Inadequate Encryption Strength
Overview: net.gleske:jervis is a self-service Jenkins job generation tool using Jenkins Job DSL plugin Groovy scripts. It reads .jervis.yml and generates a job in Jenkins. Affected versions of this package are vulnerable to Inadequate Encryption Strength in the PBKDF2 key derivation process. An attacker c...
CVE-2025-53960
When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge...
EUVD-2025-203092
Apache StreamPark: Use the user’s password as the secret key Vulnerability...
PT-2025-6799 · Mobaxterm · Mobaxterm
Name of the Vulnerable Software and Affected Versions: MobaXterm versions prior to 25.0. Description: The issue exists in the password storage of MobaXterm, where it uses an initialization vector (IV) consisting only of zero bytes and a master key to encrypt each password individually. In the defaul...
mailman: CSRF token derived from admin password allows offline brute-force attack
Sensitive information is exposed to unprivileged users in mailman. The hash of the list admin password is used to derive the CSRF (Cross-Site Request Forgery) token, which is exposed to unprivileged members of a list. Malicious members may use the CSRF token to perform an offline brute-force attack...