Monthly
MFA bypass in Webmin prior to 2.641 enables remote attackers holding valid credentials to circumvent multi-factor authentication entirely by supplying the literal string 'webmin' as the HTTP User-Agent header, causing the server to accept basic authentication without requiring a session cookie or a second factor. The affected CPE covers all Webmin releases before 2.641, and the impact extends well beyond the low integrity score assigned by the official CVSS - Webmin is a full server administration panel, meaning successful authentication grants control over the underlying host. No public exploit code or CISA KEV listing has been identified at time of analysis; the issue was reported by CISA-CG and patched in the 2.641 release.
Authentication bypass of MFA in Termix versions prior to 2.3.2 allows an attacker who already holds a victim's account password to disable TOTP or regenerate backup codes via the POST /users/totp/disable and POST /users/totp/backup-codes endpoints, completely neutralizing the second factor. The flaw stems from these MFA-critical endpoints accepting the account password as the sole authentication factor, meaning credential stuffing, phishing, or a leaked password hash (referenced as GHSA-xxxx) is sufficient to defeat 2FA. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SOGo versions prior to 5.12.5 contain two related one-time password (OTP) implementation weaknesses: the OTP is not regenerated when users disable and re-enable two-factor authentication, and the OTP length is only 12 digits instead of the cryptographically recommended 20 digits. While the CVSS score is low (2.0) due to high attack complexity and privileges required, this vulnerability could allow authenticated administrators or high-privilege users with social engineering capability to bypass or weaken OTP protections. No known active exploitation or public proof-of-concept exists, but the issue has been acknowledged and patched by the vendor.
Cipace versions up to 9.17 contains a vulnerability that allows attackers to bypass a protection mechanism (CVSS 4.3).
A security vulnerability in An unauthenticated attacker may exploit a scenario where a (CVSS 8.1). High severity vulnerability requiring prompt remediation.
This vulnerability exists in Shilpi Client Dashboard due to implementation of inadequate authentication mechanism in the login module wherein access to any users account is granted with just their. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. No vendor patch available.
The Admin Classic Bundle provides a Backend UI for Pimcore. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.
In JetBrains TeamCity before 2023.05 authentication checks were missing - 2FA was not checked for some sensitive account actions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
MFA bypass in Webmin prior to 2.641 enables remote attackers holding valid credentials to circumvent multi-factor authentication entirely by supplying the literal string 'webmin' as the HTTP User-Agent header, causing the server to accept basic authentication without requiring a session cookie or a second factor. The affected CPE covers all Webmin releases before 2.641, and the impact extends well beyond the low integrity score assigned by the official CVSS - Webmin is a full server administration panel, meaning successful authentication grants control over the underlying host. No public exploit code or CISA KEV listing has been identified at time of analysis; the issue was reported by CISA-CG and patched in the 2.641 release.
Authentication bypass of MFA in Termix versions prior to 2.3.2 allows an attacker who already holds a victim's account password to disable TOTP or regenerate backup codes via the POST /users/totp/disable and POST /users/totp/backup-codes endpoints, completely neutralizing the second factor. The flaw stems from these MFA-critical endpoints accepting the account password as the sole authentication factor, meaning credential stuffing, phishing, or a leaked password hash (referenced as GHSA-xxxx) is sufficient to defeat 2FA. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SOGo versions prior to 5.12.5 contain two related one-time password (OTP) implementation weaknesses: the OTP is not regenerated when users disable and re-enable two-factor authentication, and the OTP length is only 12 digits instead of the cryptographically recommended 20 digits. While the CVSS score is low (2.0) due to high attack complexity and privileges required, this vulnerability could allow authenticated administrators or high-privilege users with social engineering capability to bypass or weaken OTP protections. No known active exploitation or public proof-of-concept exists, but the issue has been acknowledged and patched by the vendor.
Cipace versions up to 9.17 contains a vulnerability that allows attackers to bypass a protection mechanism (CVSS 4.3).
A security vulnerability in An unauthenticated attacker may exploit a scenario where a (CVSS 8.1). High severity vulnerability requiring prompt remediation.
This vulnerability exists in Shilpi Client Dashboard due to implementation of inadequate authentication mechanism in the login module wherein access to any users account is granted with just their. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. No vendor patch available.
The Admin Classic Bundle provides a Backend UI for Pimcore. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.
In JetBrains TeamCity before 2023.05 authentication checks were missing - 2FA was not checked for some sensitive account actions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.