Check CVE Id
Check CWE Id
QuantaStor Software Defined Storage < 4.3.1 Multiple Vulnerabilities
Nahuel D. Sanchez, VVV...
ProjectDox 8.1 XSS / User Enumeration / Ciphertext Reuse
CVEMAP Search Results
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 18.104.22.168 and earlier, and 22.214.171.124 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.
In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2.
An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP crypt() function which can be exploited to disclose hashed user credentials. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12).
An issue was discovered in Zammad 3.0 through 3.2. The Forgot Password functionality is implemented in a way that would enable an anonymous user to guess valid user emails. In the current implementation, the application responds differently depending on whether the input supplied was recognized as associated with a valid user. This behavior could be used as part of a two-stage automated attack. During the first stage, an attacker would iterate through a list of account names to determine which correspond to valid accounts. During the second stage, the attacker would use a list of common passwords to attempt to brute force credentials for accounts that were recognized by the system in the first stage.
webcalendar before 1.2.7 shows the reason for a failed login (e.g., "no such user").
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC.
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.
Proxmox VE prior to 3.2: 'AccessControl.pm' User Enumeration Vulnerability
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.
GnuTLS incorrectly validates the first byte of padding in CBC modes
Back to Top