Lucene search
+L

898 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:19 p.m.11 views

CVE-2026-10611

An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.requireotp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticat...

10CVSS5.5AI score0.00353EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.9 views

CVE-2026-33667

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirmotp action of the twofactorauthentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing bruteforceblockafterfailedlogins setting...

7.4CVSS5.4AI score0.00296EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:16 p.m.9 views

CVE-2026-42514

This vulnerability exists in e-Sushrut due to exposure of OTPs in plaintext within API responses. A remote attacker could exploit this vulnerability by intercepting API responses containing valid OTPs. Successful exploitation of this vulnerability could allow an attacker to impersonate the target...

8.8CVSS5.6AI score0.00227EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 6:48 p.m.14 views

CVE-2024-0391

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage...

5.3CVSS5.5AI score0.00184EPSS
Exploits0References1
OSV
OSV
added 2026/06/05 6:5 p.m.4 views

CVE-2026-45749 Termix's TOTP two-factor authentication can be disabled or bypassed using only the account password

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The POST /users/totp/disable and POST /users/totp/backup-codes endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical...

8.1CVSS6AI score0.00324EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/06/05 12:0 a.m.24 views

PT-2026-46987

Name of the Vulnerable Software and Affected Versions Omni affected versions not specified Description A TOCTOU Time-of-Check to Time-of-Use race condition exists in the SAML.getSession function within internal/pkg/auth/interceptor/saml.go. The system checks the Used flag of a SAMLAssertion...

7CVSS5.8AI score0.00018EPSS
Exploits0References6
OSV
OSV
added 2026/06/04 6:47 p.m.10 views

GHSA-9392-PJ54-QQF8 WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint

Summary plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance without...

7.1CVSS5.9AI score0.0012EPSS
Exploits1References4
NVD
NVD
added 2026/06/02 2:16 p.m.24 views

CVE-2026-10611

An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.requireotp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticat...

10CVSS0.00353EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/02 12:48 p.m.7 views

CVE-2026-10611

An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.requireotp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticat...

8.2CVSS5.8AI score0.00353EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/02 12:48 p.m.11 views

CVE-2026-10611 OTP bypass via plugin-based LDAP authentication in MISP when LDAP mixed authentication is enabled

An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.requireotp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticat...

8.2CVSS5.8AI score0.00353EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/02 12:48 p.m.43 views

CVE-2026-10611 OTP bypass via plugin-based LDAP authentication in MISP when LDAP mixed authentication is enabled

An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.requireotp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticat...

8.2CVSS0.00353EPSS
Exploits0References1
OSV
OSV
added 2026/06/02 12:48 p.m.4 views

CVE-2026-10611 OTP bypass via plugin-based LDAP authentication in MISP when LDAP mixed authentication is enabled

An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.requireotp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticat...

8.2CVSS6AI score0.00353EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/02 6:0 a.m.16 views

CVE-2026-8293 Really Simple Security < 9.5.10.1 - Authentication Bypass via Two-Factor OTP Skip

The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email...

5.8AI score0.00236EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/02 6:0 a.m.15 views

CVE-2026-8293

The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email...

7.5CVSS5.8AI score0.00236EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/02 12:0 a.m.9 views

MISP 安全漏洞

MISP is a set of open-source software solutions developed by MISP. This product is used for collecting, storing, distributing, and sharing network security metrics. It also includes features such as analysis of threats to network security and malware analysis. MISP has a security vulnerability th...

10CVSS5.4AI score0.00353EPSS
Exploits0References1
Friends Of PHP
Friends Of PHP
added 2026/05/31 9:6 a.m.8 views

Unbounded digits parameter in a provisioning URI triggers an uncaught DivisionByZeroError in OTP generation

Summary The digits parameter parsed from a provisioning URI is validated only with a lower bound $value 0 and has no upper bound src/OTP.php:353-357. OTP generation computes $code % 10 $this-getDigits src/OTP.php:283. When digits is large enough that 10 digits overflows PHP's integer range and th...

5.4AI score
Exploits0Affected Software1
NVD
NVD
added 2026/05/29 8:16 a.m.19 views

CVE-2026-3655

The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwpajaxregister AJAX handler not binding the Firebase session to the phone number supplied in the...

9.8CVSS0.00492EPSS
Exploits0References6
OSV
OSV
added 2026/05/29 12:0 a.m.10 views

MAL-2026-5045 Malicious code in @t-in-one/safe_local_storage_token (npm)

Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...

5.8AI score
Exploits0References2
CVE
CVE
added 2026/05/27 8:6 p.m.21 views

CVE-2026-47272

pam_usb for Linux allows local authentication bypass before version 0.9.0 due to pusb_pad_compare() only checking the user-side pad (~/.pamusb/device.pad) and not requiring the system-side pad on the USB device to be present. A local user can delete or obscure their own device.pad to bypass the U...

7.1CVSS5.9AI score0.00119EPSS
Exploits0References1
NVD
NVD
added 2026/05/27 11:16 a.m.23 views

CVE-2026-42731

Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification allows Privilege Escalation.This issue affects miniorange otp verification: from n/a through = 5.4.9...

9.8CVSS0.00321EPSS
Exploits0References1
Rows per page
Query Builder