5 matches found
auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation
Summary: The Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID instead of deriving a unique ID from the account data returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a...
CVE-2025-49600
In Mbed TLS from 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and the internal error goes unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker who can induce ...
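The failure mode described in the CVE entry above, as an added illustration that is not Mbed TLS code and does not reproduce its LMS implementation: a toy verifier recomputes a digest and compares it with the value carried in the signature, and its hash step can fail. The unchecked variant ignores that failure and compares a buffer that was never written; the checked variant treats any internal error as rejection. Every name here (`toy_hash`, `verify_unchecked`, `verify_checked`, the fault flag) is hypothetical, and the zero-initialised buffer is the assumption that makes the forgery visible.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not Mbed TLS code. A fault flag stands in for a hash
 * primitive that fails at run time (the "fault scenario" in the advisory). */

#define DIGEST_LEN 8

static int g_inject_hash_fault = 0;  /* set to 1 to simulate the hash failing */

/* Toy 64-bit FNV-1a digest. Returns 0 on success, -1 on (simulated) failure.
 * On failure it returns before writing `out`, as a faulting primitive might. */
static int toy_hash(const uint8_t *msg, size_t len, uint8_t out[DIGEST_LEN]) {
    if (g_inject_hash_fault) return -1;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= msg[i]; h *= 0x100000001b3ULL; }
    for (int i = 0; i < DIGEST_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
    return 0;
}

/* Vulnerable pattern: the hash return value is discarded. If the hash fails,
 * `computed` keeps its zero initialisation, so a forged signature of eight
 * zero bytes compares equal. Returns 1 = accepted, 0 = rejected. */
int verify_unchecked(const uint8_t *msg, size_t len, const uint8_t sig[DIGEST_LEN]) {
    uint8_t computed[DIGEST_LEN] = {0};
    toy_hash(msg, len, computed);               /* return value ignored */
    return memcmp(computed, sig, DIGEST_LEN) == 0;
}

/* Hardened pattern: every fallible step is checked and an internal error is
 * reported as its own result, never as acceptance. Returns 1 = accepted,
 * 0 = rejected, -1 = internal error (callers must treat -1 as rejection). */
int verify_checked(const uint8_t *msg, size_t len, const uint8_t sig[DIGEST_LEN]) {
    uint8_t computed[DIGEST_LEN] = {0};
    if (toy_hash(msg, len, computed) != 0) return -1;
    return memcmp(computed, sig, DIGEST_LEN) == 0;
}

/* Forgery attempt: an all-zero signature, which no honest signer produces for
 * this message. Constructed input. Returns 1 if the verifier accepted it. */
int forged_zero_sig_accepted(int use_unchecked, int inject_fault) {
    static const uint8_t msg[] = "transfer 1000 to attacker";
    uint8_t forged[DIGEST_LEN] = {0};
    g_inject_hash_fault = inject_fault;
    int r = use_unchecked ? verify_unchecked(msg, sizeof msg - 1, forged)
                          : verify_checked(msg, sizeof msg - 1, forged);
    g_inject_hash_fault = 0;
    return r == 1;
}

/* Sanity check: a genuine signature still verifies under the checked variant. */
int honest_sig_accepted(void) {
    static const uint8_t msg[] = "transfer 10 to bob";
    uint8_t sig[DIGEST_LEN];
    g_inject_hash_fault = 0;
    if (toy_hash(msg, sizeof msg - 1, sig) != 0) return 0;
    return verify_checked(msg, sizeof msg - 1, sig) == 1;
}

int main(void) {
    printf("no fault, unchecked: forged accepted = %d\n", forged_zero_sig_accepted(1, 0));
    printf("fault,    unchecked: forged accepted = %d\n", forged_zero_sig_accepted(1, 1));
    printf("fault,    checked:   forged accepted = %d\n", forged_zero_sig_accepted(0, 1));
    printf("honest signature accepted (checked): %d\n", honest_sig_accepted());
    return 0;
}
```

The point to take from the example is the review rule behind the fix: in a signature verifier every call that can fail must have its return value checked, and any failure must propagate as an error distinct from "valid", so that a fault in the hash path can only cause a false rejection, never a false acceptance.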
GHSA-38X7-CC6W-J27Q TYPO3 Information Disclosure via Exception Handling/Logger
Problem: It has been discovered that the Install Tool password is logged in plaintext when the password hashing mechanism configured for that password is incorrect. Solution: Update to TYPO3 version 13.4.3 LTS, which fixes the problem described. Credits: Thanks to TYPO3 core & security team member...
PT-2025-3142 · Typo3 · Typo3
Name of the Vulnerable Software and Affected Versions: TYPO3 versions prior to 13.4.3 LTS. Description: A problem has been discovered where the Install Tool password is logged in plaintext if the password hashing mechanism configured for that password is incorrect. There are no known workarounds for th...
PT-2016-2810
Name of the Vulnerable Software and Affected Versions: OpenSSH versions prior to 7.3. Description: The issue is related to password hashing in the OpenSSH server's password authentication. When SHA256 or SHA512 are used for user password hashing, a timing difference in responses can be leveraged by remote...
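The timing difference in the OpenSSH entry above, as an added illustration that is not OpenSSH code: a server that hashes the supplied password with the full-cost algorithm only for accounts that exist, and takes a cheap path for unknown accounts, answers unknown-user attempts measurably faster, so a remote client can tell the two apart. Cost is counted in hash rounds instead of measured with a clock so the effect is deterministic. The account table, the round counts and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not OpenSSH code. `*work` accumulates hash rounds so the
 * cost of each code path can be compared without timing anything. */

#define SLOW_ROUNDS 4096u   /* rounds of the real, expensive password hash (hypothetical) */
#define FAST_ROUNDS 1u      /* the cheap path a careless server takes for unknown users */

static const char *KNOWN_USER = "alice";          /* constructed account */
static const char *KNOWN_PW   = "correct horse";  /* its constructed password */

/* Toy iterated hash (FNV-1a repeated `rounds` times); work is linear in rounds. */
static uint64_t toy_hash(const char *pw, unsigned rounds, unsigned *work) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (unsigned r = 0; r < rounds; r++)
        for (const char *p = pw; *p; p++) { h ^= (uint8_t)*p; h *= 0x100000001b3ULL; }
    if (work) *work += rounds;
    return h;
}

/* Stored verifier for the known user, computed without counting work. */
static uint64_t stored_hash(void) { return toy_hash(KNOWN_PW, SLOW_ROUNDS, NULL); }

/* Leaky pattern: an unknown user is rejected after a cheap fake hash, while a
 * guess for a known user goes through the full SLOW_ROUNDS hash. The cost gap
 * tells a remote client whether the account exists. */
bool auth_leaky(const char *user, const char *pw, unsigned *work) {
    *work = 0;
    if (strcmp(user, KNOWN_USER) != 0) {
        (void)toy_hash(pw, FAST_ROUNDS, work);
        return false;
    }
    return toy_hash(pw, SLOW_ROUNDS, work) == stored_hash();
}

/* Hardened pattern: always run the full-cost hash on the supplied password,
 * then decide. Unknown users cost exactly as much as known ones, and both
 * conditions are evaluated before the result is combined. */
bool auth_constant_cost(const char *user, const char *pw, unsigned *work) {
    *work = 0;
    uint64_t candidate = toy_hash(pw, SLOW_ROUNDS, work);
    bool user_exists = strcmp(user, KNOWN_USER) == 0;
    bool pw_matches  = candidate == stored_hash();
    return user_exists && pw_matches;
}

typedef bool (*auth_fn)(const char *, const char *, unsigned *);

/* Difference in rounds between a wrong guess for a known user and a guess for
 * an unknown user; nonzero means the account's existence leaks. */
unsigned cost_gap(auth_fn auth) {
    unsigned known = 0, unknown = 0;
    auth(KNOWN_USER, "wrong guess", &known);
    auth("nobody",   "wrong guess", &unknown);
    return known > unknown ? known - unknown : unknown - known;
}

/* Convenience wrapper returning only the decision. */
bool login(auth_fn auth, const char *user, const char *pw) {
    unsigned work = 0;
    return auth(user, pw, &work);
}

int main(void) {
    printf("leaky gap = %u rounds, constant-cost gap = %u rounds\n",
           cost_gap(auth_leaky), cost_gap(auth_constant_cost));
    return 0;
}
```

The remaining `strcmp` on the user name is not constant-time either, but its cost is negligible next to the password hash; the observable signal in this class of bug comes from skipping the expensive hash, which is what the hardened variant removes.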