
68 matches found

Positive Technologies
added 2025/06/30 12:00 a.m. · 4 views

PT-2025-27493 · Unknown · Tiny-Secp256K1

Name of the Vulnerable Software and Affected Versions: tiny-secp256k1 versions prior to 1.1.7
Description: A malicious JSON-stringifyable message can be made to bypass the Buffer.isBuffer check, resulting in strange objects being accepted as a message. This can trick the verify function into...

CVSS 9.1 · AI score 7.5 · EPSS 0.00215
Exploits 0 · References 8
OSV
added 2024/10/10 1:15 a.m. · 1 view

DEBIAN-CVE-2024-48949

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation...

CVSS 9.1 · AI score 5.6 · EPSS 0.00507
Exploits 0 · References 1
NVD
added 2024/10/10 1:15 a.m. · 13 views

CVE-2024-48949

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation...

CVSS 9.1 · EPSS 0.00507
Exploits 0 · References 4
CVE
added 2024/10/10 12:00 a.m. · 144 views

CVE-2024-48949

CVE-2024-48949 concerns the Elliptic package for Node.js before 6.5.6. The vulnerability stems from the verify function in lib/elliptic/eddsa/index.js, which omits the validation sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg(), enabling acceptance of invalid signatures. IBM’s bulletin lists thi...

CVSS 9.1 · AI score 7 · EPSS 0.00507
Exploits 0 · References 4 · Affected Software 1
Debian CVE
added 2024/10/10 12:00 a.m. · 11 views

CVE-2024-48949

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation...

CVSS 9.1 · AI score 5.5 · EPSS 0.00507
Exploits 0
Vulnrichment
added 2024/10/10 12:00 a.m. · 19 views

CVE-2024-48949

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation...

AI score 6.8 · EPSS 0.00507
Exploits 0 · References 3
OSV
added 2024/02/13 6:30 a.m. · 13 views

GHSA-747X-5M58-MQ97 svix vulnerable to Authentication Bypass

Versions of the package svix before 1.17.0 are vulnerable to Authentication Bypass due to an issue in the verify function where signatures of different lengths are incorrectly compared. An attacker can bypass signature verification by providing a shorter signature that matches the beginning of th...

CVSS 6.8 · AI score 6 · EPSS 0.0041
Exploits 0 · References 6
Prion
added 2024/02/13 5:15 a.m. · 19 views

Authentication flaw

Versions of the package svix before 1.17.0 are vulnerable to Authentication Bypass due to an issue in the verify function where signatures of different lengths are incorrectly compared. An attacker can bypass signature verification by providing a shorter signature that matches the beginning of th...

CVSS 4 · AI score 7.1 · EPSS 0.0041
Exploits 0 · References 4
Github Security Blog
added 2024/02/06 8:30 p.m. · 12 views

Duplicate Advisory: Svix vulnerable to improper comparison of different-length signatures

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-747x-5m58-mq97. This link is maintained to preserve external references.
Original Description: The Webhook::verify function incorrectly compared signatures of different lengths - the two signatures would only be...

AI score 5.4
Exploits 0 · References 4 · Affected Software 1
RustSec
added 2024/02/06 12:00 p.m. · 4 views

Improper comparison of different-length signatures

The Webhook::verify function incorrectly compared signatures of different lengths - the two signatures would only be compared up to the length of the shorter signature. This allowed an attacker to pass in v1, as the signature, which would always pass verification...

CVSS 6.5 · AI score 7 · EPSS 0.0041
Exploits 0 · Affected Software 1
Positive Technologies
added 2023/12/08 12:00 a.m. · 2 views

PT-2023-29488 · Git +3 · Base64Captcha +1

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions.
Description: The issue concerns the default implementation of a Verify function used to check a Captcha. Verification can be bypassed under certain conditions. For...

CVSS 5.3 · AI score 4.9 · EPSS 0.00297
Exploits 1 · References 12
Positive Technologies
added 2023/11/20 12:00 a.m. · 3 views

PT-2023-30740

Name of the Vulnerable Software and Affected Versions: fast-jwt versions prior to 3.3.2
Description: The fast-jwt library does not properly prevent JWT algorithm confusion for all public key types. The 'publicKeyPemMatcher' in 'fast-jwt/src/crypto.js' does not properly match all common PEM formats...

CVSS 5.9 · AI score 6.3 · EPSS 0.00687
Exploits 1 · References 10
Microsoft CVE
added 2023/06/06 7:00 a.m. · 3 views

A vulnerability was found in OpenSC. This security flaw causes a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags where remaining length is wrongly calculated due to moved starting pointer. This leads to possible heap-based buffer oob read. In cases where ASAN is enabled while compiling this causes a crash. Further info leak or more damage is possible.

...

CVSS 7.1 · AI score 6.7 · EPSS 0.00305
Exploits 0
SUSE CVE
added 2023/02/15 6:05 a.m. · 4 views

SUSE CVE-2009-0265

Internet Systems Consortium ISC BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077 and...

CVSS 7.5 · AI score 7.6 · EPSS 0.02474
Exploits 0 · References 4
Veracode
added 2023/01/18 5:25 a.m. · 17 views

Timing Attack

barzahlen/barzahlen-php is vulnerable to Timing Attacks. The vulnerability exists via the verify function in Webhook.php, which allows an attacker to gain timing information of the application, which can lead to Information Disclosure...

CVSS 5.3 · AI score 3.4 · EPSS 0.00625
Exploits 0 · References 5 · Affected Software 1
Positive Technologies
added 2023/01/05 12:00 a.m. · 3 views

PT-2023-9407 · Php +10 · Php +10

Name of the Vulnerable Software and Affected Versions: PHP versions 8.0.0 through 8.0.27; PHP versions 8.1.0 through 8.1.15; PHP versions 8.2.0 through 8.2.2
Description: The issue is related to the password verification function in PHP, which may accept some invalid Blowfish hashes as valid. If su...

CVSS 9.8 · AI score 6.8 · EPSS 0.3786
Exploits 76 · References 188
Veracode
added 2022/08/17 6:30 a.m. · 33 views

SQL Injection

Mingsoft MCMS is vulnerable to SQL injection attacks. The vulnerability exists in the verify function in PageAction.java because the validated function call is not properly handled, which allows an attacker to inject and execute arbitrary queries...

CVSS 9.8 · AI score 9.5 · EPSS 0.00873
Exploits 1 · References 2 · Affected Software 2
Snyk
added 2022/05/24 10:06 p.m. · 1 view

Allocation of Resources Without Limits or Throttling

Overview: std/crypto/dsa is a Go standard library package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: via the Verify function. An attacker can cause excessive resource consumption and make affecte...

CVSS 8.7 · AI score 6.8 · EPSS 0.04335
Exploits 0 · References 3
OSV
added 2022/05/24 10:06 p.m. · 34 views

GO-2022-0166 Denial of service due to unchecked parameters in crypto/dsa

The Verify function in crypto/dsa passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go...

CVSS 7.5 · AI score 7.4 · EPSS 0.04335
Exploits 0 · References 4
Github Security Blog
added 2022/05/14 12:59 a.m. · 27 views

Python RSA allows attackers to spoof signatures

The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack...

CVSS 5.3 · AI score 6.7 · EPSS 0.07054
Exploits 1 · References 12 · Affected Software 1