Lucene search
K

35 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:47 p.m.11 views

CVE-2026-45179

Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured for example, by sending UDP packets to a host on another network, then users' IP addresses may be leaked. Since version 0.9.0, the IP address is no...

5.3CVSS5.4AI score0.00219EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/22 12:0 a.m.10 views

Typebot 安全漏洞

Typebot is an open-source chat bot builder developed by Baptiste Arnaud. Versions of Typebot 3.16.0 and earlier contained a security vulnerability. This vulnerability stemmed from the WhatsApp Cloud API webhook endpoint not verifying the x-hub-signature-256 HMAC signature, allowing unauthenticate...

6.5CVSS5.8AI score0.0014EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/10 12:0 a.m.15 views

PT-2026-39533

Name of the Vulnerable Software and Affected Versions Plack::Middleware::Statsd versions prior to 0.9.0 Description Plack::Middleware::Statsd for Perl may leak user IP addresses. This occurs if the communication channel to the statsd daemon is not secured, such as when sending UDP packets to a ho...

5.3CVSS5.8AI score0.00219EPSS
Exploits0References8
OSV
OSV
added 2026/05/06 10:26 p.m.5 views

GHSA-GMVF-9V4P-V8JC fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver

Summary A critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string '', for example via the common keysdecoded.header.ki...

9.1CVSS6AI score0.00236EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/06 10:26 p.m.13 views

fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver

Summary A critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string '', for example via the common keysdecoded.header.ki...

9.1CVSS6AI score0.00236EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2026/03/24 12:0 a.m.10 views

WordPress plugin JetEngine SQL注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

7.5CVSS5.8AI score0.00322EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/02/26 4:15 a.m.7 views

CVE-2026-26717

An issue in OpenFUN Richie LMS in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the synccourserunfromrequest function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response...

4.8CVSS5.5AI score0.00376EPSS
Exploits0References1
CVE
CVE
added 2025/12/04 6:45 p.m.46 views

CVE-2025-65945

CVE-2025-65945 affects auth0/node-jws (Node.js). In affected versions (3.2.2 and earlier; 4.0.0) there is an improper HS256 signature verification under specific conditions when using jws.createVerify() with user-provided header/payload data in HMAC secret lookups. IBM bulletins corroborate the i...

7.5CVSS6.4AI score0.002EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-1379

Malicious code in bioql PyPI...

5.3CVSS5.5AI score0.0047EPSS
Exploits0References7
Cvelist
Cvelist
added 2025/06/02 4:23 p.m.20 views

CVE-2025-48995 SignXML's signature verification with HMAC is vulnerable to a timing attack

SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set signxml.XMLVerifier.verifyrequirex509=False, hmackey=..., versions of SignXML prior to 4.0.4 are vulnerable to a potential...

6.9CVSS0.00199EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/05/23 10:49 a.m.29 views

CVE-2024-25714

In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops the comparison when the first difference is spotted in the two signatures. The fix uses gnutlsmemcmp, which has constant-time execution...

9.8CVSS6.7AI score0.00814EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 8:44 a.m.6 views

CVE-2024-34358

TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the ShowImageController eID txcmsshowpic lacks a cryptographic HMAC-signature on the frame HTTP query parameter e.g...

5.3CVSS6.8AI score0.0047EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 3:50 a.m.12 views

CVE-2023-32694

Saleor Core is a composable, headless commerce API. Saleor's validatehmacsignature function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could...

5.4CVSS6.6AI score0.00341EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 12:16 p.m.9 views

CVE-2012-1605

The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unserializes untrusted data, which allows remote attackers to unserialize arbitrary objects and possibly execute arbitrary code via vectors related to "a missing signature HMAC for a request argument."...

5CVSS7.9AI score0.02365EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2025/03/05 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2024-25714

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side- channel attacks, because it stops the comparison when...

9.8CVSS5.4AI score0.00814EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2024/05/14 8:13 p.m.32 views

TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController

Problem The ShowImageController eID txcmsshowpic lacks a cryptographic HMAC-signature on the frame HTTP query parameter e.g. /index.php?eID=txcmsshowpic?file=3&...&frame=12345. This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side...

5.3CVSS5.4AI score0.0047EPSS
Exploits0References7Affected Software1
Cvelist
Cvelist
added 2024/05/14 2:26 p.m.35 views

CVE-2024-34358 TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController

TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the ShowImageController eID txcmsshowpic lacks a cryptographic HMAC-signature on the frame HTTP query parameter e.g...

5.3CVSS5.5AI score0.0047EPSS
Exploits0References5
CVE
CVE
added 2024/05/14 2:26 p.m.67 views

CVE-2024-34358

TYPO3 ShowImageController vulnerability: the frame parameter is not cryptographically HMAC-signed, allowing an attacker to trigger server-side generation of thumbnails and potentially exhaust resources. Affected are TYPO3 versions 9.0.0 up to, but not including, 9.5.48 ELTS; 10.4.45 ELTS; 11.5.37...

5.3CVSS5.2AI score0.0047EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2024/02/11 12:0 a.m.15 views

CVE-2024-25714

In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops the comparison when the first difference is spotted in the two signatures. The fix uses gnutlsmemcmp, which has constant-time execution...

9.1CVSS6.7AI score0.00814EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2024/02/11 12:0 a.m.15 views

CVE-2024-25714

In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops the comparison when the first difference is spotted in the two signatures. The fix uses gnutlsmemcmp, which has constant-time execution...

6.7AI score0.00814EPSS
Exploits0References1
Rows per page
Query Builder