21 matches found
PT-2025-51839
Name of the Vulnerable Software and Affected Versions: Entrinsik Informer version 5.10.1. Description: A malicious user can enumerate usernames through local user login. This is achieved by entering an OTP code and a new password, then analyzing the application's responses. Recommendations: At the...
EUVD-2021-15056
Malware in sbrugna...
MAL-2025-41871 Malicious code in @espace-client-axafr/otp-code (npm)
The package communicates with a domain associated with malicious activity...
CVE-2023-2706
The OTP Login Woocommerce & Gravity Forms plugin for WordPress is vulnerable to authentication bypass. This is due to the fact that when generating OTP codes for users to use in order to login via phone number, the plugin returns these codes in an AJAX response. This makes it possible for...
CVE-2025-3844
The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to Authentication Bypass in versions 1.9.1 to 7.5.2. This is due to the handelajaxreq function not having proper restrictions on the changeusermeta functionality, which makes it possible to set an OTP code and subsequently log in...
PT-2025-19906 · Peprodev · Peprodev Ultimate Profile Solutions
Name of the Vulnerable Software and Affected Versions: PeproDev Ultimate Profile Solutions versions 1.9.1 through 7.5.2 Description: The issue is related to the lack of proper authentication in the handel ajax req function, specifically with the change user meta functionality. This allows attacke...
CVE-2024-13553
The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it...
Keycloak's One Time Passcode (OTP) is valid longer than expiration time
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP with the OTP token period set to the 30-second default. Instead of expiring and being deemed unusable at around 30 seconds, the tokens are valid for an additional 30 seconds, totaling 1 minute. A one time passco...
MTN Group: Yet Another OTP code Leaked in the API Response
The OTP code was leaked in the API response, which compromised the purpose of its implementation. The application requested a phone number for authentication and sent an OTP code to the user, but the OTP was returned in the API response, exposing it to potential misuse...
MTN Group: OTP code Leaked in API Response
The application allowed users to sign up for device insurance. When getting a quote, an OTP code was sent to the user's phone number for authentication, but the same OTP code was also returned in the API response...
Unable to enter multi-factor authentication with Citrix DaaS Remote PowerShell SDK
After installing and running the Virtual Apps and Desktops Remote PowerShell SDK, explicit authentication is required using the Get-XdAuthentication cmdlet. After entering the username and password, a multi-factor authentication dialog is displayed, but the 6-digit OTP code input items are not...
MTN Group: No rate limit in OTP code sending
The submission describes a vulnerability in the OTP (One-Time Password) code sending functionality of the MTN Play website. The vulnerability allows an attacker to send an unlimited number of OTP codes without any rate limiting, potentially flooding the victim's mobile inbox. The vulnerability was...
CVE-2021-28373
The authinternal plugin in Tiny Tiny RSS aka tt-rss before 2021-03-12 allows an attacker to log in via the OTP code without a valid password. NOTE: this issue only affected the git master branch for a short time. However, all end users are explicitly directed to use the git master branch in...
CVE-2021-28373
The vulnerability CVE-2021-28373 affects Tiny Tiny RSS (tt-rss) via the auth_internal plugin. The root issue allows an attacker to log in using an OTP code without a valid password, as reported for TT-RSS prior to 2021-03-12. The condition occurred on the git master branch for a short period; pro...
MTN Group: No rate limit in OTP code sending
Summary: There is no rate limit in sending OTP code. Thus, an attacker can use this vulnerability to bomb out the mobile inbox of the victim. Steps To Reproduce: Step 1. Open Burp Suite, and click on the "Intercept is on" button from the Proxy tab. Step 2. Launch browser and visit https://mtnonline.com/nim...
MTN Group: Account Takeover of millions of MTN user accounts due to lack of rate limiting when sending OTP code
I attached a PDF document to this report which explained the vulnerability in full detail, and I also attached a link to the POC video in the document. Impact: Account takeover of about any MTN user account...
Cross site request forgery (csrf)
Citrix ShareFile before 19.12 allows User Enumeration. It is possible to enumerate application usernames based on different server responses to the request that checks the OTP code. No authentication is required...
CVE-2019-7217
Citrix ShareFile before 19.12 allows User Enumeration. It is possible to enumerate application usernames based on different server responses to the request that checks the OTP code. No authentication is required...