Use Of Hard-Coded Credentials

@evershop/evershop is vulnerable to the Use Of Hard-Coded Credentials. The vulnerability is due to the exposure of a weak HMAC secret. Attackers can use the predictable secret to create valid JSON Web Tokens JWT, which allows them access to sensitive information...

EulerOS 2.0 SP8 : samba (EulerOS-SA-2023-3157)

According to the versions of the samba packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbinddpamauthcrap.c. When performing NTLM...

Pmkidcracker - A Tool To Crack WPA2 Passphrase With PMKID Value Without Clients Or De-Authentication

This program is a tool written in Python to recover the pre-shared key of a WPA2 WiFi network without any de-authentication or requiring any clients to be on the network. It targets the weakness of certain access points advertising the PMKID value in EAPOL message 1. Program Usage python...

GHSA-32R3-57HP-CGFW EverShop at risk to unauthorized access via weak HMAC secret

An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.9. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens JWTs, allowing them access t...

EverShop at risk to unauthorized access via weak HMAC secret

An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.9. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens JWTs, allowing them access t...

CVE-2023-46943

An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens JWTs, allowing them access t...

Hardcoded credentials

An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens JWTs, allowing them access t...

CVE-2023-46943

An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens JWTs, allowing them access t...

CVE-2023-46943

CVE-2023-46943 affects the NodeJS package @evershop/evershop prior to version 1.0.0-rc.8 (and similarly referenced in later advisories). The underlying issue is a hardcoded HMAC secret value of “secret” used to generate tokens, which enables an attacker to forge valid JSON Web Tokens (JWTs). This...

CVE-2023-46943

An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens JWTs, allowing them access t...

Medium: python

Issue Overview: An issue was discovered in comparedigest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.comparedigest. CVE-2022-48566 Affected Packages: python Note: This advisory is applicable to Amazon Linux 2 AL2...

Slackware Linux 14.2 / 15.0 / current libssh Multiple Vulnerabilities (SSA:2023-353-01)

The version of libssh installed on the remote host is prior to 0.10.6. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2023-353-01 advisory. - The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote...

CVE-2023-48707

CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. The secretKey value is an important key for HMAC SHA256 authentication and in affected versions was stored in the database in cleartext form. If a malicious person somehow had access to the data in the database,...

CVE-2023-48707

The CVE-2023-48707 entry concerns CodeIgniter Shield (CodeIgniter 4) where the secretKey used for HMAC SHA256 authentication was stored in cleartext in the database in affected versions. This plaintext storage enables an attacker with DB access to misuse the secretKey to impersonate users via HMA...

Sensitive Information Stored In Clear Text

codeigniter4 is vulnerable to Sensitive Information Disclosure. The vulnerability is due to storing the secretKey for HMAC SHA256 authentication in a raw format. An attacker can exploit this flaw if they gain access to the database and then send requests impersonating any person in the system usi...

GHSA-V427-C49J-8W6X Cleartext Storage of Sensitive Information in HMAC SHA256 Authentication

Impact secretKey, an important key for HMAC SHA256 authentication, was stored in the database in raw form. If a malicious person somehow had access to the data in the database, they could use the key and secretKey for HMAC SHA256 authentication to send requests impersonating that person. Patches...

Cleartext Storage of Sensitive Information in HMAC SHA256 Authentication

Impact secretKey, an important key for HMAC SHA256 authentication, was stored in the database in raw form. If a malicious person somehow had access to the data in the database, they could use the key and secretKey for HMAC SHA256 authentication to send requests impersonating that person. Patches...

Patch Tuesday - November 2023

Microsoft is addressing 64 vulnerabilities this November Patch Tuesday, including five zero-day vulnerabilities as well as one critical remote code execution RCE vulnerability. Overall, this month sees significantly fewer vulnerabilities addressed across a smaller number of products than has been...

CVE-2023-47640

DataHub is an open-source metadata platform. The HMAC signature for DataHub Frontend sessions was being signed using a SHA-1 HMAC with the frontend secret key. SHA1 with a 10 byte key can be brute forced using sufficient resources i.e. state level actors with large computational capabilities...

Default credentials

DataHub is an open-source metadata platform. The HMAC signature for DataHub Frontend sessions was being signed using a SHA-1 HMAC with the frontend secret key. SHA1 with a 10 byte key can be brute forced using sufficient resources i.e. state level actors with large computational capabilities...