16 matches found
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect through the redirecturi parameter in multiple endpoints ForgotPassword, MagicLinkLogin, Signup, InviteMembers, OAuthLoginHandler, VerifyEmailHandler which is not validated against AllowedOrigins. An attacker can obtain...
GO-2026-4888 Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet
Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
PT-2026-29935
Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
Grav is vulnerable to Arbitrary File Read
Summary - A low privilege user account with page editing privilege can read any server files using "Frontmatter" form. - This includes Grav user account files - /grav/user/accounts/.yaml. This file stores hashed user password, 2FA secret, and the password reset token. - This can allow an adversar...
EUVD-2021-26275
Malware in sbrugna...
EUVD-2012-0015
Malware in sbrugna...
EUVD-2023-2598
Malicious code in bioql PyPI...
CVE-2023-36472
Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The /content-manager/relations route does not remove private fields or ensure that they can't be...
CVE-2021-39919
In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure...
CVE-2012-5618
Ushahidi before 2.6.1 has insufficient entropy for forgot-password tokens...
Design/Logic Flaw
Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The /content-manager/relations route does not remove private fields or ensure that they can't be...
CVE-2023-36472 Strapi may leak sensitive user information, user reset password, tokens via content-manager views
Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The /content-manager/relations route does not remove private fields or ensure that they can't be...
Design/Logic Flaw
Account Takeover :: when see the info i can see the hash pass i can creaked it ............... Account Takeover :: when see the info i can see the forgotpasswordtoken the hacker can send the request and changed the pass...
PT-2022-22085 · Git +1 · Tooljet +1
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue allows for account takeover. When an attacker gains access to certain information, they can see the hashed password, which can potentially be...
Default credentials
Ushahidi before 2.6.1 has insufficient entropy for forgot-password tokens...
CVE-2012-5618
CVE-2012-5618 affects Ushahidi prior to 2.6.1, where forgot-password tokens use insufficient entropy. This vulnerability could allow token guessing and account compromise with network access. Upgrade to Ushahidi 2.6.1 or later as the implied fix; the connected documents do not provide further exp...