Vercel Workflow Allows Webhook Creation with Predictable User-Specified Tokens
createWebhook in Vercel Workflow DevKit accepts a user-specified token parameter that serves as the credential for the public webhook endpoint /.well-known/workflow/v1/webhook/token. Official documentation recommended predictable token patterns, making it possible for an unauthenticated remote...
Malicious code in democratic_bovid_z3n (npm)
Source: amazon-inspector 4b59ebd75724ecbda8df623e82211d716b6357e3c4525896430e014e93630a39. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2010-5048
Malware in sbrugna...
EUVD-2018-0518
Malware in sbrugna...
EUVD-2016-2333
Malware in sbrugna...
SUSE CVE-2025-40915
Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens. That version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand function...
CVE-2023-2781
The User Email Verification for WooCommerce plugin for WordPress is vulnerable to authentication bypass via authenticateuserbyemail in versions up to, and including, 3.5.0. This is due to a random token generation weakness in the resendverificationemail function. This allows unauthenticated...
CVE-2019-10041
The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dirlogin.asp and use an API URL /goform/form2userconfig.cgi to edit the system account without authentication...
CVE-2010-5084
The cross-site request forgery CSRF protection mechanism in e107 before 0.7.23 uses a predictable random token based on the creation date of the administrator account, which allows remote attackers to hijack the authentication of administrators for requests that add new users via...
[SECURITY] Fedora 41 Update: perl-Crypt-URandom-Token-0.003-1.fc41
This module provides a secure way to generate a random token for passwords and similar using Crypt::URandom as the source of random bits...
Authentication flaw
The User Email Verification for WooCommerce plugin for WordPress is vulnerable to authentication bypass via authenticateuserbyemail in versions up to, and including, 3.5.0. This is due to a random token generation weakness in the resendverificationemail function. This allows unauthenticated...
CVE-2023-2781 User Email Verification for WooCommerce <= 3.5.0 - Authentication Bypass
The User Email Verification for WooCommerce plugin for WordPress is vulnerable to authentication bypass via authenticateuserbyemail in versions up to, and including, 3.5.0. This is due to a random token generation weakness in the resendverificationemail function. This allows unauthenticated...
SUSE CVE-2016-5100
Froxlor before 0.9.35 uses the PHP rand function for random number generation, which makes it easier for remote attackers to guess the password reset token by predicting a value...
CVE-2021-34646
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the processemailverification function due to a random token generation weakness in the resetandmailactivationlink function found in the...
Authentication flaw
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the processemailverification function due to a random token generation weakness in the resetandmailactivationlink function found in the...
Softwaremill Akka-http-session Cross-Site Request Forgery Vulnerability
Softwaremill Akka-http-session is a codebase for providing continuous JWT and continuous connection support for single page or mobile applications from Softwaremill, Poland. A security vulnerability exists in com.softwaremill.akka-http-session:core2.13, which stems from the fact that...
D-Link DIR-816 A2 Router Web or System Account Editing Vulnerability
The D-Link DIR-816 A2 is a wireless router from AUO D-Link of Taiwan, China. A security vulnerability exists in the D-Link DIR-816 A2 version 1.11, which stems from the program only checking for random tokens when authorizing a goform request. The vulnerability can be exploited to edit web and...
CVE-2017-16028
react-native-meteor-oauth is a library for OAuth2 login to a Meteor server in React Native. The OAuth random token is generated using a non-cryptographically strong RNG, Math.random...
Design/Logic Flaw
react-native-meteor-oauth is a library for OAuth2 login to a Meteor server in React Native. The OAuth random token is generated using a non-cryptographically strong RNG, Math.random...