
11 matches found

Github Security Blog
added 2026/02/24 8:13 p.m. · 4 views

ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints

Summary: Missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. Impact: This vulnerability allows an unauthenticated attack...

9.2 CVSS · 5.7 AI score · 0.00171 EPSS
Exploits: 1 · References: 4 · Affected Software: 1
CNNVD
added 2026/02/24 12:0 a.m. · 3 views

actual access control error vulnerability

Actual is a personal finance tool developed by Actual OpenSource. Versions of Actual prior to 26.2.1 contained an access control vulnerability. This vulnerability stemmed from the lack of an authentication middleware in the ActualBudget server component, which could allow unverified users to acce...

9.2 CVSS · 5.8 AI score · 0.00171 EPSS
Exploits: 1 · References: 2
Veracode
added 2025/12/31 2:59 a.m. · 3 views

Sensitive Information Exposure

@actual-app/sync-server is vulnerable to sensitive information exposure. The vulnerability is due to logging parsed API responses to STDOUT using console.log/console.debug, which allows an attacker with access to application logs to obtain sensitive data such as bearer tokens, bank account detail...

6.8 AI score
Exploits: 0
HackRead
added 2025/10/02 9:12 p.m. · 3 views

Renault UK Customer Records Stolen in Third-Party Breach

Renault UK warns customers of a third-party data breach exposing personal details, stressing vigilance against fraud and confirming no bank data lost...

7 AI score
Exploits: 0
Malwarebytes
added 2024/06/17 7:3 a.m. · 27 views

A week in security (June 10 – June 16)

Last week on Malwarebytes Labs: Truist bank confirms data breach; Update now! Google Pixel vulnerability is under active exploitation; Adobe clarifies Terms of Service change, says it doesn’t train AI on customer content; 23andMe data breach under joint investigation in two countries; When things go...

7 AI score
Exploits: 0
CNNVD
added 2023/01/10 12:0 a.m. · 2 views

openSUSE SQL injection vulnerability

openSUSE is a suite of Linux-based free operating systems and open source community projects from German company SUSE. openSUSE suffers from a SQL injection vulnerability that originates in its Travel support program that allows an attacker to extract sensitive user data bank account details,...

7.5 CVSS · 7.6 AI score · 0.00833 EPSS
Exploits: 1 · References: 4
Positive Technologies
added 2023/01/10 12:0 a.m. · 2 views

PT-2023-14814 · Rails +3

Name of the Vulnerable Software and Affected Versions: travel-support-program versions prior to the patched version Description: The travel-support-program, a rails app supporting the openSUSE travel support program, is affected by a Ransack query injection issue. This allows sensitive user data,...

7.5 CVSS · 7.6 AI score · 0.00833 EPSS
Exploits: 1 · References: 6
Krebs on Security
added 2019/11/03 9:41 p.m. · 104 views

NCR Barred Mint, QuickBooks from Banking Platform During Account Takeover Storm

Banking industry giant NCR Corp. NYSE: NCR late last month took the unusual step of temporarily blocking third-party financial data aggregators Mint and QuickBooks Online from accessing Digital Insight, an online banking platform used by hundreds of financial institutions. That ban, which came in...

7.2 AI score
Exploits: 0
The Hacker News
added 2019/09/18 2:11 p.m. · 1 views

IT Firm Manager Arrested in the Biggest Data Breach Case of Ecuador's History

Ecuador officials have arrested the general manager of IT consulting firm Novaestrat after the personal details of almost the entire population of the Republic of Ecuador were left exposed online in what seems to be the most significant data breach in the country's history. Personal records of more th...

6.6 AI score
Exploits: 0
The Hacker News
added 2013/12/05 10:49 p.m. · 12 views

Biggest American Bank 'JPMorgan Chase' hacked; 465,000 card users' data stolen

JPMorgan Chase, one of the world's biggest banks, has recently announced that it was the victim of a cyber attack and warned around 465,000 of its holders of prepaid cash cards on the possible exposure of their personal information. In the security breach that took place on the bank's website...

6.7 AI score
Exploits: 0
The Hacker News
added 2011/08/11 6:49 a.m. · 56 views

SpyEye 1.3.45 Download - Loader source code

A new, fresh and sophisticated web-based bot named SpyEye is around in the markets and looks to be the possible successor of the famous Zeus Trojan due to its very interesting features, with the main objective to steal bank accounts, credit cards, f...

6.9 AI score
Exploits: 0