Lucene search
K

1867 matches found

Github Security Blog
Github Security Blog
added 2026/04/30 8:44 p.m.7 views

Sentry's improper authentication on SAML SSO process allows user identity linking

Impact A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via Sentry's private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the sa...

9.8CVSS5.7AI score0.00623EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/04/30 8:44 p.m.5 views

GHSA-RCMW-7MC7-3RJ7 Sentry's improper authentication on SAML SSO process allows user identity linking

Impact A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via Sentry's private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the sa...

9.1CVSS5.8AI score0.00623EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/04/29 9:49 p.m.10 views

Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP

Summary A logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip th...

7.1CVSS5.4AI score0.00297EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/04/29 9:49 p.m.6 views

Incorrect Authorization

Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Incorrect Authorization due to an inverted authorization check in the twofactorauthentication.php process. An attacker can remove...

7.1CVSS5.8AI score0.00297EPSS
Exploits0References2
OSV
OSV
added 2026/04/29 9:49 p.m.9 views

GHSA-RH3W-4CCX-PRF9 Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP

Summary A logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip th...

7.1CVSS5.8AI score0.00297EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/04/20 7:22 p.m.7 views

CVE-2026-40582

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication...

9.1CVSS5.7AI score0.00502EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/04/17 9:25 p.m.5 views

Sentry: Improper authentication on SAML SSO process allows user identity linking

Impact A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same...

9.1CVSS5.8AI score0.00435EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/04/17 9:25 p.m.7 views

GHSA-GGMG-CQG6-J45G Sentry: Improper authentication on SAML SSO process allows user identity linking

Impact A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same...

9.1CVSS5.8AI score0.00435EPSS
Exploits0References4
NVD
NVD
added 2026/04/15 7:16 p.m.8 views

CVE-2026-33667

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirmotp action of the twofactorauthentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing bruteforceblockafterfailedlogins setting...

7.4CVSS0.00296EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/15 6:43 p.m.4 views

CVE-2026-33667 OpenProject: 2FA OTP Verification Missing Rate Limiting

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirmotp action of the twofactorauthentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing bruteforceblockafterfailedlogins setting...

7.4CVSS5.8AI score0.00296EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/15 6:43 p.m.21 views

CVE-2026-33667 OpenProject: 2FA OTP Verification Missing Rate Limiting

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirmotp action of the twofactorauthentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing bruteforceblockafterfailedlogins setting...

7.4CVSS0.00296EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/15 6:43 p.m.8 views

EUVD-2026-23014

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirmotp action of the twofactorauthentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing bruteforceblockafterfailedlogins setting...

7.4CVSS5.8AI score0.00296EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/15 6:43 p.m.5 views

CVE-2026-33667

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirmotp action of the twofactorauthentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing bruteforceblockafterfailedlogins setting...

7.4CVSS5.8AI score0.00296EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/04/15 6:43 p.m.15 views

CVE-2026-33667

OpenProject contains a 2FA bypass in versions before 17.3.0 due to missing rate limiting/lockout on the confirm_otp step of two_factor_authentication. The 2FA verification path (OTP and backup code) does not increment failed-attempt counters or apply delays, while the TOTP window allows roughly f...

7.4CVSS5.8AI score0.00296EPSS
Exploits1References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.8 views

PT-2026-33118

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm otp action of the two factor authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing brute force block after failed logins...

7.4CVSS5.8AI score0.00296EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/04/15 12:0 a.m.8 views

OpenProject 安全漏洞

OpenProject is an open-source web-based project management software. Versions of OpenProject prior to 17.3.0 had security vulnerabilities. These vulnerabilities stemmed from the two-factor authentication module’s confirmotp operation, where the 2FA OTP verification lacked rate limiting, a lockout...

7.4CVSS5.8AI score0.00296EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/14 3:38 p.m.27 views

CVE-2026-23708

A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA...

7.5CVSS0.00283EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/14 3:38 p.m.4 views

CVE-2026-23708

A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA...

7.5CVSS5.8AI score0.00283EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.7 views

PT-2026-32670

A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA...

7.5CVSS5.8AI score0.00283EPSS
Exploits0References3
Veracode
Veracode
added 2026/04/11 5:33 a.m.6 views

Authentication Bypass

ajenti.plugin.core is vulnerable to Authentication Bypass. The vulnerability is due to improper enforcement of password authentication when 2FA is enabled, which allows an attacker to bypass login controls and gain unauthorized access...

9.3CVSS5.8AI score0.00329EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder