1662 matches found
com.softwaremill.akka-http-session:jwt_2.13 (>=0.5.7 <=0.6.0) potentially affected by CVE-2020-28452 via com.softwaremill.akka-http-session:core_2.13 (>=0.5.10 <=0.6.0)
com.softwaremill.akka-http-session:core2.13 MAVEN version =0.5.10, =0.5.7, =0.6.0 Source cves: CVE-2020-28452 Source advisory: SNYK:JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1058933...
CVE-2020-9049
A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid...
Authorization
A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid...
CVE-2020-9049 victor Web Client and C•CURE Web Client JSON Web Token (JWT) Vulnerability
A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid...
CVE-2020-9049
CVE-2020-9049 affects Johnson Controls Victor Web Client and Software House C•CURE Web Client. Affected products: victor Web Client up to v5.6 and C•CURE Web Client up to v2.90; mitigations include upgrading to victor v5.6 SP1 and C•CURE Web Client v2.70+ with updates (Web Client_c2.70_5.2_Update...
DEBIAN-CVE-2019-20933
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret aka shared secret...
UBUNTU-CVE-2019-20933
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret aka shared secret...
Influxdata InfluxDB 授权问题漏洞
InfluxDB is an open source temporal database developed by InfluxData. An authentication bypass vulnerability exists in the authenticate function in services/httpd/handler.go in versions prior to InfluxDB 1.7.6. The vulnerability stems from the fact that JWT tokens may have an empty SharedSecret. ...
DEBIAN-CVE-2020-26521
The JWT library in NATS nats-server before 2.1.9 allows a denial of service a nil dereference in Go code...
DEBIAN-CVE-2020-26892
The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled...
UBUNTU-CVE-2020-26521
The JWT library in NATS nats-server before 2.1.9 allows a denial of service a nil dereference in Go code...
Improper Authentication
Overview react-adal is an Azure Active Directory Library ADAL support for ReactJS. Affected versions of this package are vulnerable to Improper Authentication. It is possible for a specially crafted JWT token and request URL can cause the nonce, session and refresh values to be incorrectly...
CVE-2020-26511
The wpo365-login plugin before v11.7 for WordPress allows use of a symmetric algorithm to decrypt a JWT token. This leads to authentication bypass...
DEBIAN-CVE-2020-26160
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with string for m"aud" which is allowed by the specification. Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lac...
AZL-41684 CVE-2020-26160 affecting package dcos-cli for versions less than 1.2.0-15
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with string for m"aud" which is allowed by the specification. Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lac...
Insecure Authentication
authmagic-timerange-stateless-core uses insecure authentication. When comparing signatures in the JSON web token JWT and refreshToken, the package does not verify the JWT token sent by user before reissuing a new token, allowing an attacker to forge a user's identity by modifying the payload and...
PT-2020-7931
Name of the Vulnerable Software and Affected Versions: jws versions prior to 3.0.0 Description: The issue allows a malicious actor to modify the contents of a JWT while still passing verification, potentially leading to a complete authentication bypass. This can be achieved by exploiting the...
h1-ctf: [H1-2006 2020] Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or using a custom API attack tool
H1-2006 CTF Writeup F859938 Summary: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of...
Critical 'Sign in with Apple' Bug Could Have Let Attackers Hijack Anyone's Account
Apple recently paid Indian vulnerability researcher Bhavuk Jain a huge $100,000 bug bounty for reporting a highly critical vulnerability affecting its 'Sign in with Apple ' system. The now-patched vulnerability could have allowed remote attackers to bypass authentication and take over targeted...
How An Image Could've Let Attackers Hack Microsoft Teams Accounts
Microsoft has patched a worm-like vulnerability in its Teams workplace video chat and collaboration platform that could have allowed attackers to take over an organization's entire roster of Teams accounts just by sending participants a malicious link to an innocent-looking image. The flaw,...