
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

05 Mar 2020 — The verify endpoint in YubiKey Validation Server before 2.40 does not check the length of SQL queries, which allows remote attackers to cause a denial of service, aka SQL injection. NOTE: this issue is potentially relevant to persons outside Yubico who operate a self-hosted OTP validation service; the issue does NOT affect YubiCloud.
• https://github.com/Yubico/yubikey-val/releases/tag/yubikey-val-2.40
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.6 • EPSS: 0% • CPEs: 1 • EXPL: 1

05 Mar 2020 — The sync endpoint in YubiKey Validation Server before 2.40 allows remote attackers to replay an OTP. NOTE: this issue is potentially relevant to persons outside Yubico who operate a self-hosted OTP validation service with a non-default configuration such as an open sync pool; the issue does NOT affect YubiCloud.
• https://github.com/Yubico/yubikey-val/releases/tag/yubikey-val-2.40
• CWE-294: Authentication Bypass by Capture-replay