18 matches found
CVE-2020-12687
An issue was discovered in Serpico before 1.3.3. The /admin/attacmentsbackup endpoint can be requested by non-admin authenticated users. This means that an attacker with a user account can retrieve all of the attachments of all users including administrators from the database...
EUVD-2025-203398
An unauthenticated Broken Function Level Authorization BFLA vulnerability in Newgen OmniDocs v11.0 allows attackers to obtain sensitive information and execute a full account takeover via a crafted API request...
CVE-2024-13998 Nagios XI < 2024R1.1.3 API Keys & Hashed Passwords Authenticated Information Disclosure
Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information including API keys and hashed passwords to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse ...
Design/Logic Flaw
CubeFS is an open-source cloud-native file storage system. A security vulnerability was found in CubeFS HandlerNode in versions prior to 3.3.1 that could allow authenticated users to send maliciously-crafted requests that would crash the ObjectNode and deny other users from using it. The root cau...
CVE-2023-46738 Authenticated users can crash the CubeFS servers with maliciously crafted requests
CubeFS is an open-source cloud-native file storage system. A security vulnerability was found in CubeFS HandlerNode in versions prior to 3.3.1 that could allow authenticated users to send maliciously-crafted requests that would crash the ObjectNode and deny other users from using it. The root cau...
countly-server 授权问题漏洞
countly-server is the server-side component of Countly, a product analytics solution. An authorization issue vulnerability exists in version 22.x prior to countly-server 22.03.7 and version 21.x prior to 21.11.4, which can be exploited by an attacker to reset passwords and take over accounts...
6 Things You Need to Do to Prevent Getting Hacked
You are your own biggest weakness, but changing just a few of your behaviors can reduce the chances that your online accounts get breached...
Nosy Ex-Partners Armed with Instagram Passwords Pose a Serious Threat
Breakups can be traumatic in all sorts of ways. Now we know they can pose a serious cybersecurity threat too. A new survey found that an alarming number of people are still accessing their exes’ accounts without their knowledge — a handful for malicious reasons. The survey conducted during Novemb...
GoDaddy Hack Breaches Hosting Account Credentials
UPDATE GoDaddy, the world’s largest domain name registrar, is warning customers that attackers may have obtained their web hosting account credentials. An “unauthorized individual” was able to access users’ login details in an intrusion that the company said took place back in October — the compa...
WordPress Code Snippets Cross-Site Request Forgery Vulnerability
WordPress is a set of WordPress Software Foundation's blogging platform developed using the PHP language, which supports personal blog sites on servers with PHP and MySQL. A cross-site request forgery vulnerability exists in the WordPress plugin Code Snippets. An attacker can exploit the...
Logic Flaw Vulnerability in RG-SAM Campus Network Self-Service System
Ruijie RG-SAM authentication and billing management system not only supports the high integration of software and hardware to form a highly available solution, but also adds value-added profit and other functions to provide users with a win-win cooperation solution with a flexible mode of...
Cross site request forgery (csrf)
kkcms v1.3 has a CSRF vulnerablity that can add an user account via admin/cmsuseradd.php...
Twitter temporarily disables 'Tweeting via SMS' after CEO gets hacked
Twitter today finally decided to temporarily disable a feature, called 'Tweeting via SMS,' after it was abused by a hacking group to compromise Twitter CEO Jack Dorsey last week and sent a series of racist and offensive tweets to Dorsey's followers. Dorsey's Twitter account was compromised last...
Hackers Compromise Microsoft Support Agent to Access Outlook Email Accounts
If you have an account with Microsoft Outlook email service, there is a possibility that your account information has been compromised by an unknown hacker or group of hackers, Microsoft confirmed The Hacker News. Earlier this year, hackers managed to breach Microsoft's customer support portal an...
Ad Network Sizmek Probes Account Breach
Online advertising firm Sizmek Inc. NASDAQ: SZMK says it is investigating a security incident in which a hacker was reselling access to a user account with the ability to modify ads and analytics for a number of big-name advertisers. In a recent posting to a Russian-language cybercrime forum, an...
One Call Doctor APP has arbitrary account password retrieval vulnerability
The One Call Doctor App is an app for the doctor community that focuses on helping people with quick and easy consultations after a consultation. There is an arbitrary account password retrieval vulnerability in One Call Doctor APP. The vulnerability is due to the server did not do accurate...
WordPress 利用 XMLRPC 爆破
Author: RickGray 知道创宇404安全实验室 Date: 2015-10-09 xmlrpc 是 WordPress 中进行远程调用的接口,而使用 xmlrpc 调用接口进行账号爆破在很早之前就被提出并加以利用。近日 SUCURI 发布文章介绍了如何利用 xmlrpc 调用接口中的 system.multicall 来提高爆破效率,使得成千上万次的帐号密码组合尝试能在一次请求完成,极大的压缩请求次数,在一定程度上能够躲避日志的检测。 原理分析 WordPress 中关于 xmlrpc 服务的定义代码主要位于 wp-includes/class-IXR.php 和...
x_news allows unauthorized users to access administrative menu
Overview xnews allows a user to authenticate without supplying the user's plaintext password. Description xnews is a system for managing news. When a user logs in to xnews version 1.1 using a plaintext password, xnews hashes the password with MD5 and compares it to user's hash stored in the file...