1357 matches found

EUVD
added 2025/12/04 8:38 p.m.

EUVD-2025-201281

The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...

CVSS 8.6 | AI score 6.6 | EPSS 0.00098
Exploits: 0 | References: 3
CNNVD
added 2025/12/04 12:00 a.m.

Ping Identity One-Time Passcode Integration Kit for PingFederate Security Vulnerability

Ping Identity One-Time Passcode Integration Kit for PingFederate is a suite of software tools and adapters from the US company Ping Identity. A security vulnerability exists in Ping Identity One-Time Passcode Integration Kit for PingFederate that stems from not properly validating the HTTP method and state,...

CVSS 8.6 | AI score 6.6 | EPSS 0.00098
Exploits: 0 | References: 2
Positive Technologies
added 2025/12/04 12:00 a.m.

PT-2025-49136

The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...

CVSS 8.6 | AI score 7.1 | EPSS 0.00098
Exploits: 0 | References: 3
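The three entries above (EUVD-2025-201281, the CNNVD record and PT-2025-49136) describe one defect: the OTP step accepts any HTTP method and moves the flow forward without checking the submitted code. The following is an added illustration in Go of that state machine written both ways; it is not PingFederate or Ping Identity code, and the adapter, the in-memory session store and the `maxTries` lockout are assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"sync"
)

// Added example, not PingFederate code: a minimal OTP verification step
// written two ways, one with the missing checks and one with them.

type authState int

const (
	stateNone          authState = iota // no flow in progress
	stateOTPPending                     // OTP issued, not yet verified
	stateAuthenticated                  // second factor satisfied
)

type session struct {
	state       authState
	expectedOTP string // assumption: code issued to the user, held server-side
	attempts    int
}

type otpAdapter struct {
	mu       sync.Mutex
	sessions map[string]*session
	maxTries int // assumption: lockout threshold for wrong codes
}

var errDenied = errors.New("otp verification denied")

func newAdapter() *otpAdapter {
	return &otpAdapter{sessions: map[string]*session{}, maxTries: 5}
}

// startOTP records that an OTP was issued and the flow now waits for it.
func (a *otpAdapter) startOTP(sessionID, code string) {
	a.mu.Lock()
	defer a.mu.Unlock()
	a.sessions[sessionID] = &session{state: stateOTPPending, expectedOTP: code}
}

// vulnerableVerify reproduces the defect the advisories describe: the method
// is not checked, the current flow state is not checked, and the state is
// advanced without verifying the submitted code at all.
func (a *otpAdapter) vulnerableVerify(sessionID, method, submitted string) (authState, error) {
	a.mu.Lock()
	defer a.mu.Unlock()
	s, ok := a.sessions[sessionID]
	if !ok {
		return stateNone, errDenied
	}
	s.state = stateAuthenticated // MFA bypass: any request that reaches here wins
	return s.state, nil
}

// hardenedVerify only accepts POST, only acts on a session that is actually
// waiting for an OTP, compares the code in constant time, counts failures
// and consumes the code so it cannot be replayed.
func (a *otpAdapter) hardenedVerify(sessionID, method, submitted string) (authState, error) {
	if method != http.MethodPost {
		return stateNone, errDenied
	}
	a.mu.Lock()
	defer a.mu.Unlock()
	s, ok := a.sessions[sessionID]
	if !ok || s.state != stateOTPPending {
		return stateNone, errDenied
	}
	if s.attempts >= a.maxTries {
		return s.state, errDenied
	}
	s.attempts++
	if subtle.ConstantTimeCompare([]byte(submitted), []byte(s.expectedOTP)) != 1 {
		return s.state, errDenied
	}
	s.state = stateAuthenticated
	s.expectedOTP = "" // single use: a second POST with the same code is denied
	return s.state, nil
}

func main() {
	a := newAdapter()
	a.startOTP("sess-1", "482913") // constructed sample code
	st, err := a.vulnerableVerify("sess-1", http.MethodGet, "")
	fmt.Println("vulnerable, GET with no code authenticated:", st == stateAuthenticated, err)
	a.startOTP("sess-2", "482913")
	_, err = a.hardenedVerify("sess-2", http.MethodGet, "482913")
	fmt.Println("hardened, GET rejected:", err)
	st, err = a.hardenedVerify("sess-2", http.MethodPost, "482913")
	fmt.Println("hardened, POST with right code authenticated:", st == stateAuthenticated, err)
}
```

The check on `s.state` is the "state validation" the advisories mention: a verify request is only meaningful while the session is waiting for a code, so a session that is still at the password step, or one that already finished, must be refused rather than advanced.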
Malwarebytes
added 2025/12/03 3:44 p.m.

Attackers have a new way to slip past MFA in educational orgs

Researchers are warning about a rise in cases of attackers using Evilginx to steal session cookies among educational institutions, letting them bypass the need for a multi-factor authentication (MFA) token. Evilginx is an attacker-in-the-middle phishing toolkit that sits between you and the real...

AI score 7
Exploits: 0
The Hacker News
added 2025/11/26 4:29 a.m.

FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams

The U.S. Federal Bureau of Investigation (FBI) has warned that cybercriminals are impersonating financial institutions with the aim of stealing money or sensitive information to facilitate account takeover (ATO) fraud schemes. The activity targets individuals, businesses, and organizations of varied size...

CVSS 9.8 | AI score 8.8 | EPSS 0.90862
Exploits: 22
Tenable Nessus
added 2025/11/25 12:00 a.m.

Linux Distros Unpatched Vulnerability : CVE-2025-62398

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising...

CVSS 5.4 | AI score 5.5 | EPSS 0.00069
Exploits: 0 | References: 2
OSV
added 2025/11/18 3:34 p.m.

GO-2025-4130 Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server

Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server...

CVSS 4.9 | AI score 6.9 | EPSS 0.00049
Exploits: 0 | References: 8
OSV
added 2025/11/17 11:47 p.m.

BIT-MOODLE-2025-62398 Moodle: possible to bypass mfa

A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising user accounts...

CVSS 5.4 | AI score 6.9 | EPSS 0.00069
Exploits: 0 | References: 3
OSV
added 2025/11/17 7:11 p.m.

GO-2025-4128 Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server

Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server...

CVSS 7.5 | AI score 6.6 | EPSS 0.0017
Exploits: 0 | References: 4
Hive Pro Threat Advisories
added 2025/11/15 10:11 p.m.

7 Steps for Securing Generative AI in Enterprises

Think of your AI strategy like building a skyscraper. You wouldn't construct twenty floors and then try to figure out where the foundation should go. Security must be part of the blueprint from the very beginning. Bolting on security measures after an AI model is already in use is a recipe for...

CVSS 6.5 | AI score 7.5 | EPSS 0.91891
Exploits: 2
RedhatCVE
added 2025/11/15 8:40 a.m.

CVE-2025-55070

Mattermost versions 11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events...

CVSS 7.5 | AI score 6.9 | EPSS 0.0017
Exploits: 0 | References: 1
Github Security Blog
added 2025/11/14 10:09 p.m.

Memos' Access Tokens Stay Valid after User Password Change

Summary Access Tokens are used to authenticate application access. When a user changes their password, the existing list of Access Tokens stay valid instead of expiring. If a user finds that their account has been compromised, they can update their password. The bad actor though will still have...

CVSS 7.5 | AI score 7 | EPSS 0.00052
Exploits: 1 | References: 6 | Affected software: 1
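The fix for the class of issue in the entry above is to bind every access token to the credential state it was issued under, so that a password change invalidates everything issued before it. The following is an added Go illustration, not Memos code; the in-memory store, the `passwordVersion` counter and the `checkVersion` switch that reproduces the reported behaviour are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Added example, not Memos code: access tokens carry the password version
// they were issued under, and a password change bumps that version.

type account struct {
	passwordVersion uint64 // incremented on every password change; the hash itself is out of scope
}

type accessToken struct {
	userID  string
	version uint64 // account.passwordVersion at issuance
}

type tokenStore struct {
	mu       sync.Mutex
	accounts map[string]*account
	tokens   map[string]accessToken // opaque token value -> record
}

var errInvalidToken = errors.New("invalid or revoked access token")

func newTokenStore() *tokenStore {
	return &tokenStore{accounts: map[string]*account{}, tokens: map[string]accessToken{}}
}

func (s *tokenStore) addUser(userID string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.accounts[userID] = &account{}
}

// issue creates a 128-bit random opaque token bound to the current password version.
func (s *tokenStore) issue(userID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	acct, ok := s.accounts[userID]
	if !ok {
		return "", errors.New("unknown user")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.tokens[tok] = accessToken{userID: userID, version: acct.passwordVersion}
	return tok, nil
}

// changePassword records the new credential state. Storing the new hash is
// omitted here; the version bump is what revokes outstanding tokens.
func (s *tokenStore) changePassword(userID string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if acct, ok := s.accounts[userID]; ok {
		acct.passwordVersion++
	}
}

// authenticate resolves a token to a user. checkVersion=false reproduces the
// reported behaviour: a token stays valid after the password changes.
func (s *tokenStore) authenticate(tok string, checkVersion bool) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.tokens[tok]
	if !ok {
		return "", errInvalidToken
	}
	acct, ok := s.accounts[rec.userID]
	if !ok {
		return "", errInvalidToken
	}
	if checkVersion && rec.version != acct.passwordVersion {
		delete(s.tokens, tok) // issued before the change: revoke it outright
		return "", errInvalidToken
	}
	return rec.userID, nil
}

func main() {
	s := newTokenStore()
	s.addUser("alice")
	tok, _ := s.issue("alice")
	s.changePassword("alice")
	_, errOld := s.authenticate(tok, false)
	_, errNew := s.authenticate(tok, true)
	fmt.Println("without version check, old token accepted:", errOld == nil)
	fmt.Println("with version check, old token rejected:", errNew != nil)
}
```

A version counter is cheaper than walking the token table at change time and also covers tokens the server has not yet seen (for instance ones replicated from another node), since the check happens at use rather than at revocation.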
Snyk
added 2025/11/14 9:11 p.m.

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication via the checkAutoLinking function: when auto-linking was enabled for an IdP, there was no verification to ensure that linking to the identified user was permitted. An attacker can gain unauthorized access to an...

CVSS 9.8 | AI score 7.1 | EPSS 0.00817
Exploits: 0 | References: 2
EUVD
added 2025/11/14 12:30 p.m.

EUVD-2025-197607

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/userid/email/verify/member endpoint...

CVSS 4.9 | AI score 6.5 | EPSS 0.00049
Exploits: 0 | References: 2
OSV
added 2025/11/14 12:30 p.m.

GHSA-MQP8-PGG5-7X7M Mattermost allows system administrators to access password hashes and MFA secrets

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/userid/email/verify/member endpoint...

CVSS 4.9 | AI score 6.8 | EPSS 0.00049
Exploits: 0 | References: 8
Snyk
added 2025/11/14 11:41 a.m.

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the POST /api/v4/users/userid/email/verify/member endpoint. An attacker can obtain sensitive information, such as password hashes and MFA secrets, by sending crafted requests to this endpoint. Remediation Upgrad...

CVSS 6.9 | AI score 6.9 | EPSS 0.00049
Exploits: 0 | References: 2
NVD
added 2025/11/14 11:15 a.m.

CVE-2025-11794

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/userid/email/verify/member endpoint...

CVSS 4.9 | EPSS 0.00049
Exploits: 0 | References: 1
OSV
added 2025/11/14 11:15 a.m.

CVE-2025-11794

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/userid/email/verify/member endpoint...

CVSS 4.9 | AI score 6.9
Exploits: 0 | References: 1
Vulnrichment
added 2025/11/14 10:45 a.m.

CVE-2025-11794 Password hash and MFA secret returned in user email verification endpoint

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/userid/email/verify/member endpoint...

CVSS 4.9 | AI score 6.6 | EPSS 0.00049
Exploits: 0 | References: 1
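The six entries above (EUVD-2025-197607, GHSA-MQP8-PGG5-7X7M, the Snyk record and the three CVE-2025-11794 records) are one Mattermost issue seen through different trackers: an endpoint returned the stored user record without stripping the fields that must never leave the server. The following is an added Go illustration of the leaking and the sanitized response, plus a check that can be run against any endpoint's body in tests. It is not Mattermost's `User` model or its sanitization code; the struct, the handler, the `leaksSecrets` helper and the placeholder hash and secret values are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Added example, not Mattermost code: a stored user record, the response that
// leaks it, the sanitized response, and a check usable in endpoint tests.

type User struct {
	ID        string `json:"id"`
	Email     string `json:"email"`
	Password  string `json:"password,omitempty"`   // password hash as stored
	MfaSecret string `json:"mfa_secret,omitempty"` // TOTP seed as stored
	MfaActive bool   `json:"mfa_active"`
}

// Sanitize returns a copy with every server-only field cleared. Because the
// json tags use omitempty, cleared fields disappear from the body entirely.
func (u User) Sanitize() User {
	u.Password = ""
	u.MfaSecret = ""
	return u
}

// constructed sample record; the hash and secret are placeholders, not real values
var stored = User{
	ID:        "u1",
	Email:     "alice@example.test",
	Password:  "$2a$10$placeholderhashvalue",
	MfaSecret: "JBSWY3DPEHPK3PXP",
	MfaActive: true,
}

// verifyHandler stands in for the endpoint; sanitize=false reproduces the
// defect of encoding the stored record as-is.
func verifyHandler(sanitize bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u := stored
		if sanitize {
			u = u.Sanitize()
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(u)
	})
}

// leaksSecrets reports whether a JSON body carries a password hash or MFA
// secret under a top-level key. It fails closed on unparseable input.
func leaksSecrets(body []byte) bool {
	var m map[string]any
	if err := json.Unmarshal(body, &m); err != nil {
		return true
	}
	for _, k := range []string{"password", "mfa_secret"} {
		if v, ok := m[k]; ok && v != "" {
			return true
		}
	}
	return false
}

// responseBody drives the handler the way a test would and returns the body.
func responseBody(sanitize bool) []byte {
	req := httptest.NewRequest(http.MethodPost, "/api/v4/users/u1/email/verify/member", nil)
	rr := httptest.NewRecorder()
	verifyHandler(sanitize).ServeHTTP(rr, req)
	return rr.Body.Bytes()
}

func main() {
	fmt.Println("unsanitized body leaks secrets:", leaksSecrets(responseBody(false)))
	fmt.Println("sanitized body leaks secrets:  ", leaksSecrets(responseBody(true)))
}
```

The defect pattern is that a rarely used endpoint took a different code path from the main user endpoints and skipped the sanitization step. A check like `leaksSecrets` run over every handler that can emit a user object catches the next such path; a stricter design keeps the hash and secret off the API struct altogether with a separate response type, so there is no step to forget.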
Github Security Blog
added 2025/11/14 9:30 a.m.

Mattermost does not enforce MFA on WebSocket connections

Mattermost versions 11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events...

CVSS 7.5 | AI score 6.9 | EPSS 0.0017
Exploits: 0 | References: 4 | Affected software: 2
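This entry, GO-2025-4128 and CVE-2025-55070 above are the same Mattermost issue: a session that had not completed MFA was refused by the REST API but still accepted at the WebSocket endpoint, so events kept flowing to it. The following is an added Go illustration of applying one gate to the upgrade request; it is not Mattermost code, the session store, the `mfaRequired` policy lookup and the bearer-token header are assumptions for the example, and the protocol upgrade itself is left out because it needs a WebSocket library.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Added example, not Mattermost code: the WebSocket upgrade handler applies
// the same MFA gate as the REST API instead of accepting any session token.

type Session struct {
	UserID      string
	MFAVerified bool // second factor completed for this session
}

type Store struct {
	sessions    map[string]Session // token -> session
	mfaRequired map[string]bool    // userID -> MFA enforced (assumption: policy lookup)
}

// requireSession resolves the bearer token; with enforceMFA=false it mirrors
// the defect, where a session that never completed MFA still gets through.
func (s *Store) requireSession(r *http.Request, enforceMFA bool) (Session, int) {
	token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	sess, ok := s.sessions[token]
	if !ok {
		return Session{}, http.StatusUnauthorized
	}
	if enforceMFA && s.mfaRequired[sess.UserID] && !sess.MFAVerified {
		return Session{}, http.StatusForbidden
	}
	return sess, http.StatusOK
}

// websocketHandler gates the upgrade. The actual protocol switch would follow
// the gate and is omitted here.
func (s *Store) websocketHandler(enforceMFA bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sess, code := s.requireSession(r, enforceMFA)
		if code != http.StatusOK {
			http.Error(w, http.StatusText(code), code)
			return
		}
		// upgrade would happen here; events for sess.UserID then flow over the socket
		w.Header().Set("X-User-ID", sess.UserID)
		w.WriteHeader(http.StatusOK)
	})
}

// upgradeStatus drives the handler with a given token and returns the status.
func (s *Store) upgradeStatus(token string, enforceMFA bool) int {
	req := httptest.NewRequest(http.MethodGet, "/api/v4/websocket", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rr := httptest.NewRecorder()
	s.websocketHandler(enforceMFA).ServeHTTP(rr, req)
	return rr.Code
}

// sampleStore is constructed data: bob must use MFA but has not completed it.
func sampleStore() *Store {
	return &Store{
		sessions: map[string]Session{
			"tok-alice": {UserID: "alice", MFAVerified: true},
			"tok-bob":   {UserID: "bob", MFAVerified: false},
		},
		mfaRequired: map[string]bool{"alice": true, "bob": true},
	}
}

func main() {
	s := sampleStore()
	fmt.Println("bob, no MFA gate:   ", s.upgradeStatus("tok-bob", false))
	fmt.Println("bob, MFA enforced:  ", s.upgradeStatus("tok-bob", true))
	fmt.Println("alice, MFA enforced:", s.upgradeStatus("tok-alice", true))
}
```

The point of routing both the REST handlers and the upgrade through one `requireSession` is that a second transport cannot quietly end up with a weaker check; the same applies to any later transport (long-polling, gRPC streaming) bolted onto the same session table.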