Design/Logic Flaw
Open Forms allows users to create and publish smart forms. Versions prior to 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain a non-exploitable multi-factor authentication weakness. Superusers who have their credentials (username + password) compromised could potentially have the second-factor authentication...
Warning: PyTorch Models Vulnerable to Remote Code Execution via ShellTorch
Cybersecurity researchers have disclosed multiple critical security flaws in the TorchServe tool for serving and scaling PyTorch models that could be chained to achieve remote code execution on affected systems. Israel-based runtime application security company Oligo, which made the discovery, ha...
Law enforcement app SweepWizard leaks data on crime suspects
SweepWizard, an obscure app apparently created by ODIN Intelligence and used by more than 60 law enforcement departments, has a flaw: According to an ethical hacker, a misconfiguration in the app's API (application programming interface) caused it to unintentionally leak to the open internet a trov...
UPchieve: Zero click account Takeover due to Api misconfiguration 🏂🎩
Hacker reported that full account takeover was possible through exploitation of one of our forms. Hacker provided sufficient information to prove capability and how to remediate. Our team remediated the issue so that the takeover is no longer possible. I was able to take over any account without any...
BCM Messenger: API - Amazon S3 bucket misconfiguration
Dear BCM Messenger, Description: My discovery started from com.bcm.messenger. First, I traced what the application sends and receives from the network, so I used the Frida tool to bypass SSL pinning. Then I was able to trace the application's HTTP traffic, and since API data is not encrypted and there's nothi...