99 matches found

OSV
added 2020/03/26 2:15 p.m. · 1 views

CVE-2020-4276

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. X-Force ID: 175984...

CVSS 7.5 · AI score 7.1 · EPSS 0.00428
Exploits 0 · References 2

Prion
added 2020/03/26 2:15 p.m. · 17 views

Privilege escalation

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. X-Force ID: 175984...

CVSS 6 · AI score 7.7 · EPSS 0.00428
Exploits 0 · References 2 · Affected Software 1

Cvelist
added 2020/03/26 1:20 p.m. · 20 views

CVE-2020-4276

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. X-Force ID: 175984...

CVSS 7.5 · AI score 7.8 · EPSS 0.00428
Exploits 0 · References 2

CVE
added 2020/03/26 1:20 p.m. · 111 views

CVE-2020-4276

CVE-2020-4276 affects IBM WebSphere Application Server traditional (versions 7.0, 8.0, 8.5, 9.0). The vulnerability is a privilege escalation via token-based authentication in an admin request over the SOAP connector. IBM bulletins and related documents (X-Force ID 175984) assign CVSS v3 base sco...

CVSS 7.5 · AI score 7.6 · EPSS 0.00428
Exploits 0 · References 2 · Affected Software 1

Positive Technologies
added 2020/03/12 12:0 a.m. · 3 views

PT-2020-12150 · Chadha · Phpkb Standard Multi-Language

Name of the Vulnerable Software and Affected Versions: Chadha PHPKB Standard Multi-Language version 9 Description: The issue allows attackers to add a new category via a crafted request, exploiting a CSRF weakness in the admin/add-category.php file. Recommendations: For version 9, consider...

CVSS 4.3 · AI score 4.5 · EPSS 0.00147
Exploits 1 · References 3

BDU FSTEC
added 2019/08/22 12:0 a.m. · 3 views

The vulnerability in the TokenBasedRememberMeServices2.java component of the Jenkins automation server allows a malicious individual to gain unauthorized access to protected information.

The vulnerability of the TokenBasedRememberMeServices2.java component located at core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java in the Jenkins automation server is related to an incorrect session duration. Exploiting this vulnerability could allow a malicious actor, operati...

CVSS 9 · AI score 5.5 · EPSS 0.01946
Exploits 0 · References 5 · Affected Software 2

UbuntuCve
added 2019/05/23 3:30 p.m. · 16 views

CVE-2019-12300

Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can login as the victim...

CVSS 9.8 · AI score 7.2 · EPSS 0.00471
Exploits 0 · References 2

Positive Technologies
added 2019/01/16 12:0 a.m. · 1 views

PT-2019-2981 · Cloudbees +1 · Jenkins

Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.158 and earlier Jenkins LTS versions 2.150.1 and earlier Description: The issue is related to an improper authorization vulnerability in the TokenBasedRememberMeServices2.java component. This vulnerability allows attackers...

CVSS 9 · AI score 5.1 · EPSS 0.01946
Exploits 0 · References 12

Positive Technologies
added 2018/09/04 12:0 a.m. · 5 views

PT-2018-13565 · Yfcmf · Yfcmf

Name of the Vulnerable Software and Affected Versions: YFCMF version 3.0 Description: The issue allows for Cross-Site Request Forgery (CSRF) attacks, enabling an attacker to add an administrator account through the admin/admin/adminsave.html endpoint. Recommendations: For YFCMF version 3.0, conside...

CVSS 8.8 · AI score 8.9 · EPSS 0.00953
Exploits 1 · References 2

The Hacker News
added 2018/08/02 6:25 a.m. · 600 views

Reddit Hacked – Emails, Passwords, Private Messages Stolen

Another day, another significant data breach. This time the victim is Reddit... seems someone is really pissed off with Reddit's account ban policy or bias moderators. Reddit social media network today announced that it suffered a security breach in June that exposed some of its users' data,...

AI score 0.8
Exploits 0

ThreatPost
added 2018/08/01 6:33 p.m. · 8 views

Reddit Breach Stems from SMS Two-Factor Authentication Breakdown

Reddit confirmed Wednesday that a hacker broke into its systems and has accessed user data – including email addresses and passwords for accounts. The company said in a post today that the compromise occurred between June 14 and June 18, and it detected the incident on June 19. “We learned that a...

AI score 0.4
Exploits 0 · References 3

Positive Technologies
added 2018/04/24 12:0 a.m. · 3 views

PT-2018-9819 · Wuzhi · Wuzhi Cms

Name of the Vulnerable Software and Affected Versions: WUZHI CMS version 4.1.0 Description: The issue allows for a CSRF attack to change the password of a common member. This is possible through the "index.php?m=member&v=pw reset" endpoint, which is vulnerable to such attacks. Recommendations: Fo...

CVSS 8.8 · AI score 8.7 · EPSS 0.00314
Exploits 5 · References 5

The Hacker News
added 2018/04/07 9:8 a.m. · 92 views

Authentication Bypass Vulnerability Found in Auth0 Identity Platform

A critical authentication bypass vulnerability has been discovered in one of the biggest identity-as-a-service platform Auth0 that could have allowed a malicious attacker to access any portal or application, which are using Auth0 service for authentication. Auth0 offers token-based authentication...

CVSS 9.8 · AI score 9.3 · EPSS 0.04363
Exploits 0

Atlassian
added 2017/12/06 4:35 p.m. · 23 views

REST API - Improved HTTP Authentication

h4. Suggestion Description Confluence Server REST API|https://developer.atlassian.com/confdev/confluence-server-rest-api is a simple resource that help administrators to perform operations that would take some time of their day to day activities in a couple seconds, instead of a couple minutes. I...

AI score 7.7
Exploits 0

Atlassian
added 2017/12/06 4:35 p.m. · 157 views

REST API - Improved HTTP Authentication

h4. Suggestion Description Confluence Server REST API|https://developer.atlassian.com/confdev/confluence-server-rest-api is a simple resource that help administrators to perform operations that would take some time of their day to day activities in a couple seconds, instead of a couple minutes. I...

AI score 7.7
Exploits 0 · Affected Software 1

Exploit DB
added 2017/12/06 12:0 a.m. · 75 views

FS Shaadi Clone - 'token' SQL Injection

Exploit Title: FS Shaadi Clone - SQL Injection Date: 2017-12-05 Exploit Author: Dan° Vendor Homepage: https://fortunescripts.com/ Software Link: https://fortunescripts.com/product/shaadi-clone/ Version: 2017-12-05 Tested on: Kali Linux 2.0 PoC: SQL Injection on GET parameter = token...

AI score 7.4
Exploits 0

OSV
added 2017/08/29 3:29 p.m. · 0 views

UBUNTU-CVE-2017-12867

The SimpleSAMLAuthTimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset...

CVSS 5.9 · AI score 6.6 · EPSS 0.00241
Exploits 0 · References 3

CNVD
added 2017/04/07 12:0 a.m. · 2 views

Multiple Huawei Server Cross-Site Request Forgery Vulnerabilities

Huawei Tecal RH1288 V2 and others are servers from Huawei, a Chinese company. A cross-site request forgery vulnerability exists in several Huawei servers, which stems from the program's failure to use the Token mechanism for Web access control. A remote attacker could exploit this vulnerability t...

CVSS 8.8 · AI score 6.9 · EPSS 0.00074
Exploits 0 · References 1

The Hacker News
added 2013/10/28 4:10 p.m. · 4 views

Security breach at OAuth based applications can cause Social Media Disaster

With all the popular social networking websites there on the web, managing them from several different internet browser tabs or windows can get frustrated very quickly. Besides our own Facebook Page, Twitter account, and Google+ profile, I also manage several others and, YES, I feel the "time...

AI score 7.2
Exploits 0