
12 matches found

Vulnrichment
added 2026/05/25 8:19 p.m., 5 views

CVE-2026-43827 Apache Shiro: Session fixation: new session is not created after login by default

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already...

5.9 CVSS, 5.8 AI score, 0.00067 EPSS
Exploits: 0, References: 1
EUVD
added 2026/05/25 8:19 p.m., 8 views

EUVD-2026-31736

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already...

5.9 CVSS, 5.8 AI score, 0.00067 EPSS
Exploits: 0, References: 1
EUVD
added 2026/04/01 6:36 p.m., 0 views

EUVD-2025-209166

The login mechanism of Sage DPW 202106004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 202106000. On-premise administrators can toggle this behavior in newer versions...

3.7 CVSS, 5.8 AI score, 0.00013 EPSS
Exploits: 0, References: 3
NVD
added 2026/04/01 4:23 p.m., 1 view

CVE-2025-67807

The login mechanism of Sage DPW 202506004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 202106000. On-premise administrators can toggle this behaviour in newer versions...

4.7 CVSS, 0.00032 EPSS
Exploits: 0, References: 2
CVE
added 2025/06/25 4:46 p.m., 16 views

CVE-2025-52576

Kanboard prior to version 1.2.46 is vulnerable to username enumeration and IP spoofing–based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can enumerate valid usernames and bypass rate-limiting or IP-based blocking mechanisms, increasing ...

5.3 CVSS, 7.1 AI score, 0.00364 EPSS
Exploits: 0, References: 4, Affected Software: 1
Vulnrichment
added 2025/06/25 4:46 p.m., 2 views

CVE-2025-52576 Kanboard vulnerable to Username Enumeration via Login Behavior and Bruteforce Protection Bypass

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine vali...

5.3 CVSS, 7.1 AI score, 0.00364 EPSS
Exploits: 0, References: 4
OpenVAS
added 2025/05/07 12:00 a.m., 2 views

Ensure That Warning Banners Contain Proper Information

Warning banners contain warning information added on the system login page. Security warnings are displayed for all users who log in to the system. The security warnings must include information about the organization to which the system belongs, monitoring or records of login behavior, and legal...

6.4 AI score
Exploits: 0, References: 4
OSV
added 2024/02/14 11:15 p.m., 0 views

CVE-2024-24300

4ipnet EAP-767 v3.42.00 is vulnerable to Incorrect Access Control. The device uses the same set of credentials, regardless of how many times a user logs in, the content of the cookie remains unchanged...

9.8 CVSS, 5.8 AI score
Exploits: 0, References: 1
Malwarebytes
added 2018/09/03 3:00 p.m., 64 views

A week in security (August 27 – September 2)

Last week, we looked at dubious antics in mobile land, a peculiar case of spam on the official Cardi B website, and we deep dived into fileless malware. We also explored the inner workings of Hidden Bee, and gave an explainer of Regex. Other cybersecurity news: Huge data breach affects Chinese...

1.2 AI score, 0.00367 EPSS
Exploits: 5
ThreatPost
added 2017/11/13 1:29 p.m., 10 views

Phishing Biggest Threat to Google Account Security

Last year may have been mostly about ransomware, but it’s difficult to forget the billion or so passwords that were spilled in high-profile breaches and credential leaks. Google and researchers from the University of California Berkeley attempted to ease some of that pain, and teamed up to analyz...

0.4 AI score
Exploits: 0, References: 2
Atlassian
added 2008/01/23 2:04 p.m., 28 views

Different IE browser windows have different sessions and different session timeout timing

One of our user reported the following: ---- I discovered the reason why JIRA sometimes closes my IE session, it depends on the way you login: 1 When you login via navigation to your home page http://support/jira/secure/Dashboard.jspa all is ok, multiple JIRA sessions never expire. 2 When you log...

7 AI score
Exploits: 0, Affected Software: 1
Packet Storm
added 1999/08/17 12:00 a.m., 22 views

shadow.root.uid.65536.txt

Date: Mon, 24 May 1999 20:44:28 +0200 From: Lord Evil To: [email protected] Subject: UID 65536 and shadow-19990307 Recently one of our admins installed the shadow-19990307 package. While playing around I noticed that if a new user is created with UID 65536, he will become root upon login. No...

7.4 AI score
Exploits: 0