2557 matches found
Malicious code in 901free-xbox-ea-access-codes (npm)
The package 901free-xbox-ea-access-codes was found to contain malicious code...
MAL-2025-28947 Malicious code in paypal-codes-generator371 (npm)
The package paypal-codes-generator371 was found to contain malicious code...
MAL-2025-20943 Malicious code in free-xbox-codes-app001 (npm)
The package free-xbox-codes-app001 was found to contain malicious code...
Malicious code in es6-http-status-codes (npm)
The package es6-http-status-codes was found to contain malicious code...
MAL-2025-28949 Malicious code in paypal-codes-generator658 (npm)
The package paypal-codes-generator658 was found to contain malicious code...
WordPress Add Custom Codes <= 4.80 - Arbitrary Code Execution Vulnerability
Arbitrary Code Execution Vulnerability discovered by Ryan Novotny in WordPress Plugin Add Custom Codes versions <= 4.80...
Security update for tiff
This update for tiff fixes the following issues: CVE-2025-8176: Fixed heap use-after-free in tools/tiffmedian.c (bsc1247108). CVE-2025-8177: Fixed possible buffer overflow in tools/thumbnail.c:setrow when processing malformed TIFF files (bsc1247106). Patch Instructions: To install this SUSE update use...
SUSE CVE-2025-55000
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected...
A week in security (August 4 – August 10)
Last week on Malwarebytes Labs: Adult sites trick users into Liking Facebook posts using a clickjack Trojan; Facebook users targeted in ‘login’ phish; TeaOnHer, the male version of Tea, is leaking personal information on its users too; How Google, Adidas, and more were breached in a Salesforce scam...
Improper Neutralization
Overview: Affected versions of this package are vulnerable to Improper Neutralization via the TOTP secrets engine, which accepts valid codes multiple times rather than strictly-once. An attacker can gain unauthorized access to sensitive information due to improper normalization in the underlying...
CVE-2025-55003
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to...
CVE-2025-55003
OpenBao CVE-2025-55003 affects OpenBao MFA (TOTP) in versions ≤ 2.3.1, where normalization in the TOTP library allowed whitespace-containing codes to bypass rate limiting and reuse existing MFA codes. The issue is fixed in version 2.3.2. Per the CVE, the exploitation vector is network with low co...
CVE-2025-55000 OpenBao TOTP Secrets Engine Enables Code Reuse
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected...
Unexpected snail mail packages are being sent with scammy QR codes, warns FBI
Receiving an unexpected package in the post is not always a pleasant surprise. The FBI has warned the public about unsolicited packages containing a QR code which leads to a website aimed at stealing personal data or downloading malware to the victim's device. The packages are often shipped witho...
CVE-2025-2297
Prior to version 25.4.270.0, a local authenticated attacker can manipulate user profile files to add illegitimate challenge response codes into the local user registry under certain conditions. This allows users with the ability to edit their user profile files to elevate their privileges to...
CVE-2025-2297
BeyondTrust Privilege Management for Windows before version 25.4.270.0 is affected by CVE-2025-2297, where a locally authenticated user can modify their own profile files to inject illegitimate challenge response codes into the local registry, enabling elevation to Administrator. Remediation from...
On Anti-Collusion Codes for Averaging Attack in Multimedia Fingerprinting
Multimedia fingerprinting is a technique to protect the copyrighted contents against being illegally redistributed under various collusion attack models. Averaging attack is the most fair choice for each colluder to avoid detection, and also makes the pirate copy have better perceptional quality...
CVE-2025-6523
Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass authentication via brute forcing the short emergency codes generated by the server within a feasible timeframe. This issue affects the following versions: Devolutions...