CVE-2025-15626 Authenticated user can bypass authorization in Ribblr - Crochet & Knitting iOS application
Authenticated user can bypass authorization in Ribblr - Crochet & Knitting iOS application...
EUVD-2020-30990
Easy Transfer 1.7 iOS mobile application contains a directory traversal vulnerability that allows remote attackers to access unauthorized file system paths without authentication. Attackers can exploit the vulnerability by manipulating path parameters in GET and POST requests to list or download...
CVE-2020-37086 Easy Transfer 1.7 for iOS - Directory Traversal
Easy Transfer 1.7 iOS mobile application contains a directory traversal vulnerability that allows remote attackers to access unauthorized file system paths without authentication. Attackers can exploit the vulnerability by manipulating path parameters in GET and POST requests to list or download...
CVE-2020-12131
The AirDisk Pro app 5.5.3 for iOS allows XSS via the devicename parameter shown next to the UI logo...
EUVD-2025-206056
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in nebelhorn Blappsta Mobile App Plugin & Your native, mobile iPhone App and Android App allows Reflected XSS. This issue affects Blappsta Mobile App Plugin Your native, mobile iPhone App and Android...
CVE-2025-14023
LINE client for iOS prior to 15.19 allows UI spoofing due to inconsistencies between the navigation state and the in-app browser's user interface, which could create confusion about the trust context of displayed pages or interactive elements under specific conditions...
CVE-2025-14022
LINE client for iOS prior to 15.4 allows man-in-the-middle attacks due to improper SSL/TLS certificate validation in an integrated financial SDK. The SDK interfered with the application's network processing, causing server certificate verification to be disabled for a significant portion of netwo...
PT-2025-51205
The in-app browser in LINE client for iOS versions prior to 14.14 is vulnerable to address bar spoofing, which could allow attackers to execute malicious JavaScript within iframes while displaying trusted URLs, enabling phishing attacks through overlaid malicious content...
EUVD-2025-201279
AirKeyboard iOS App 1.0.5 contains a missing authentication vulnerability that allows unauthenticated attackers to type arbitrary keystrokes directly into the victim's iOS device in real-time without user interaction, resulting in full remote input control...
CVE-2025-60022
Improper certificate validation vulnerability exists in 'デジラアプリ' App for iOS prior to ver.80.10.00. If this vulnerability is exploited, a man-in-the-middle attack may allow an attacker to eavesdrop on and/or tamper with an encrypted communication...
EUVD-2017-14988
Malware in sbrugna...
Splashin iOS security vulnerability
Splashin iOS is an iOS application by Splashin, Inc. A security vulnerability exists in Splashin iOS version v2.0, which stems from not enforcing server-side interval limits and could lead to location data disclosure...
CVE-2025-20615
The Qardio Arm iOS application exposes sensitive data such as usernames and passwords in a plist file. This allows an attacker to log in to production-level development accounts and access an engineering backdoor in the application. The engineering backdoor allows the attacker to send hex-based...
LINE client for iOS vulnerable to universal cross-site scripting
Overview The in-app browser of LINE client for iOS provided by LY Corporation contains a universal cross-site scripting vulnerability CWE-79, CVE-2024-5739. LY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact If a user clicks a malicious...
"Hulu" App for iOS vulnerable to improper server certificate verification
Overview "Hulu" App for iOS provided by HJ Holdings, Inc. is vulnerable to improper server certificate verification CWE-295. Shungo Kumasaka of GMO Cyber Security by IERAE reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
The Malwarebytes 2021 State of Malware report: Lock and Code S02E04
This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we tune in to a special presentation from Adam Kujawa about the 2021 State of Malware report, which analyzed the top cybercrime goals of 2020 amidst the global pandemic. If you just pay...
PT-2020-14105 · Threattrack · Vipre Password Vault
Name of the Vulnerable Software and Affected Versions: ThreatTrack VIPRE Password Vault app versions through 1.100.1090 for iOS Description: The issue is related to missing SSL certificate validation. Recommendations: For ThreatTrack VIPRE Password Vault app versions through 1.100.1090, update to...
MetaTrader 4 vs MetaTrader 5 iPhone app
By Owais Sultan If you are an online trading enthusiast, you can use MetaTrader 5 and MetaTrader 4 iPhone apps to trade forex. Though the prime objective of MetaTrader 4 iPhone app and MetaTrader 5 iPhone app is to enable users to have great trading experience, these forex trading apps vary in...
A week in security (March 18 – 24)
Last week on Malwarebytes Labs, we touched on the susceptibility of hospitals against phishing attacks, password reuse, the risk of interactive TV shows to side-channel attacks, and Facebook's new and out-of-character plan to promote privacy in the platform. Other cybersecurity news A study...
"an" App for iOS vulnerable to directory traversal
Overview "an" App for iOS provided by PERSOL CAREER CO., LTD. uses the old version of cordova-plugin-ionic-webview, and inherits a directory traversal vulnerability CWE-22, CVE-2018-16202. Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC...