GHSA-4H9Q-P5J4-XVVH Ech0: Scoped admin access tokens can bypass least-privilege controls on privileged endpoints, including backup export
Summary Ech0 scoped access tokens do not reliably enforce least privilege: multiple privileged admin routes omit scope checks, and the backup export handler strips token scope metadata entirely, allowing a low-scope admin access token to reach broader admin functionality than intended. Impact An...
CVE-2025-15464
Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls...
PT-2026-1770
Name of the Vulnerable Software and Affected Versions: Gmail, affected versions not specified. Description: An exported activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls. This allows unauthorized access to Gmail...
GHSA-2W46-VQ8H-98VH Shopware 6's password recovery link does not expire after email change
Summary When a customer changes their email address after requesting a password reset, the old password reset link tied to the previous email remains valid. An attacker with access to the old email inbox is potentially able to reset the customer’s password even after the user changes their email...
EUVD-2024-3544
Malicious code in bioql PyPI...
PT-2024-34165 · Frappe · Press
Name of the Vulnerable Software and Affected Versions: Press versions prior to the version containing commit ba0007c28ac814260f836849bc07d29beea7deb6 Description: The issue concerns a password reset vulnerability in Press, a custom app for Frappe Cloud that manages various services including...
CVE-2021-40354
A vulnerability has been identified in Teamcenter V12.4 All versions V12.4.0.8, Teamcenter V13.0 All versions V13.0.0.7, Teamcenter V13.1 All versions V13.1.0.5, Teamcenter V13.2 All versions 13.2.0.2. The "surrogate" functionality on the user profile of the application does not perform sufficien...
Microsoft Exchange – Password Spraying
Outlook Web Access (OWA) portals are typically externally facing in order to allow users to access their email from the Internet. This gives threat actors the opportunity to use a common password against a valid list of usernames (password spraying) in order to get some initial access to t...
msnXSSCB.txt
Summary ------- A cookie-stealing Cross-site scripting vulnerability was found on MSN's website msn.com. Using this vulnerability, an attacker could potentially gain access to a victim's Inbox. This vulnerability was discovered by: tontonq and Nir Goldshlager. Disclosure timeline...
Security Issue in Icewarp
IceWarp is one of the world's most used webmail software packages. It's another product of the Merak Mail developers. There is a security issue in IceWarp. It's like this: when you create a new user, IceWarp gives them a static number. If this user does not log out after checking their inbox, you can access their...