the Vulnerable Software and Affected Versions: WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress versions up to and including 1.8.47 Description: The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is susceptible to authenticatio...

CVSS 8.1 · AI score 6.9 · EPSS 0.00598
Exploits 0 · References 8
OSV
added 2025/08/14 6:52 p.m. · 2 views

MAL-2025-17602 Malicious code in corvus-firebase-exobiology-callback (npm)

The package corvus-firebase-exobiology-callback was found to contain malicious code...

AI score 7.2
Exploits 0
OSSF Malicious Packages
added 2025/08/14 6:52 p.m. · 3 views

Malicious code in corvus-firebase-exobiology-callback (npm)

The package corvus-firebase-exobiology-callback was found to contain malicious code...

AI score 7
Exploits 0
OSV
added 2025/08/14 6:52 p.m. · 2 views

MAL-2025-25658 Malicious code in luminescence-hexo-firebase-kuiperbelt (npm)

The package luminescence-hexo-firebase-kuiperbelt was found to contain malicious code...

AI score 7.2
Exploits 0
Positive Technologies
added 2024/12/13 12:0 a.m. · 2 views

PT-2024-36175 · Appgenixinfotech · Firebase Otp Authentication

Name of the Vulnerable Software and Affected Versions: appgenixinfotech Firebase OTP Authentication versions 1.0.1 and earlier Description: The issue is related to an Authentication Bypass Using an Alternate Path or Channel, allowing unauthorized access. This is a problem where the authentication...

CVSS 9.8 · AI score 7.1 · EPSS 0.00715
Exploits 0 · References 3
Veracode
added 2024/11/19 8:41 a.m. · 6 views

Cross-site Scripting (XSS)

firebase is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper handling of the "FIREBASEDEFAULTS" cookie, which allows attackers to manipulate the "authTokenSyncURL" field and redirect user session data to a malicious server...

CVSS 6.1 · AI score 6.3 · EPSS 0.00125
Exploits 0 · References 4 · Affected Software 1
OSV
added 2024/11/18 12:30 p.m. · 14 views

GHSA-3WF4-68GX-MPH8 Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server

Firebase JavaScript SDK utilizes a "FIREBASEDEFAULTS" cookie to store configuration data, including an "authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "authTokenSyncURL" to point to thei...

CVSS 5.3 · AI score 5.2 · EPSS 0.00125
Exploits 0 · References 5
Github Security Blog
added 2024/11/18 12:30 p.m. · 20 views

Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server

Firebase JavaScript SDK utilizes a "FIREBASEDEFAULTS" cookie to store configuration data, including an "authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "authTokenSyncURL" to point to thei...

CVSS 6.1 · AI score 6.8 · EPSS 0.00125
Exploits 0 · References 5 · Affected Software 1
NVD
added 2024/11/18 11:15 a.m. · 13 views

CVE-2024-11023

Firebase JavaScript SDK utilizes a "FIREBASEDEFAULTS" cookie to store configuration data, including an "authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "authTokenSyncURL" to point to thei...

CVSS 6.1 · EPSS 0.00125
Exploits 0 · References 2
Vulnrichment
added 2024/11/18 10:19 a.m. · 10 views

CVE-2024-11023 Session Hijacking in Firebase JavaScript SDK

Firebase JavaScript SDK utilizes a "FIREBASEDEFAULTS" cookie to store configuration data, including an "authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "authTokenSyncURL" to point to thei...

CVSS 5.2 · AI score 7 · EPSS 0.00125
Exploits 0 · References 2
Cvelist
added 2024/10/17 2:6 a.m. · 20 views

CVE-2024-9863 Miniorange OTP Verification with Firebase <= 3.6.0 - Privilege Escalation via Registration due to Administrator Default User Role Value

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'defaultuserrole' option. This makes it possible for unauthenticated attackers to register an...

CVSS 9.8 · EPSS 0.00581
Exploits 0 · References 3
Vulnrichment
added 2024/10/17 2:6 a.m. · 19 views

CVE-2024-9863 Miniorange OTP Verification with Firebase <= 3.6.0 - Privilege Escalation via Registration due to Administrator Default User Role Value

The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'defaultuserrole' option. This makes it possible for unauthenticated attackers to register an administrator user even if the...

CVSS 9.8 · AI score 9.6 · EPSS 0.00581
Exploits 0 · References 3
Cvelist
added 2024/10/17 2:6 a.m. · 19 views

CVE-2024-9862 Miniorange OTP Verification with Firebase <= 3.6.0 - Unauthenticated Arbitrary User Password Change

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and t...

CVSS 9.8 · EPSS 0.00581
Exploits 0 · References 3
CNNVD
added 2024/10/17 12:0 a.m. · 1 view

WordPress plugin Miniorange OTP Verification with Firebase security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in the...

CVSS 9.8 · AI score 6.7 · EPSS 0.00581
Exploits 0 · References 4
Patchstack
added 2024/10/16 12:0 a.m. · 15 views

WordPress Miniorange OTP Verification with Firebase Plugin <= 3.6.0 is vulnerable to Broken Authentication

Software: Miniorange OTP Verification with Firebase; Type: Plugin; Vulnerable versions: = 3.6.0; Fixed in: 3.6.1; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Broken Authentication; CVE: CVE-2024-9861; Patch priority: High; CVSS severity: High 8.1; Developer Claim ownership PSID...

CVSS 8.1 · AI score 6.5 · EPSS 0.00604
Exploits 0 · References 3 · Affected Software 1