64 matches found
CVE-2025-57437
The Blackmagic Web Presenter HD firmware version 3.3 exposes sensitive information via an unauthenticated Telnet service on port 9977. When connected, the service reveals extensive device configuration data including: - Model, version, and unique identifiers - Network settings including IP, MAC,...
Coinbase Agents Bribed, Data of ~1% Users Leaked; $20M Extortion Attempt Fails
Cryptocurrency exchange Coinbase has disclosed that unknown cyber actors broke into its systems and stole account data for a small subset of its customers. "Criminals targeted our customer support agents overseas," the company said in a statement. "They used cash offers to convince a small group ...
OESA-2025-1468 cobbler security update
Cobbler is a network install server. Cobbler supports PXE, ISO virtualized installs, and re-installing existing Linux machines. The last two modes use a helper tool, 'koan', that integrates with cobbler. Cobbler's advanced features include importing distributions from DVDs and rsync mirrors,...
A week in security (November 25 – December 1)
Last week on Malwarebytes Labs: Printer problems? Beware the bogus help Data broker exposes 600,000 sensitive files including background checks Medical testing company LifeLabs failed to protect customer data, report finds Explained: the Microsoft connected experiences controversy Spotify, Audibl...
Splunk Enterprise 9.1.0 < 9.1.6, 9.2.0 < 9.2.3, 9.3.0 < 9.3.1 (SVD-2024-1008)
The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2024-1008 advisory. - In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6, the software potentially exposes sensitive HTTP parameters to th...
WordPress plugin Store Locator Plus 信息泄露漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. An information disclosure...
RHEL 7 : ansible (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - Ansible: Compromised remote hosts can lead to running commands on the Ansible controller CVE-2016-9587 - ...
RHEL 7 : ansible (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - Ansible: Compromised remote hosts can lead to running commands on the Ansible controller CVE-2016-9587 - ...
Unisys Stealth Security Vulnerability
Unisys Stealth is a zero-trust security software from Unisys, Inc. A security vulnerability exists in Unisys Stealth version 5.3.062.0 that originates from allowing an attacker to view sensitive information via the Enterprise ManagementInstallermsi.log file...
CVE-2023-49098 Reaction data for user notifications exposed in Discourse-reactions
Discourse-reactions is a plugin that allows user to add their reactions to the post. Data about a user's reaction notifications could be exposed. This vulnerability was patched in commit 2c26939...
CVE-2023-30565 CQI Data Sniffing
An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker...
SUSE CVE-2022-32210
Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via...
BILTEMA IP CAM 安全漏洞
BILTEMA IP CAM is a client for plug-and-play IP cameras from BILTEMA. A security vulnerability exists in BILTEMA IP CAM version v124, which originates from an insecure direct object reference in the web server. An attacker can exploit this vulnerability to access sensitive information...
Dapr Dashboard 访问控制错误漏洞
Dapr Dashboard is a web-based user interface for Dapr that allows users to view information, view logs of running Dapr applications, components, configurations, etc. Dapr Dashboard 0.1.0 and later, 0.10.0 and earlier versions have an access control error vulnerability that stems from the existenc...
CVE-2022-34775
Tabit - Excessive data exposure. Another endpoint mapped by the tiny url, was one for reservation cancellation, containing the MongoDB ID of the reservation, and organization. This can be used to query the http://tgm-api.tabit.cloud/rsv/management/reservationId?organization=orgId API which return...
CVE-2022-32210
Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via...
Cisco Identity Services Engine Authentication Bypass (cisco-sa-ISE-SAML-nuukMPf9)
A vulnerability in the login page of Cisco Identity Services Engine ISE could allow an unauthenticated, remote attacker to log in without credentials and access all roles without any restrictions. This vulnerability is due to exposed sensitive Security Assertion Markup Language SAML metadata. An...
CVE-2021-3774 Meross MSS550X Missing Encryption of Sensitive Data
Meross Smart Wi-Fi 2 Way Wall Switch MSS550X, on its 3.1.3 version and before, creates an open Wi-Fi Access Point without the required security measures in its initial setup. This could allow a remote attacker to obtain the Wi-Fi SSID as well as the password configured by the user from Meross app...
Design/Logic Flaw
The Gutenberg Template Library & Redux Framework plugin = 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in redux-core/class-redux-core.php that were unique to a given site but deterministic and predictable given that they were bas...
MobiKwik Suffers Major Breach — KYC Data of 3.5 Million Users Exposed
Popular Indian mobile payments service MobiKwik on Monday came under fire after 8.2 terabytes TB of data belonging to millions of its users began circulating on the dark web in the aftermath of a major data breach that came to light earlier this month. The leaked data includes sensitive personal...