15 matches found
EUVD-2025-7221
Malicious code in bioql PyPI...
EUVD-2025-23817
Malicious code in bioql PyPI...
CVE-2025-56449
A security vulnerability was identified in Obsidian Scheduler's REST API 5.0.0 through 6.3.0. If an account is locked out due to not enrolling in MFA, e.g. after the 7-day enforcement window, the REST API still allows the use of Basic Authentication to authenticate and perform administrative actions...
CVE-2025-56449
Obsidian Scheduler REST API 5.0.0–6.3.0 is affected. The root cause is that accounts locked out due to MFA enforcement can still authenticate via Basic Authentication for administrative actions, allowing creation of a new privileged user and bypassing MFA protections. The issue affects the REST A...
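The failure mode in both CVE-2025-56449 entries is an MFA lockout rule that is evaluated on one credential path (the interactive session) but not on another (HTTP Basic Auth to the REST API). The following is an added example, not Obsidian Scheduler's code; the user store, the 7-day grace rule and the `can_create_admin` stand-in for a privileged REST call are constructed for the demonstration. It shows the gap beside the fix: resolve the principal first, then apply the lockout rule once at a single chokepoint, whatever the credential type.

```python
import base64
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MFA_GRACE = timedelta(days=7)   # the 7-day enforcement window named in the advisory


@dataclass
class User:
    name: str
    password: str               # plaintext only because this is a constructed demo
    is_admin: bool
    mfa_enrolled: bool
    created_at: datetime
    sessions: set = field(default_factory=set)   # session cookies that completed MFA


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed user store: "ops" never enrolled and is well past the window,
# "new" is unenrolled but still inside it, "dev" is enrolled with a live session.
USERS = {
    "ops": User("ops", "hunter2", True, False, NOW - timedelta(days=30)),
    "new": User("new", "welcome1", True, False, NOW - timedelta(days=2)),
    "dev": User("dev", "s3cret", True, True, NOW - timedelta(days=30), {"sess-dev"}),
}


def mfa_locked_out(user: User, now: datetime) -> bool:
    """Lockout rule: enrollment is mandatory once the grace period has elapsed."""
    return not user.mfa_enrolled and now - user.created_at > MFA_GRACE


def basic_header(name: str, password: str) -> dict:
    """Build an HTTP Basic Authorization header for the constructed client."""
    token = base64.b64encode(f"{name}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def _basic_principal(headers: dict) -> Optional[User]:
    """Resolve a Basic Authorization header to a user, or None if it does not verify."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    name, _, password = base64.b64decode(blob).decode().partition(":")
    user = USERS.get(name)
    return user if user and user.password == password else None


def _session_principal(headers: dict) -> Optional[User]:
    cookie = headers.get("Cookie")
    return next((u for u in USERS.values() if cookie in u.sessions), None)


def authenticate_vulnerable(headers: dict, now: datetime) -> Optional[User]:
    """The lockout rule lives only on the session path; Basic Auth never sees it."""
    if "Cookie" in headers:
        user = _session_principal(headers)
        return None if user is None or mfa_locked_out(user, now) else user
    return _basic_principal(headers)      # BUG: locked-out admins still get in here


def authenticate_fixed(headers: dict, now: datetime) -> Optional[User]:
    """Resolve the principal first, then apply the lockout rule once, for every path."""
    user = _session_principal(headers) if "Cookie" in headers else _basic_principal(headers)
    if user is None or mfa_locked_out(user, now):
        return None
    return user


def can_create_admin(authenticate, headers: dict, now: datetime = NOW) -> bool:
    """Stand-in for the privileged REST call the advisory describes."""
    user = authenticate(headers, now)
    return user is not None and user.is_admin
```

The check a practitioner wants from this is the first one in the test below: an account the UI would refuse still passes `authenticate_vulnerable` over Basic Auth and can reach the admin call, while `authenticate_fixed` refuses it on every path and still lets an unenrolled account inside its grace window through.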
SUSE CVE-2025-6013
Vault and Vault Enterprise's "Vault" ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and...
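The Vault entry describes an identity-normalisation gap: the directory treats `alice` and `alice ` as the same person, but an MFA policy keyed on the alias name does not. The following is an added example, not Vault's code, and it does not reproduce Vault's patch; the directory entry with two whitespace-variant `cn` values, the case-insensitive bind, the `MFA_ENFORCED_ALIASES` policy set and the canonicalisation used as the remedy are all constructed assumptions for the demonstration.

```python
from typing import Optional

# Constructed directory: one entry whose multi-valued cn carries the same name with
# and without surrounding spaces, the situation the advisory describes; plus a control.
LDAP_DIRECTORY = [
    {"dn": "cn=alice,ou=people,dc=example,dc=com", "cn": ["alice", "alice ", " alice"]},
    {"dn": "cn=bob,ou=people,dc=example,dc=com", "cn": ["bob"]},
]

# Constructed enforcement policy keyed by entity alias name: only "alice" must do MFA.
MFA_ENFORCED_ALIASES = {"alice"}


def bind(login: str) -> Optional[dict]:
    """Return the entry a directory bind for `login` resolves to (case-insensitive per cn value)."""
    for entry in LDAP_DIRECTORY:
        if any(login.lower() == cn.lower() for cn in entry["cn"]):
            return entry
    return None


def alias_vulnerable(login: str, entry: dict, username_as_alias: bool) -> str:
    # username_as_alias=true: the alias is the name exactly as the user typed it.
    return login if username_as_alias else entry["dn"]


def alias_fixed(login: str, entry: dict, username_as_alias: bool) -> str:
    # Canonicalise (trim, collapse internal spaces, lower-case) before deriving the alias,
    # so every spelling the directory accepts maps to one identity. Assumed remedy.
    raw = login if username_as_alias else entry["dn"]
    return " ".join(raw.split()).lower()


def mfa_required_for_login(login: str, alias_fn, username_as_alias: bool = True) -> Optional[bool]:
    """None if the bind fails; otherwise whether the derived alias hits the enforcement policy."""
    entry = bind(login)
    if entry is None:
        return None
    return alias_fn(login, entry, username_as_alias) in MFA_ENFORCED_ALIASES
```

The useful check is the second assertion below: a login of `alice ` (trailing space) binds successfully, yet with the raw alias the MFA policy never matches, so the same directory identity gets two enforcement outcomes depending on how the name was typed.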
CVE-2025-27538
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not...
CVE-2025-27538 MFA Enforcement Bypass Allows Unauthorized Removal of MFA for Other Users
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not...
CVE-2025-27538
Summary: CVE-2025-27538 affects Mattermost Server versions 10.5.x (≤ 10.5.1) and 9.11.x (≤ 9.11.9). The issue is that MFA checks are not enforced in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user, enabling users with the edit_other_users permission to activate...
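The three CVE-2025-27538 entries describe a check that is conditional on the wrong thing: the MFA verification runs when a user edits their own MFA state but is skipped on the `edit_other_users` path. The following is an added example and is not Mattermost's handler or its fix; the accounts, the "MFA check" modelled as a code that must verify against the target's enrolled secret, and the RFC 4226 HOTP routine used to make that verification concrete are constructed for the demonstration. A real TOTP verifier is the same routine with `counter = unix_time // 30`.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# RFC 4226 test-vector secret, used so the codes in this demo are reproducible.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class User:
    id: str
    permissions: frozenset
    mfa_secret: Optional[bytes]   # None = this user never set up MFA
    mfa_active: bool = False


# Constructed accounts: an admin holding edit_other_users, a user who enrolled a secret,
# and one who never did.
USERS = {
    "admin": User("admin", frozenset({"edit_other_users"}), RFC4226_SECRET, True),
    "carol": User("carol", frozenset(), RFC4226_SECRET, True),
    "bob":   User("bob", frozenset(), None, False),
}


def mfa_code_ok(target: User, code: Optional[str], counter: int) -> bool:
    """The MFA check: the supplied code must verify against the target's enrolled secret."""
    if target.mfa_secret is None or code is None:
        return False
    return hmac.compare_digest(hotp(target.mfa_secret, counter), code)


def update_mfa_vulnerable(requester_id: str, target_id: str, activate: bool,
                          code: Optional[str], counter: int) -> bool:
    """Mirrors the advisory: the MFA check runs only when requester == target."""
    requester, target = USERS[requester_id], USERS[target_id]
    if requester_id != target_id and "edit_other_users" not in requester.permissions:
        return False
    if requester_id == target_id and not mfa_code_ok(target, code, counter):
        return False
    target.mfa_active = activate     # BUG: reached for other users with no code at all
    return True


def update_mfa_fixed(requester_id: str, target_id: str, activate: bool,
                     code: Optional[str], counter: int) -> bool:
    """Same permission gate, but the MFA check applies whoever the requester is."""
    requester, target = USERS[requester_id], USERS[target_id]
    if requester_id != target_id and "edit_other_users" not in requester.permissions:
        return False
    if not mfa_code_ok(target, code, counter):   # also refuses targets with no secret
        return False
    target.mfa_active = activate
    return True
```

The two behaviours the advisory names are the first four assertions below: an admin can switch MFA off for an enrolled user, and on for a user who has no secret, without presenting any code on the vulnerable path; the fixed handler refuses both while still accepting a self-service change backed by a valid code.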
BIT-MATTERMOST-2025-25068
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes...
GHSA-72QV-J8VR-XVFV Mattermost Fails to Enforce MFA on Plugin Endpoints
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes...
CVE-2025-30179 MFA Enforcement Bypass in Search APIs
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries...
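The plugin-endpoint entries (BIT-MATTERMOST-2025-25068, GHSA-72QV-J8VR-XVFV) and the search-API entry (CVE-2025-30179) are the same bug class seen from the routing side: a session that has authenticated but not completed its second factor is let through on routes where the MFA check was never wired in. The following is an added example, not Mattermost's router; the route table, middleware names, the exempt list and the `dispatch` simulation are constructed. It shows the audit a practitioner would run over a route table, and the hardening that attaches the MFA check wherever session authentication is present instead of per handler.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    method: str
    path: str
    middlewares: tuple       # applied in order; "session" = caller must be logged in


@dataclass
class Session:
    user_id: str
    mfa_complete: bool       # False while the second factor is still pending


# Constructed route table: a core endpoint wired correctly, search and plugin routes
# that only received the session check, the MFA enrollment endpoint, and public routes.
ROUTES = (
    Route("POST", "/api/v4/users/login", ("ratelimit",)),
    Route("GET",  "/api/v4/users/me", ("session", "mfa_required")),
    Route("POST", "/api/v4/users/me/mfa/generate", ("session",)),
    Route("POST", "/api/v4/users/search", ("session",)),
    Route("POST", "/api/v4/channels/search", ("session",)),
    Route("POST", "/api/v4/teams/search", ("session",)),
    Route("GET",  "/plugins/com.example.widget/api/data", ("session",)),
    Route("GET",  "/plugins/com.example.widget/static/app.js", ()),
)

# Authenticated routes that must stay reachable before MFA completes (enrollment itself).
MFA_EXEMPT = {("POST", "/api/v4/users/me/mfa/generate")}


def routes_missing_mfa(routes, exempt=MFA_EXEMPT):
    """Audit: every authenticated route must carry mfa_required unless explicitly exempt."""
    return [r for r in routes
            if (r.method, r.path) not in exempt
            and "session" in r.middlewares
            and "mfa_required" not in r.middlewares]


def with_mfa_chokepoint(routes, exempt=MFA_EXEMPT):
    """Hardened table: mfa_required is attached right after session on every non-exempt route."""
    out = []
    for r in routes:
        if (r.method, r.path) not in exempt and "session" in r.middlewares \
                and "mfa_required" not in r.middlewares:
            idx = r.middlewares.index("session") + 1
            r = replace(r, middlewares=r.middlewares[:idx] + ("mfa_required",) + r.middlewares[idx:])
        out.append(r)
    return tuple(out)


def dispatch(routes, method, path, session):
    """Simulate the middleware chain; returns 'ok', 'mfa_pending', 'unauthenticated' or 'not_found'."""
    route = next((r for r in routes if (r.method, r.path) == (method, path)), None)
    if route is None:
        return "not_found"
    for mw in route.middlewares:
        if mw == "session" and session is None:
            return "unauthenticated"
        if mw == "mfa_required" and (session is None or not session.mfa_complete):
            return "mfa_pending"
    return "ok"
```

Run `routes_missing_mfa` against the real route registrations at startup or in CI: a non-empty result is exactly the condition these advisories describe. Keep the exempt list short and explicit, because the enrollment endpoint is the one authenticated route that legitimately has to work before the second factor exists.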
BEC-ware the Phish (part 2): Respond and Remediate Incidents in M365
TL;DR Ensure you can reliably take initial containment actions such as disabling accounts, resetting passwords, and revoking tokens. Token binding ensures that a token only works on the specific device it was issued to, and is currently the best protection against token theft. As a minimum...
5 SaaS Misconfigurations Leading to Major Fu*%@ Ups
With so many SaaS applications, a range of configuration options, API capabilities, endless integrations, and app-to-app connections, the SaaS risk possibilities are endless. Critical organizational assets and data are at risk from malicious actors, data breaches, and insider threats, which pose...
CVE-2023-45140 Group-based JIT MFA bypass on scp and sftp in The Bastion
The Bastion provides authentication, authorization, traceability and auditability for SSH accesses. SCP and SFTP plugins don't honor group-based JIT MFA. Establishing a SCP/SFTP connection through The Bastion via a group access where MFA is enforced does not ask for additional factor. This abnorm...