Lucene search
K

55 matches found

OSV
OSV
added 2026/05/05 8:30 p.m.3 views

GHSA-JPQ4-7FMQ-Q5FJ parse-server: MFA SMS one-time password accepted twice under concurrent login

Impact A race condition in the MFA SMS one-time password OTP login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the...

2.1CVSS5.7AI score0.00236EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/05 8:30 p.m.12 views

parse-server: MFA SMS one-time password accepted twice under concurrent login

Impact A race condition in the MFA SMS one-time password OTP login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the...

5.9CVSS5.7AI score0.00236EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.14 views

PT-2026-37307

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.76 Parse Server versions prior to 9.9.0-alpha.2 Description A race condition exists in the MFA SMS one-time password OTP login path. This allows two concurrent requests to the '/login' endpoint using the same...

2.1CVSS5.9AI score0.00236EPSS
Exploits0References7
OSV
OSV
added 2026/03/29 3:23 p.m.5 views

GHSA-W73W-G5XW-RWHF Parse Server has an MFA single-use token bypass via concurrent authData login requests

Impact An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery cod...

2.1CVSS5.9AI score0.00311EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/03/29 3:23 p.m.5 views

Parse Server has an MFA single-use token bypass via concurrent authData login requests

Impact An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery cod...

4.4CVSS5.9AI score0.00311EPSS
Exploits0References7Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/29 12:0 a.m.7 views

PT-2026-28613

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.64 Parse Server versions prior to 9.7.0-alpha.8 Description Parse Server is an open source backend deployable on Node.js infrastructure. An attacker with a valid authentication provider token and a single MFA...

4.4CVSS5.9AI score0.00311EPSS
Exploits0References12
Github Security Blog
Github Security Blog
added 2026/03/24 7:48 p.m.12 views

Parse Server: MFA recovery code single-use bypass via concurrent requests

Impact An attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and...

2.7CVSS5.9AI score0.00175EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2026/03/24 7:48 p.m.4 views

GHSA-2299-GHJR-6VJP Parse Server: MFA recovery code single-use bypass via concurrent requests

Impact An attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and...

2.1CVSS5.9AI score0.00175EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.5 views

PT-2026-24478

Name of the Vulnerable Software and Affected Versions Sylius versions 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.2.3 and above Description Sylius, an Open Source eCommerce Framework on Symfony, contains a Time-of-Check To Time-of-Use TOCTOU race condition in the...

8.2CVSS5.8AI score0.00179EPSS
Exploits0References7
OSV
OSV
added 2026/03/02 10:9 p.m.3 views

GHSA-8986-V76Q-8VR2 @keep-network/tbtc-v2 revealing P2PKH deposit with a wrapped P2SH script

Overview P2PKH has 20 bytes just like P2SH. We protect against revealing P2PKH deposits by manually assembling the expected P2SH script in the smart contract and comparing hashes. However, we missed the case when the attacker embeds a valid P2SH inside of P2PKH as an output script. bitcoin-spv...

7.5CVSS6AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/11/11 10:56 p.m.2 views

Malicious code in optimistic_jay_z3n (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3956099d3dde09c9dc38e1e9ed7643015d9ebc27370284672671666f28afcf71 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/11/11 10:56 p.m.2 views

Malicious code in optimistic_swordtail_z3n (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 21adde43d7fcb3b38a2a8902ab2e7efefd5e5f99b9491a79cbfb6d93c867cc19 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
EUVD
EUVD
added 2025/11/11 8:46 p.m.2 views

EUVD-2025-103138

Malicious code in optimisticcarpz3n npm...

6.6AI score
Exploits0
OSV
OSV
added 2025/11/11 8:46 p.m.0 views

MAL-2025-129269 Malicious code in optimistic_koi_z3n (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2c14425091869521e16f1bd31e2de3da189f8efae3c0ac6d762fdac2e0327e46 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8AI score
Exploits0
EUVD
EUVD
added 2025/11/11 8:46 p.m.3 views

EUVD-2025-103135

Malicious code in optimisticwolverinez3n npm...

6.6AI score
Exploits0
EUVD
EUVD
added 2025/11/11 3:19 p.m.2 views

EUVD-2025-89573

Malicious code in optimisticchipmunkz3n npm...

6.6AI score
Exploits0
EUVD
EUVD
added 2025/11/11 7:47 a.m.2 views

EUVD-2025-74400

Malicious code in optimisticcephalopodemerald-83 npm...

6.6AI score
Exploits0
OSV
OSV
added 2025/11/11 7:47 a.m.0 views

MAL-2025-112152 Malicious code in optimistic_cephalopod_emerald-83 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b0169e6ecd28c1f903c29cd4040fad0c900f5839bc65f5651f2769418846c826 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8AI score
Exploits0
EUVD
EUVD
added 2025/11/11 7:47 a.m.0 views

EUVD-2025-74399

Malicious code in optimisticshrewmagenta-83 npm...

6.6AI score
Exploits0
OSV
OSV
added 2025/11/11 7:44 a.m.4 views

MAL-2025-106760 Malicious code in optimistic_turtle-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8308caa8444d2c1b1e847c7bd440c224e1e1b9b3f632b0dc38a8abdb941d7265 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8AI score
Exploits0
Rows per page
Query Builder