Astra Linux - vulnerability in wpa
Implementations of EAP-pwd in hostapd before version 2.10 and wpasupplicant before version 2.10 are vulnerable to side-channel attacks due to cache access patterns. NOTE: This issue exists because of an incomplete fix for CVE-2019-9495...
CVE-2026-44679
CVE-2026-44679 affects Tuist. Before 1.180.10, the forgot-password flow allows an unauthenticated attacker to repeatedly trigger password-reset emails for a known account without server-side throttling, enabling potential email spamming and downstream resource consumption in self-hosted deploymen...
EUVD-2026-30485
Tuist is a virtual platform team for Swift app devs. Prior to 1.180.10, the forgot password flow allows an unauthenticated attacker to repeatedly trigger password reset emails for a known account without server-side throttling. In self-hosted deployments, this can be abused to send large volumes ...
CVE-2026-44679 Tuist: Forgot password flow lacks throttling for reset email delivery
Tuist is a virtual platform team for Swift app devs. Prior to 1.180.10, the forgot password flow allows an unauthenticated attacker to repeatedly trigger password reset emails for a known account without server-side throttling. In self-hosted deployments, this can be abused to send large volumes ...
EUVD-2026-28937
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to...
listmonk Admin Authentication / Password Flow Security Assessment Module
This Metasploit auxiliary module is a web application security testing tool designed to evaluate authentication and password management logic in a Listmonk admin panel deployment...
Totara LMS 19.1.5 Missing Rate Limiting
Totara LMS versions 19.1.5 and below have a forgot password flow that's missing rate limiting...
CVE-2019-25605
EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use adb logcat to extract plaintext passwords logged during the forgot password function, exposing us...
From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA
Not every cloud breach starts with malware or a zero-day. In this incident, attackers discovered an exposed Spring Boot Actuator endpoint, harvested credentials from leaked configuration data, then used the OAuth2 Resource Owner Password Credentials ROPC flow to authenticate without MFA...
PT-2025-42471
Name of the Vulnerable Software and Affected Versions: Aggie version 2.6.1. Description: A Host Header injection flaw exists in the forgot password functionality of the software. This allows an attacker to reset a user's password. The vulnerability is present in the handling of the Host header durin...
EUVD-2022-3804
Malicious code in bioql PyPI...
CVE-2025-36758
It is possible to bypass the clipping level of authentication attempts in SolaX Cloud through the use of the 'Forgot Password' functionality as an oracle...
ipa: Invalid CSRF protection
A Cross-site request forgery vulnerability exists in ipa/session/loginpassword in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During...
MicroTalk App Has SMS Bombing Vulnerability
MicroTalk App is a calling software. MicroTalk APP has an SMS bombing vulnerability. The attacker sends unlimited CAPTCHAs to the cell phone by capturing packets through the forgot password function, consuming server resources and carrying out SMS bombing...
True Luck Driver Mobile App Has Logic Design Flaws
True Luck Driver Mobile App is a mobile application that helps truck drivers find work. There is a logical design vulnerability in the True Luck Driver mobile app. An attacker can log into any user account by using the forgot password function to capture packets and blast them to obtain the verification...
PCG Travel Android App Has Logic Design Flaws
PCG Travel Android APP is a B2B2C travel service platform. PCG Travel Android APP has a logical design vulnerability. After registering, an attacker can reset any account password by grabbing packets to bypass the CAPTCHA through the forgot password function...