5 matches found

OSV
added 2026/05/06 5:1 p.m., 7 views

GHSA-Q4W7-56HR-83RM Nginx-UI Settings API Exposes Protected Secrets

Summary: The GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag is only enforced during writes via ProtectedFill in SaveSettings and is...

CVSS 6.5, AI score 5.8, EPSS 0.00295
Exploits: 1, References: 4

OSV
added 2023/07/25 10:53 p.m., 6 views

GO-2023-1914 Brute-force of token secrets in github.com/superfly/tokenizer

AI score 7.1
Exploits: 0, References: 3

OSV
added 2023/07/17 8:57 p.m., 6 views

CVE-2023-37266 Weak JSON Web Token (JWT) secrets in CasaOS

CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as root on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit 705bf1f...

CVSS 9.8, AI score 7.7, EPSS 0.05871
Exploits: 1, References: 5

Veracode
added 2023/07/14 6:48 a.m., 13 views

Brute Force Token Secrets

superfly/tokenizer is vulnerable to brute-forcing of token secrets. The vulnerability stems from not restricting the fmt parameter to simple formatting and from allowing the fmt/dst parameters to be specified at request time, which lets an attacker brute-force secret values using...

AI score 6.7
Exploits: 0

OSV
added 2023/07/13 7:56 p.m., 19 views

GHSA-F28G-86HC-823Q Tokenizer vulnerable to client brute-force of token secrets

Impact: Authorized clients, having an injectprocessor secret, could brute-force the secret token value by abusing the fmt parameter to the Proxy-Tokenizer header. Patches: This was fixed in https://github.com/superfly/tokenizer/pull/8 and further mitigated in...

AI score 7
Exploits: 0, References: 4