ZM Ajax Login & Register Security Vulnerabilities

openSUSE: Security Advisory for openssl (SUSE-SU-2024:2059-1)

The remote host is missing an update for...

openSUSE: Security Advisory for libaom (SUSE-SU-2024:2056-1)

The remote host is missing an update for...

SUSE: Security Advisory (SUSE-SU-2024:2081-1)

The remote host is missing an update for...

SUSE: Security Advisory (SUSE-SU-2024:2082-1)

The remote host is missing an update for...

openSUSE: Security Advisory for booth (SUSE-SU-2024:2040-1)

The remote host is missing an update for...

CVE-2024-36677

In the module "Login as customer PRO" (loginascustomerpro) <1.2.7 from Weblir for PrestaShop, a guest can access direct link to connect to each customer account of the Shop if the module is not installed OR if a secret accessible to administrator is...

SUSE: Security Advisory (SUSE-SU-2024:2050-1)

The remote host is missing an update for...

SUSE: Security Advisory (SUSE-SU-2024:2080-1)

The remote host is missing an update for...

Fedora: Security Advisory for ghostscript (FEDORA-2024-939eac36ae)

The remote host is missing an update for...

Fedora: Security Advisory for webkitgtk (FEDORA-2024-4d71f28349)

The remote host is missing an update for...

openSUSE: Security Advisory for booth (SUSE-SU-2024:2042-1)

The remote host is missing an update for...

Fedora: Security Advisory for python-authlib (FEDORA-2024-7cc9a030d9)

The remote host is missing an update for...

Moodle < 4.1.11, 4.2.x < 4.2.8, 4.3.x < 4.3.5, 4.4.x < 4.4.1 Multiple Vulnerabilities

Moodle is prone to multiple...

User Registration And Management System 3.2 SQL Injection

...

Ubuntu: Security Advisory (USN-6840-1)

The remote host is missing an update for...

openSUSE: Security Advisory for xdg (SUSE-SU-2024:2067-1)

The remote host is missing an update for...

openSUSE: Security Advisory for openssl (SUSE-SU-2024:2066-1)

The remote host is missing an update for...

openSUSE: Security Advisory for bouncycastle (SUSE-SU-2024:1539-2)

The remote host is missing an update for...

openSUSE: Security Advisory for python (SUSE-SU-2024:2064-1)

The remote host is missing an update for...

SUSE: Security Advisory (SUSE-SU-2024:2077-1)

The remote host is missing an update for...

SUSE: Security Advisory (SUSE-SU-2024:2065-1)

The remote host is missing an update for...

openSUSE: Security Advisory for php8 (SUSE-SU-2024:2039-1)

The remote host is missing an update for...

openSUSE: Security Advisory for openssl (SUSE-SU-2024:2051-1)

The remote host is missing an update for...

openSUSE: Security Advisory for podman (SUSE-SU-2024:2050-1)

The remote host is missing an update for...

Moodle uses the same key for QR login and auto-login

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the...

Moodle uses the same key for QR login and auto-login

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the...

CVE-2024-6129

A vulnerability, which was classified as problematic, was found in spa-cartcms 1.9.0.6. Affected is an unknown function of the file /login of the component Username Handler. The manipulation of the argument email leads to observable behavioral discrepancy. It is possible to launch the attack...

CVE-2024-6129

A vulnerability, which was classified as problematic, was found in spa-cartcms 1.9.0.6. Affected is an unknown function of the file /login of the component Username Handler. The manipulation of the argument email leads to observable behavioral discrepancy. It is possible to launch the attack...

CVE-2024-6129 spa-cartcms Username login observable behavioral discrepancy

A vulnerability, which was classified as problematic, was found in spa-cartcms 1.9.0.6. Affected is an unknown function of the file /login of the component Username Handler. The manipulation of the argument email leads to observable behavioral discrepancy. It is possible to launch the attack...

PocketBase performs password auth and OAuth2 unverified email linking

In order to be exploited you must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: - a malicious actor register with the targeted user's email (it is unverified) - at some later point in time the targeted user stumble on your app and decides to sign-up with.....

PocketBase performs password auth and OAuth2 unverified email linking

In order to be exploited you must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: - a malicious actor register with the targeted user's email (it is unverified) - at some later point in time the targeted user stumble on your app and decides to sign-up with.....

CVE-2024-38277

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the...

CVE-2024-38277

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the...

CVE-2024-38277 moodle: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the...

CVE-2024-38277 moodle: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the...

CVE-2024-38351

Pocketbase is an open source web backend written in go. In affected versions a malicious user may be able to compromise other user accounts. In order to be exploited users must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: 1. a malicious actor register...

CVE-2024-38351

Pocketbase is an open source web backend written in go. In affected versions a malicious user may be able to compromise other user accounts. In order to be exploited users must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: 1. a malicious actor register...

CVE-2024-38351 Password auth and OAuth2 unverified email linking

Pocketbase is an open source web backend written in go. In affected versions a malicious user may be able to compromise other user accounts. In order to be exploited users must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: 1. a malicious actor register...

Explained: Android overlays and how they are used to trick people

Sometimes you’ll see the term "overlays" used in articles about malware and you might wonder what they are. In this post we will try to explain what overlays—particularly on Android devices—are, and how cybercriminals deploy them. Most of the time, overlays are used to make people think they are...

43% of couples experience pressure to share logins and locations, Malwarebytes finds

All isn’t fair in love and romance today, as 43% of people in a committed relationship said they have felt pressured by their own partners to share logins, passcodes, and/or locations. A worrying 7% admitted that this type of pressure has included the threat of breaking up or the threat of...

CyberChef - The Cyber Swiss Army Knife - A Web App For Encryption, Encoding, Compression And Data Analysis

CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR and Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data,...

Analysis of user password strength

The processing power of computers keeps growing, helping users to solve increasingly complex problems faster. A side effect is that passwords that were impossible to guess just a few years ago can be cracked by hackers within mere seconds in 2024. For example, the RTX 4090 GPU is capable of...

XWiki < 4.10.20 - Remote code execution

XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user registration. This impacts all installations that have...

CVE-2024-6108

A vulnerability was found in Genexis Tilgin Home Gateway 322_AS0500-03_05_13_05. It has been classified as problematic. Affected is an unknown function of the file /vood/cgi-bin/vood_view.cgi?act=index&lang=EN# of the component Login. The manipulation of the argument errmsg leads to basic cross...

CVE-2024-6108

A vulnerability was found in Genexis Tilgin Home Gateway 322_AS0500-03_05_13_05. It has been classified as problematic. Affected is an unknown function of the file /vood/cgi-bin/vood_view.cgi?act=index&lang=EN# of the component Login. The manipulation of the argument errmsg leads to basic cross...

CVE-2024-6108 Genexis Tilgin Home Gateway Login cross site scripting

A vulnerability was found in Genexis Tilgin Home Gateway 322_AS0500-03_05_13_05. It has been classified as problematic. Affected is an unknown function of the file /vood/cgi-bin/vood_view.cgi?act=index&lang=EN# of the component Login. The manipulation of the argument errmsg leads to basic cross...

CVE-2024-6108 Genexis Tilgin Home Gateway Login cross site scripting

A vulnerability was found in Genexis Tilgin Home Gateway 322_AS0500-03_05_13_05. It has been classified as problematic. Affected is an unknown function of the file /vood/cgi-bin/vood_view.cgi?act=index&lang=EN# of the component Login. The manipulation of the argument errmsg leads to basic cross...

CVE-2024-5860

The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers, with Subscriber-level....

CVE-2024-5860

The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers, with Subscriber-level....

CVE-2024-5860 Tickera <= 3.5.2.8 - Missing Authorization to Authenticated (Susbcriber+) Ticket Deletion

The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers, with Subscriber-level....