GHSA-4F53-XH3V-G8X4 Keycloak secondary factor bypass in step-up authentication
Keycloak does not correctly validate its client step-up authentication. A password-authed attacker could use this flaw to register a false second auth factor, alongside the existing one, to a targeted account. The second factor then permits step-up authentication...
PT-2024-12538 · Red Hat · Keycloak
Name of the Vulnerable Software and Affected Versions: Keycloak affected versions not specified Description: A flaw was found in the client step-up authentication mechanism, where it does not correctly validate authentication. This allows a remote user authenticated with a password to register a...
keycloak: secondary factor bypass in step-up authentication
A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication...
Red Hat Keycloak authorization issue vulnerability
Red Hat Keycloak is a suite of software from Red Hat, Inc. that provides authentication and management capabilities for modern applications and services. An authorization issue vulnerability exists in Red Hat Keycloak that stems from an inability to perform proper authentication. An attacker coul...
Nextcloud: Ability to by-pass second factor
The advisory described a vulnerability that allowed bypassing the second factor authentication in Nextcloud. The vulnerability was addressed in a security update...
CVE-2024-24771
Open Forms allows users to create and publish smart forms. Versions prior to 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain a non-exploitable multi-factor authentication weakness. Superusers whose credentials (username + password) are compromised could potentially have the second-factor authentication...
PT-2024-20549 · Unknown · Open Forms
Name of the Vulnerable Software and Affected Versions: Open Forms versions prior to 2.2.9 Open Forms versions prior to 2.3.7 Open Forms versions prior to 2.4.5 Open Forms versions prior to 2.5.2 Description: Open Forms allows users to create and publish smart forms. The software contains a...
DRUPAL-CONTRIB-2024-003
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. In some cases, the module allows users to log in with an authentication plugin that an administrator has disabled. This vulnerability is mitigated by the fact that a...
Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. In some cases, the module allows users to log in with an authentication plugin that an administrator has disabled. This vulnerability is mitigated by the fact that a...
CVE-2023-39231
PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user's...
CVE-2023-39231 PingFederate PingOne MFA IK Device Pairing Second Factor Authentication Bypass
PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user's...
CVE-2023-37268
Warpgate is an SSH, HTTPS and MySQL bastion host for Linux that doesn't need special client apps. When logging in as a user with SSO enabled, an attacker may authenticate as another user. Any user account which does not have a second factor enabled could be compromised. This issue has been...
Authentication flaw
Warpgate is an SSH, HTTPS and MySQL bastion host for Linux that doesn't need special client apps. When logging in as a user with SSO enabled, an attacker may authenticate as another user. Any user account which does not have a second factor enabled could be compromised. This issue has been...
CVE-2023-37268 User login confusion with SSO in warpgate
Warpgate is an SSH, HTTPS and MySQL bastion host for Linux that doesn't need special client apps. When logging in as a user with SSO enabled, an attacker may authenticate as another user. Any user account which does not have a second factor enabled could be compromised. This issue has been...
PT-2023-25871 · Warpgate · Warpgate
Name of the Vulnerable Software and Affected Versions: Warpgate versions prior to 0.7.3 Description: Warpgate is an SSH, HTTPS, and MySQL bastion host for Linux that does not require special client apps. An issue exists where an attacker may authenticate as another user when logging in as a user...
DRUPAL-CONTRIB-2023-030
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module doesn't sufficiently ensure all core login routes, including the password reset page, require a second factor credential. This vulnerability is mitigated ...
Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2023-030
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module doesn't sufficiently ensure all core login routes, including the password reset page, require a second factor credential. This vulnerability is mitigated ...
Cisco Duo security vulnerability
Cisco Duo is a fully managed solution from Cisco, Inc. that provides secure access to your applications and data. An authentication error vulnerability exists in Cisco Duo Two-Factor Authentication, which arises from incorrectly handling responses from Cisco Duo when the application is configured to...
CVE-2023-35866
In KeePassXC through 2.7.5, a local attacker can make changes to the Database security settings, including master password and second-factor authentication, within an authenticated KeePassXC Database session, without the need to authenticate these changes by entering the password and/or...