Lucene search
K

152 matches found

wpexploit
wpexploit
added 2022/02/28 12:0 a.m.235 views

miniOrange's Google Authenticator < 5.5 - Unauthenticated Arbitrary Options Deletion

The plugin does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable. Note: The initial issue was fixed in...

8.1CVSS3.2AI score0.00543EPSS
Exploits2
Wired Threat Level
Wired Threat Level
added 2021/10/18 11:0 a.m.15 views

How to Switch From Google Authenticator to Another 2FA App

Yes, you can choose another two-factor authentication app without getting locked out of your accounts...

2.5AI score
Exploits0
WPVulnDB
WPVulnDB
added 2021/08/10 12:0 a.m.8 views

miniOrange's Google Authenticator < 5.4.40 - Reflected Cross-Site Scripting

The plugin does not escape the user parameter before outputting it back in an attribute in the dashboard page to confirm the 2FA reset, leading to a Reflected Cross-Site Scripting issue PoC https://example.com/wp-admin/users.php?page=reset=resetedit="...

0.5AI score
Exploits0Affected Software1
wpexploit
wpexploit
added 2021/08/10 12:0 a.m.658 views

miniOrange's Google Authenticator < 5.4.40 - Reflected Cross-Site Scripting

The plugin does not escape the user parameter before outputting it back in an attribute in the dashboard page to confirm the 2FA reset, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/users.php?page=reset&action=resetedit&user="alert/XSS/...

0.6AI score
Exploits0
OSV
OSV
added 2021/08/02 4:47 p.m.2 views

GHSA-Q39C-5VH5-VW2P Improper Authentication in Apereo CAS

Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication...

7.5CVSS5.8AI score0.01219EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2021/08/02 4:47 p.m.57 views

Improper Authentication in Apereo CAS

Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication...

7.5CVSS7.4AI score0.01219EPSS
Exploits0References3Affected Software2
ThreatPost
ThreatPost
added 2021/05/12 12:41 p.m.36 views

TeaBot Trojan Targets Banks via Hijacked Android Handsets

Researchers have discovered an Android trojan that can steal victims’ SMS messages and credentials and completely take over devices. The trojan, dubbed TeaBot, is aimed at committing fraud against at least 60 banks in Europe. Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS ...

5.5AI score
Exploits0References13
Hacker One
Hacker One
added 2021/03/29 6:25 a.m.66 views

HackerOne: Changing the 2FA secret key and backup codes without knowing the 2FA OTP

Summary: After the setup of 2FA, disabling or editing it should require the 2FA OTP. But it can be bypassed. Steps To Reproduce: 1 Sign in to a new HackerOne account. 2 Setup 2FA; and 3 Try to disable it without knowing the OTP. You can't, you need to know the Authentication Code or Backup Code...

1.6AI score
Exploits0
The Hacker News
The Hacker News
added 2021/01/28 1:44 p.m.62 views

Italy CERT Warns of a New Credential Stealing Android Malware

Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video. Dubbed "Oscorp" by Italy's CERT-AGID and spotted by AddressIntel, the malware "induces the user to install an accessibility service wi...

0.6AI score
Exploits0
Veracode
Veracode
added 2020/10/19 7:36 a.m.21 views

Information Disclosure

cas-server-support-otp-mfa is vulnerable to information disclosure. The vulnerability exists as the user's secret key is sent as a GET parameter in an img tag when Google Authenticator is used...

7.5CVSS1.5AI score0.01219EPSS
Exploits0References2Affected Software2
OSV
OSV
added 2020/10/16 4:15 p.m.22 views

CVE-2020-27178

Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication...

7.5CVSS6.9AI score
Exploits0References1
NVD
NVD
added 2020/10/16 4:15 p.m.22 views

CVE-2020-27178

Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication...

7.5CVSS0.01219EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2020/10/16 4:15 p.m.5 views

CVE-2020-27178

Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication...

7.5CVSS5.3AI score0.01219EPSS
Exploits0References2
Prion
Prion
added 2020/10/16 4:15 p.m.18 views

Authentication flaw

Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication...

5CVSS7.6AI score0.01219EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2020/10/16 3:22 p.m.91 views

CVE-2020-27178

CVE-2020-27178 affects Apereo CAS in multiple lines: 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4. The root cause is mishandling of secret keys used for Google Authenticator-based multifactor authentication. This can lead to improper handling of MFA secr...

7.5CVSS7.5AI score0.01219EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2020/10/16 3:22 p.m.26 views

CVE-2020-27178

Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication...

7.5AI score0.01219EPSS
Exploits0References1
Kitploit
Kitploit
added 2020/08/13 12:30 p.m.53 views

Bastillion - A Web-Based SSH Console That Centrally Manages Administrative Access To Systems

Bastillion is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of user's public SSH keys. Key management and administration is based on profiles assigned to defined users. Administrators can logi...

7.3AI score
Exploits0References9
OSV
OSV
added 2020/07/30 1:15 p.m.5 views

CVE-2020-8206

An improper authentication vulnerability exists in Pulse Connect Secure 9.1RB that allows an attacker with a users primary credentials to bypass the Google TOTP...

8.1CVSS6.7AI score0.02991EPSS
Exploits0References1
Prion
Prion
added 2019/05/13 7:29 p.m.17 views

Authentication flaw

Citrix ShareFile before 19.23 allows a downgrade from two-factor authentication to one-factor authentication. An attacker with access to the offline victim's otp physical token or virtual app like google authenticator is able to bypass the first authentication phase username/password mechanism an...

4.3CVSS5.7AI score0.01233EPSS
Exploits1References1Affected Software1
Trend Micro Simply Security
Trend Micro Simply Security
added 2018/03/13 1:27 p.m.66 views

Two-Factor Authentication: What is it and why do I need it to stay safe online?

Today, Americans are living more and more of their lives on the internet. We shop, bank, socialize, work and play online. But as our digital lives become increasingly important, they are also exposed to greater risks. Hackers are lurking around every corner ready to steal our identities, drain ou...

7.5AI score
Exploits0
Rows per page
Query Builder