PT-2026-52217

Discover critical Gitea security flaws exposing servers to account takeovers and SSRF attacks. Read about CVE-2026-20896 and CVE-2026-22874 patches today. Gitea Cybersecurity CVE202620896 CVE202622874 Vulnerability https://t.co/nCAKq1ZLGW https://t.co/FB9mdQykMY...

OneUptime 安全漏洞

OneUptime is a comprehensive solution developed by OneUptime OpenSource. It is used to monitor and manage your online services. Versions of OneUptime prior to 10.0.21 contained security vulnerabilities. These vulnerabilities stemmed from bypasses in authorization and tenant isolation, which could...

chartbrew 代码问题漏洞

Chartbrew is an open-source data visualization and dashboard-building tool developed by Chartbrew. Versions of Chartbrew prior to 4.8.4 contained code vulnerabilities. These vulnerabilities stemmed from allowing the upload of files without verifying their types or content. This could lead to the...

Is Your Android TV Streaming Box Part of a Botnet?

On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix , ESPN and Hulu , all for a one-time fee of around $400. But security experts...

Our plan for a more secure npm supply chain

Open source software is the bedrock of the modern software industry. Its collaborative nature and vast ecosystem empower developers worldwide, driving efficiency and progress at an unprecedented scale. This scale also presents unique vulnerabilities that are continually tested and under attack by...

Lawsuit About WhatsApp Security

Attaullah Baig, WhatsApp's former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission. The lawsuit, alleging violations of the whistleblower...

PyPI Blocks 1,800 Expired-Domain Emails to Prevent Account Takeovers and Supply Chain Attacks

The maintainers of the Python Package Index PyPI repository have announced that the package manager now checks for expired domains to prevent supply chain attacks. "These changes improve PyPI's overall account security posture, making it harder for attackers to exploit expired domain names to gai...

Multiple Advantech products have unspecified vulnerabilities

Advantech WISE-4060LAN is an industrial automation controller from Advantech, Taiwan, China. A security vulnerability exists in multiple Advantech products, which can be exploited by attackers to cause brute force exploits and account takeovers...

nOAuth Vulnerability Still Affects 9% of Microsoft Entra SaaS Apps Two Years After Discovery

New research has uncovered continued risk from a known security weakness in Microsoft's Entra ID, potentially enabling malicious actors to achieve account takeovers in susceptible software-as-a-service SaaS applications. Identity security company Semperis, in an analysis of 104 SaaS applications,...

Billions of logins for Apple, Google, Facebook, Telegram, and more found exposed online

When organizations, good or bad, start hoarding collections of login credentials the numbers quickly add up. Take the 184 million logins for social media accounts we reported about recently. Now try to imagine 16 billion! Researchers at Cybernews have discovered 30 exposed datasets containing fro...

Boelter Blue System Management 1.3 - SQL Injection Vulnerability

Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management version 1.3 Google Dork: inurl:"Powered by Boelter Blue" Exploit Author: CBKB DeadlyData, R4d1x Vendor Homepage: https://www.boelterblue.com Software Link:...

Boelter Blue System Management 1.3 - SQL Injection

Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management version 1.3 Google Dork: inurl:"Powered by Boelter Blue" Date: 2024-06-04 Exploit Author: CBKB DeadlyData, R4d1x Vendor Homepage: https://www.boelterblue.com Software Link:...

GitLab warns zero-click vulnerability could lead to account takeovers

GitLab has issued a warning about a critical vulnerability in GitLab Community Edition CE and Enterprise Edition EE. GitLab is an online DevOps platform that allows developers to collaborate on creating software. Organizations have a choice to install GitLab on their own servers or under GitLab’s...

Rocky Linux 8 : grafana (RLSA-2022:5717)

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2022:5717 advisory. - Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious use...

Conquering Adversarial Bots and Humans to Prevent Account Takeovers

...

Genesis Market No Longer Feeds The Evil Cookie Monster

Genesis Market No Longer Feeds The Evil Cookie Monster By John Fokker, Ernesto Fernández Provecho and Max Kersten · April 05, 2023 We would like to thank Steen Pedersen and Mo Cashman for their remediation advice. On the 4th and the 5th of April, a law enforcement taskforce spanning agencies acro...

A week in security (March 27 - April 2)

Last week on Malwarebytes Labs: Solving the passwords hardest problem with passkeys, featuring Anna Pobletts Food giant Dole reveals more about ransomware attack Bogus Chat GPT extension takes over Facebook accounts Ransomware gunning for transport sector's OT systems next GitHub accidentally...

Reflected XSS in Gotify's /docs via import of outdated Swagger UI

Impact Gotify exposes an outdated instance of the Swagger UI API documentation frontend at /docs which is susceptible to reflected XSS attacks when loading external Swagger config files. Specifically, the DOMPurify version included with this version of Swagger UI is vulnerable to a rendering XSS...

U.S. Dept Of Defense: IDOR when editing email leads to Mass Full ATOs (Account Takeovers) without user interaction on https://██████/

Dear DoD team, I found one critical bug on your domain: https://██████/ It's IDOR. Also this domain is from Hack US program. What is that IDOR? Insecure direct object references IDOR are a type of access control vulnerability that arises when an application uses user-supplied input to access...

The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

One of the more common ways cybercriminals cash out access to bank accounts involves draining the victims funds via Zelle, a "peer-to-peer" P2P payment service used by many financial institutions that allows customers to quickly send cash to friends and family. Naturally, a great deal of phishing...