Security
Headlines

Tag: #auth

GHSA-895x-rfqp-jh5c: Keycloak does not invalidate offline sessions when the offline_access scope is removed

A flaw was found in Keycloak. An offline session continues to be valid after the offline_access scope is removed from the client. The refresh token is still accepted, and new tokens can continue to be requested for the session. This can lead to a situation where an administrator removes the scope and assumes that offline sessions are no longer available, when in fact they still are.

183 Million Synthient Stealer Credentials Added to Have I Been Pwned

Massive Synthient Stealer Log leak adds 183 million stolen usernames and passwords to Have I Been Pwned, exposing new victims worldwide.

GHSA-c5cj-xp43-qcc3: Moodle's error handling leads to sensitive information disclosure

An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.

GHSA-422v-w6c5-vq42: Moodle exposed the names of hidden groups to users

Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information.

GHSA-25wf-7x6c-wmpf: Moodle does not properly enforce MFA

A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising user accounts.

GHSA-m58f-9pvv-8mp2: Moodle vulnerable to brute-force password guesses

Moodle's mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.

GHSA-w29j-8phw-ffjf: Moodle has a time restriction bypass

An issue in Moodle's timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to complete an assessment.

GHSA-rjcm-7v2p-9265: Moodle course access permissions are not properly checked in course_output_fragment_course_overview

A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users to view information about courses they should not have access to, potentially exposing limited course details.

GHSA-8fcv-4qp9-pg32: Moodle sends quiz-related messages to inactive/suspended users

Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.

ASKI Energy ALS-Mini-S8 and ALS-Mini-S4

1. EXECUTIVE SUMMARY

CVSS v4 9.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: ASKI Energy
Equipment: ALS-Mini-S8, ALS-mini-s4 IP
Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain full control over the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following ASKI Energy products are affected:
ALS-mini-s4 IP (serial number from 2000 to 5166): All versions
ALS-mini-s8 IP (serial number from 2000 to 5166): All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 Missing Authentication for Critical Function (CWE-306)

A critical severity missing authentication vulnerability exists in the embedded web server of the ALS-mini-S4/S8 IP controllers. There is a lack of authentication functionality. Specifically, an attacker can read and modify product configuration parameters without being authenticated. CVE-2025-9574 has been assigned to this vulnerability. A CVSS v3.1 ...