34 matches found
CVE-2026-54088
File Browser (web UI) before version 2.63.6 is affected by a pre-authentication RCE. The Hook Authentication feature interpolates user-supplied credentials into a shell command using os.Expand without sanitization, enabling unauthenticated remote attackers to inject shell metacharacters in the lo...
curl 安全漏洞
curl is an open-source tool developed by cURL for transferring data from or to a server. Curl has a security vulnerability that stems from the incorrect reuse of existing HTTP proxy connections, which may lead to errors in processing new requests with different credentials...
CVE-2020-12127
An information disclosure vulnerability in the /cgi-bin/ExportAllSettings.sh endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to leak router settings, including cleartext login details, DNS settings, and other sensitive information without authentication...
“A dare, a challenge, a bit of fun:” Children are hacking their own schools’ systems, says study
As if ransomware wasn’t enough of a security problem for the sector, educational institutions also need to worry about their own students, a recent study shows. Last week, the UK Information Commissioner’s Office ICO published a report about the "insider threat of students". Here are a few key...
WhatsApp cryptocurrency scam goes for the cash prize
This weekend a scammer tried his luck by reaching out to me on WhatsApp. It’s not that I don’t appreciate it, but trust me, it’s bad for your business. I received one message from a number hailing from the Togolese Republic. WhatsApp message from an unknow sender “Jay, your financial account has...
ChatGPT Plugins Exposed to Critical Vulnerabilities, Risked User Data
By Deeba Ahmed Critical security flaws found in ChatGPT plugins expose users to data breaches. Attackers could steal login details and… This is a post from HackRead.com Read the original post: ChatGPT Plugins Exposed to Critical Vulnerabilities, Risked User Data...
Authentication flaw
This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to transmission of authentication credentials in plaintext over the network. A remote attacker could exploit this vulnerability by eavesdropping on the victim’s network traffic to extract username and password from the web...
NodeStealer Malware Now Targets Facebook Business Accounts on Multiple Browsers
An ongoing campaign is targeting Facebook Business accounts with bogus messages to harvest victims' credentials using a variant of the Python-based NodeStealer and potentially take over their accounts for follow-on malicious activities. "The attacks are reaching victims mainly in Southern Europe...
A Clever Honeypot Tricked Hackers Into Revealing Their Secrets
Security researchers set up a remote machine and recorded every move cybercriminals made—including their login details...
Cross site scripting
Stored Cross site scripting XSS vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page...
Tapo C310 RTSP server v1.3.0 - Unauthorised Video Stream Access Vulnerability
Exploit Title: Tapo C310 RTSP server v1.3.0- Unauthorised Video Stream Access Date: 19th July 2022 Exploit Author: dsclee1 Vendor Homepage: tp-link.com Software Link: http://download.tplinkcloud.com/firmware/TapoC310v1en1.3.0Build220328Rel.64283nu1649923652150.bin Version: 1.3.0 Tested on: Linux ...
Login Details of Tech Giants Leaked in Two Data Center Hacks
By Waqas Threat actors have hacked two data centers in Asia and accessed login credentials of top technology giants, including Apple, Uber, Microsoft, Samsung, Alibaba, etc., and leaked them on a hacker forum. This is a post from HackRead.com Read the original post: Login Details of Tech Giants...
ASB-A-193890833
In cleardatadlgtext of strings.xml, there is a possible situation when "Clear storage" functionality sets up the wrong security/privacy expectations due to a misleading message. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not...
SolarWinds Orion Platform Access Control Error Vulnerability
SolarWinds Orion Platform is a network fault and network performance management platform from Solarwinds, Inc. The platform provides real-time monitoring and analysis of network devices and supports a customizable web interface, multiple user opinions, and a mapped view of the entire network. An...
CVE-2021-25275
SolarWinds Orion Platform before 2020.2.4 stores database credentials for the SQL Server backend in a file readable by unprivileged users. An attacker with filesystem access can read login names and passwords, then gain database owner access to SWNetPerfMon.DB and potentially administer the appli...
Solarwinds Orion Platform 信任管理问题漏洞
SolarWinds Orion Platform is a network fault and network performance management platform from Solarwinds, Inc. The platform provides real-time monitoring and analysis of network devices and supports a customizable web interface, multiple user opinions, and a mapped view of the entire network. An...
h1-ctf: [h1-2006 2020] Write up for H1-2006 CTF
I huffed and puffed my way up a flight of stairs into a dimly lit, dusty room, looking for Sherlock. As I made way through scattered books, I exclaimed, "Sherlock, wake up! It’s that time of the year. h1-ctf, a chance to get an invitation to hackerone’s live hacking event. “zer0ttl, of course! Yo...
Tokopedia hacked – Login details of 91 million users sold on dark web
By Waqas Another day, another data breach - This time hackers have targeted Tokopedia and stole login data of 91 million user accounts. This is a post from HackRead.com Read the original post: Tokopedia hacked - Login details of 91 million users sold on dark web...
Steam-powered scammers
Digital game distribution services have not only simplified the sale of games themselves, but provided developers with additional monetization levers. For example, in-game items, such as skins, equipment, and other character-enhancing elements as well as those that help one show up, can be sold f...
CVE-2019-17356
The Infinite Design application 3.4.12 for Android sends a username and password via TCP without any encryption during login, as demonstrated by sniffing of a public Wi-Fi network...