Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

1491 matches found

Prion
Prionadded 2021/09/28 9:15 p.m.16 views

Design/Logic Flaw

JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms HS256, HS384, and HS512 combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as...

2.1CVSS4.1AI score0.00034EPSS
Exploits0References3Affected Software1
CVE
CVEadded 2021/09/28 8:50 p.m.86 views

CVE-2021-41106

The CVE-2021-41106 issue affects the LCobucci JWT library. Before versions 3.4.6, 4.0.4, and 4.1.5, when using HMAC-based algorithms (HS256/384/512) with LocalFileReference as the key, tokens were issued/validated using the file path instead of the file contents. This effectively means the key ma...

4.4CVSS4AI score0.00034EPSS
Exploits0References3Affected Software1
Cvelist
Cvelistadded 2021/09/28 8:50 p.m.12 views

CVE-2021-41106 File reference keys leads to incorrect hashes on HMAC algorithms

JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms HS256, HS384, and HS512 combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as...

4.4CVSS5.1AI score0.00034EPSS
Exploits0References3
Friends Of PHP
Friends Of PHPadded 2021/09/28 7:36 p.m.16 views

CVE-2021-41106: File reference keys leads to incorrect hashes on HMAC algorithms

Description Impact Users of HMAC-based algorithms HS256, HS384, and HS512 combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and,...

2.1CVSS0.2AI score0.00034EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHPadded 2021/09/28 7:36 p.m.15 views

CVE-2021-41106: File reference keys leads to incorrect hashes on HMAC algorithms

Impact Users of HMAC-based algorithms HS256, HS384, and HS512 combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users...

4.4CVSS4.4AI score0.00034EPSS
Exploits0Affected Software1
Tenable Nessus
Tenable Nessusadded 2021/09/23 12:0 a.m.1134 views

SSH SHA-1 HMAC Algorithms Enabled

The remote SSH server is configured to enable SHA-1 HMAC algorithms. Although NIST has formally deprecated use of SHA-1 for digital signatures, SHA-1 is still considered secure for HMAC as the security of HMAC does not rely on the underlying hash function being resistant to collisions. Note that...

5.5AI score
Exploits0
IBM Security Bulletins
IBM Security Bulletinsadded 2021/09/22 11:5 p.m.37 views

Security Bulletin: Vulnerability in GnuTLS affects Power Hardware Management Console ( CVE-2018-10845 CVE-2018-10844)

Summary It was found that GnuTLS's implementation of HMAC-SHA-384 and HMAC-SHA-256 was vulnerable to a Lucky Thirteen-style attack. A remote attacker could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets...

5.9CVSS0.4AI score0.00766EPSS
Exploits0Affected Software1
Github Security Blog
Github Security Blogadded 2021/08/25 8:44 p.m.25 views

Algorithms compute incorrect results in blake2

An issue was discovered in the blake2 crate before 0.8.1 for Rust. The BLAKE2b and BLAKE2s algorithms, when used with HMAC, produce incorrect results because the block sizes are half of the required sizes...

9.8CVSS1.7AI score0.00203EPSS
Exploits0References4Affected Software1
OSV
OSVadded 2021/08/25 8:44 p.m.14 views

GHSA-4X25-PVHW-5224 Algorithms compute incorrect results in blake2

An issue was discovered in the blake2 crate before 0.8.1 for Rust. The BLAKE2b and BLAKE2s algorithms, when used with HMAC, produce incorrect results because the block sizes are half of the required sizes...

9.8CVSS9.5AI score0.00203EPSS
Exploits0References4
0day.today
0day.todayadded 2021/08/05 12:0 a.m.122 views

GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated) Exploit

Exploit Title: GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload Unauthenticated Exploit Author: Amin Bohio Original Research & Code By: Paul Taylor / Foregenix Ltd Original Exploit: https://github.com/bao7uo/RAUcrypto Vendor Homepage: https://www.gfi.com Software Link:...

7.4AI score
Exploits0
Metasploit
Metasploitadded 2021/07/23 5:45 p.m.70 views

Apache Tapestry HMAC secret key leak

This exploit finds the HMAC secret key used in Java serialization by Apache Tapestry. This key is located in the file AppModule.class by default and looks like the standard representation of UUID in hex digits hd : 6hd-4hd-4hd-4hd-12hd If the HMAC key has been changed to look differently, this...

10CVSS9.3AI score0.93938EPSS
Exploits5
GithubExploit
GithubExploitadded 2021/06/25 1:55 p.m.268 views

Exploit for Deserialization of Untrusted Data in Apache Tapestry

CVE-2021-27850 Exploit Overview CVE-2021-27850 is a...

10CVSS9.9AI score0.93938EPSS
Exploits5
Github Security Blog
Github Security Blogadded 2021/06/23 5:14 p.m.49 views

Integer Overflow in go-jose

go-jose before 1.0.5 suffers from a CBC-HMAC integer overflow on 32-bit architectures. An integer overflow could lead to authentication bypass for CBC-HMAC encrypted ciphertexts on 32-bit architectures...

7.5CVSS4.5AI score0.00274EPSS
Exploits0References6Affected Software1
OSV
OSVadded 2021/06/23 5:14 p.m.15 views

GHSA-3FX4-7F69-5MMG Integer Overflow in go-jose

go-jose before 1.0.5 suffers from a CBC-HMAC integer overflow on 32-bit architectures. An integer overflow could lead to authentication bypass for CBC-HMAC encrypted ciphertexts on 32-bit architectures...

7.5CVSS7.7AI score0.00274EPSS
Exploits0References5
Github Security Blog
Github Security Blogadded 2021/06/22 3:15 p.m.58 views

Form validation can be skipped

Impact By crafting a special GET request containing a valid form state, a form can be submitted without invoking any validators. We consider the severity low because it is not possible to change any form values since the form state is secured with an HMAC that is still verified. That means that...

6.5CVSS0.4AI score0.00396EPSS
Exploits0References8Affected Software1
OSV
OSVadded 2021/06/21 7:15 p.m.11 views

CVE-2021-32697

neos/forms is an open source framework to build web forms. By crafting a special GET request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form...

5.3CVSS5.5AI score
Exploits0References5
NVD
NVDadded 2021/06/21 7:15 p.m.9 views

CVE-2021-32697

neos/forms is an open source framework to build web forms. By crafting a special GET request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form...

6.5CVSS0.00396EPSS
Exploits0References5
Prion
Prionadded 2021/06/21 7:15 p.m.11 views

Design/Logic Flaw

neos/forms is an open source framework to build web forms. By crafting a special GET request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form...

5CVSS5.4AI score0.00396EPSS
Exploits0References5Affected Software1
Cvelist
Cvelistadded 2021/06/21 6:15 p.m.12 views

CVE-2021-32697 Form validation can be skipped

neos/forms is an open source framework to build web forms. By crafting a special GET request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form...

6.5CVSS6.8AI score0.00396EPSS
Exploits0References5
Friends Of PHP
Friends Of PHPadded 2021/06/21 5:0 p.m.24 views

Form validation can be skipped in neos/form

Impact By crafting a special GET request containing a valid form state, a form can be submitted without invoking any validators. We consider the severity low because it is not possible to change any form values since the form state is secured with an HMAC that is still verified. That means that...

6.5CVSS5.9AI score0.00396EPSS
Exploits0Affected Software1
Rows per page
Query Builder