
123 matches found

Github Security Blog
added 2026/03/26 6:16 p.m. | 3 views

AVideo has Plaintext Video Password Storage

Summary: AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to the database via SQL injection, a database backup, or misconfigured access...

CVSS: 9.1 | AI score: 5.9 | EPSS: 0.00012
Exploits: 1 | References: 4 | Affected Software: 1
OSV
added 2026/03/26 6:16 p.m. | 2 views

GHSA-363V-5RH8-23WG AVideo has Plaintext Video Password Storage

Summary: AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to the database via SQL injection, a database backup, or misconfigured access...

CVSS: 9.1 | AI score: 6 | EPSS: 0.00012
Exploits: 1 | References: 4
GitLab Advisory Database
added 2026/03/20 12:0 a.m. | 6 views

Vikunja has TOTP Reuse During Validity Window

Any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window...

CVSS: 5.7 | AI score: 5.8 | EPSS: 0.00038
Exploits: 1 | References: 6 | Affected Software: 1
Malwarebytes
added 2026/03/16 7:16 a.m. | 7 views

A week in security (March 9 – March 15)

Last week on Malwarebytes Labs: Watch out for fake Malwarebytes renewal notices in your calendar; Google patches two Chrome zero-days under active attack. Update now; Attackers impersonate Temu in ClickFix $Temu airdrop scam; Apple patches Coruna exploit kit flaws for older iOS versions; This Android...

AI score: 5.8
Exploits: 0
OSV
added 2026/03/02 7:52 p.m. | 3 views

GHSA-MPP2-X7WV-38HV NocoDB has Plaintext Storage of Shared View Passwords

Summary: Shared view passwords were stored in plaintext in the database and compared using direct string equality. Details: The password column in ncviews stored unhashed passwords. Verification used !== comparison across public-datas.service.ts, public-metas.service.ts, and...

CVSS: 6.9 | AI score: 5.9 | EPSS: 0.00044
Exploits: 0 | References: 4
ATTACKERKB
added 2026/01/22 12:52 p.m. | 2 views

CVE-2025-14295

Storing Passwords in a Recoverable Format vulnerability in Automated Logic WebCTRL on Windows, Carrier i-Vu on Windows. Storing Passwords in a Recoverable Format vulnerability (CWE-257) in the Web session management component allows an attacker to access stored passwords in a recoverable format whi...

CVSS: 7 | AI score: 5.4 | EPSS: 0.00007
Exploits: 0 | References: 2 | Affected Software: 2
Cvelist
added 2026/01/22 12:52 p.m. | 14 views

CVE-2025-14295 Automated Logic WebCTRL and Carrier i-Vu Session Fixation

Storing Passwords in a Recoverable Format vulnerability in Automated Logic WebCTRL on Windows, Carrier i-Vu on Windows. Storing Passwords in a Recoverable Format vulnerability (CWE-257) in the Web session management component allows an attacker to access stored passwords in a recoverable format whi...

CVSS: 7 | EPSS: 0.00007
Exploits: 0 | References: 1
CNNVD
added 2026/01/22 12:0 a.m. | 2 views

i-Vu and Carrier Automated Logic WebCTRL security vulnerabilities

Carrier i-Vu and Carrier Automated Logic WebCTRL are both products of the American company Carrier. Carrier i-Vu is a building management system platform. Carrier Automated Logic WebCTRL is a building automation system. There are security vulnerabilities in versions 6.0 to 9.0 of Carrier i-Vu and...

CVSS: 7 | AI score: 5.8 | EPSS: 0.00007
Exploits: 0 | References: 1
Hacker One
added 2026/01/17 3:4 a.m. | 10 views

AWS VDP: Password Reuse Vulnerability on AWS Sign-in Page via Password Reset Flow leads to Security Policy Violation

Asset URL: ██████ Summary: The AWS sign-in page allows users to reuse old passwords when resetting their password, which violates security best practices outlined in OWASP Authentication Cheat Sheet and NIST 800-63B Digital Identity Guidelines. This misconfiguration could potentially weaken accou...

AI score: 5.6
Exploits: 0
EUVD
added 2026/01/06 12:44 a.m. | 2 views

EUVD-2026-1040

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This...

CVSS: 6.5 | AI score: 6.2 | EPSS: 0.00012
Exploits: 0 | References: 5
CNNVD
added 2026/01/06 12:0 a.m. | 1 views

Pterodactyl security vulnerability

Pterodactyl is an open source game server administration panel built using PHP, Nodejs and Go. A security vulnerability exists in Pterodactyl version 1.11.11 and earlier, which stems from the fact that a one-time password can be used multiple times during its expiration date, potentially leading ...

CVSS: 6.5 | AI score: 6.7 | EPSS: 0.00012
Exploits: 0 | References: 3
Veracode
added 2025/10/27 9:24 a.m. | 6 views

Improper Authentication

com.liferay, com.liferay.multi.factor.authentication.timebased.otp.web is vulnerable to improper authentication. The vulnerability is due to the reuse of time-based one-time passwords (TOTP) within their validity period, which allows an attacker with access to a user’s TOTP to authenticate as that...

CVSS: 6.5 | AI score: 7 | EPSS: 0.00044
Exploits: 0 | References: 4 | Affected Software: 1
EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2002-0440

Malware in sbrugna...

CVSS: 4.6 | AI score: 6.4 | EPSS: 0.00598
Exploits: 1 | References: 4
EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2023-31050

Malicious code in bioql PyPI...

CVSS: 8.8 | AI score: 5 | EPSS: 0.00116
Exploits: 0 | References: 1
OSV
added 2025/09/15 9:30 p.m. | 3 views

GHSA-4P5R-3JMM-652Q Liferay DXP Missing Critical Step in Authentication

Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user...

CVSS: 2.1 | AI score: 7.1 | EPSS: 0.00044
Exploits: 0 | References: 4
Github Security Blog
added 2025/09/15 9:30 p.m. | 9 views

Liferay DXP Missing Critical Step in Authentication

Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user...

CVSS: 6.5 | AI score: 7.1 | EPSS: 0.00044
Exploits: 0 | References: 4 | Affected Software: 1
OSV
added 2025/09/15 9:15 p.m. | 4 views

CVE-2025-43798

Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user...

CVSS: 6.5 | AI score: 5.8 | EPSS: 0.00044
Exploits: 0 | References: 1
Cvelist
added 2025/09/15 8:53 p.m. | 5 views

CVE-2025-43798

Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user...

CVSS: 2.1 | EPSS: 0.00044
Exploits: 0 | References: 1
CVE
added 2025/09/15 8:53 p.m. | 11 views

CVE-2025-43798

CVE-2025-43798 affects Liferay DXP 2023.Q4.0, 2023.Q3.1–2023.Q3.4, and 7.4 GA up to update 92 (as well as 7.3 GA up to update 35). The issue is reuse of a time-based one-time password (TOTP) within its validity period, enabling an attacker who has a user’s TOTP to authenticate as that user. The c...

CVSS: 6.5 | AI score: 6.7 | EPSS: 0.00044
Exploits: 0 | References: 1 | Affected Software: 1
Vulnrichment
added 2025/09/15 8:53 p.m. | 2 views

CVE-2025-43798

Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user...

CVSS: 2.1 | AI score: 6.7 | EPSS: 0.00044
Exploits: 0 | References: 1