Lucene search
K

7 matches found

Huntr
Huntr
added 2022/09/04 1:17 p.m.16 views

Multiple user accounts via same email and username

Description Nakama console does not validate uppercase/lowercase letters when creating a new user. This can be abused to create multiple user accounts with same email and username. Proof of Concept HTTP Request 1 request POST /v2/console/user HTTP/1.1 Host: 192.168.1.16:7351 Authorization: Bearer...

7AI score
Exploits0
Huntr
Huntr
added 2022/08/23 1:34 p.m.10 views

Insufficient Session Expiration

Description The Nakama Console session is not invalidated when the user is deleted. Proof of Concept Steps to reproduce: 1. Log in to the Nakama Console as admin and create a user [email protected] 2. In a separate browser or private window log in to the account [email protected] 3. In the admin session,...

1AI score
Exploits0References1
Huntr
Huntr
added 2022/08/23 12:59 p.m.17 views

User Enumeration via Response Timing

Description There is a significant timing difference in the login functionality of the Nakama Console for valid and invalid email addresses or usernames. Proof of Concept 1. Login to the Nakama Console as admin and create a User [email protected] 2. Logout 3. Attempt a Login with an incorrect passwor...

0.1AI score
Exploits0References1
Github Security Blog
Github Security Blog
added 2022/07/06 12:0 a.m.26 views

Improper Restriction of Excessive Authentication Attempts

Nakama Console does not enforce any limit for the number of unsuccessful login attempts...

9.8CVSS3AI score0.01468EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2022/07/06 12:0 a.m.17 views

GHSA-8R94-4H3C-939F Improper Restriction of Excessive Authentication Attempts

Nakama Console does not enforce any limit for the number of unsuccessful login attempts...

9.8CVSS9.5AI score0.01468EPSS
Exploits1References5
Huntr
Huntr
added 2022/05/24 11:0 a.m.7 views

User Account Deletion and more via Clickjacking

Description As nakama console is not restricted from being loaded in an iframe, clickjacking attack is possible. Proof of Concept 1. Login to nakama console. 2. Save the following as an .html file and open it in the browser to see that the page loads into an iframe. html :"...

1.2AI score
Exploits0
Huntr
Huntr
added 2022/05/24 9:52 a.m.29 views

No Protection against Bruteforce attacks on Login page

Description Nakama Console does not have any limit for the number of unsuccessful login attempts in a very short period of time. Proof of Concept 1. Send a login request. 2. Capture the login request 3. Replay the login request with different password value. HTTP request http POST...

5CVSS8.7AI score0.01468EPSS
Exploits1
Rows per page
Query Builder