6 matches found
CVE-2026-46386 OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `SECRET_KEY_BASE=OVERWRITE_ME` and `cookies_serializer = :marshal`
OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRETKEYBASE=OVERWRITEME as the default Rails master key. Combined with cookiesserializer = :marshal, this gives any logged-in user a deterministic...
Authentication Bypass
Overview Affected versions of this package are vulnerable to Authentication Bypass when a password's salt is unknown. If the secret key base variable is somehow leaked, an attacker can become any user by misusing the masquerade back functionality of this Devise extension, something that is not...
GitLab File Read Remote Code Execution
This module provides remote code execution against GitLab Community Edition CE and Enterprise Edition EE. It combines an arbitrary file read to extract the Rails "secretkeybase", and gains remote code execution with a deserialization vulnerability of a signed 'experimentationsubjectid' cookie tha...
GitLab: information disclosure of secret_key_base via encoding charcters
@pareshparmar discovered an error page that was disclosing the value of the secretkeybase key of customers.gitlab.com to unauthenticated users, which would have allowed an attacker to arbitrarily decrypt signed cookies. So I was fuzzing one parameter with different type of encodings. And one...
Metasploit secret_key_base deserialization vulnerability
Metasploit is an open source security vulnerability detection tool that helps security and IT professionals identify security issues, validate mitigations for vulnerabilities, and manage expert-driven security for assessments that provide true security risk intelligence. A deserialization...
Metasploit exposure remote code execution vulnerability: don't mess with me, I mad up my own all black-and-vulnerability warning-the black bar safety net
Just this week, Rapid7 community to publish two on the Metasploit framework security patches, by these two vulnerabilities, an attacker can remote unauthorized execution of arbitrary code. Currently, security researchers have issued the relevant POC attack code. ! Vulnerability: Metasploit Web...