CVE-2021-44949: glFusion CMS 1.7.9 user Login denied vulnerability · Issue #487 · glFusion/glfusion

glFusion CMS 1.7.9 is affected by an access control vulnerability via /public_html/users.php.

Incidentally, it’s worth mentioning that the lockout is based on failed attempts from an IP address, not by user name. So the valid user could still log into the site. Unless they’re sharing a public IP with the attacker, of course.

On Thu, Dec 9, 2021 at 9:43 AM Lee Garner ***@***.***> wrote:

Currently the full name (could be a nickname) is shown along with the username. I don't think it would hurt to show only the full name, if available, otherwise the user name. Creating a "nickname" field is interesting, but I suspect most users will leave it blank if allowed, or use their login names for it as well.

On Thu, Dec 9, 2021 at 2:12 AM Topsec_bunney ***@***.***> wrote:

> We can get the username from this link:
>
> http://192.168.255.130/glfusion1.7.9/public_html/users.php?mode=profile&uid=3
>
> [image: firefox_fIwf2EDlUU] https://user-images.githubusercontent.com/73220685/145376552-976aae00-0893-44b7-ac14-0c1e7de9233f.png
>
> So, an attacker can get all usernames.
>
> Then they can keep logging in as all users with the wrong password, which will prevent all users from logging in to the website normally.
>
> [image: firefox_LrrbnCvHFd] https://user-images.githubusercontent.com/73220685/145376725-bde27dbe-c667-4ba4-8cf4-4b5f99998885.png
>
> There are two solutions:
>
> 1. Set a verification code on the login page.
> 2. Display the user's nickname instead of the login name.
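The two lockout policies contrasted in this exchange (lockout keyed by username, as the reporter assumes, versus keyed by source IP, as the maintainer describes), modelled as an added Python example; this is not glFusion's code, and the threshold, credentials and addresses are constructed:

```python
"""Model of per-username versus per-IP login lockout.

A per-username lockout lets anyone who knows a login name deny that user
access by exhausting its failed-attempt budget. A per-source-IP lockout
blocks the address making the failed attempts instead, so the real user
still logs in unless they share that address with the attacker.
"""
from collections import defaultdict

MAX_FAILED = 3                        # assumed threshold, not glFusion's value
USERS = {"alice": "correct-horse"}    # constructed credential store


class LoginGate:
    """Counts failed logins under a chosen key and blocks once exceeded."""

    def __init__(self, key_by):
        assert key_by in ("username", "ip")
        self.key_by = key_by
        self.failures = defaultdict(int)

    def _key(self, username, ip):
        return username if self.key_by == "username" else ip

    def attempt(self, username, password, ip):
        """Return 'locked', 'denied' or 'ok' for one login attempt."""
        key = self._key(username, ip)
        if self.failures[key] >= MAX_FAILED:
            return "locked"
        if USERS.get(username) == password:
            self.failures[key] = 0        # a success resets the counter
            return "ok"
        self.failures[key] += 1
        return "denied"


def simulate(key_by, attacker_ip="198.51.100.7", victim_ip="203.0.113.9"):
    """Burn alice's attempts from attacker_ip with a wrong password, then let
    alice log in with the right password from victim_ip; return her result."""
    gate = LoginGate(key_by)
    for _ in range(MAX_FAILED):
        gate.attempt("alice", "wrong-password", attacker_ip)
    return gate.attempt("alice", "correct-horse", victim_ip)
```

With `key_by="ip"` the legitimate user is only locked out when she shares the attacker's address, which is exactly the caveat the maintainer raises.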
