Many data brokers are failing to register with state consumer protection agencies
Hundreds of data brokers haven't registered with state consumer protection agencies, according to the Electronic Frontier Foundation (EFF) and Privacy Rights Clearinghouse (PRC). There are different kinds of data brokers, but what they all have in common is that they gather personally identifiable...
Yealink RPS Information Disclosure / Man-In-The-Middle
Yealink RPS contains several vulnerabilities that can lead to leaking of PII and/or man-in-the-middle attacks. Some vulnerabilities remain unpatched even after disclosure to the manufacturer...
A Common Pool of Privacy Problems: Legal and Technical Lessons from a Large-Scale Web-Scraped Machine Learning Dataset
We investigate the contents of web-scraped data for training AI systems, at sizes where human dataset curators and compilers no longer manually annotate every sample. Building off of prior privacy concerns in machine learning models, we ask: What are the legal privacy implications of web-scraped...
A vulnerability in the Dynamics 365 FastTrack Implementation software for resource planning in Microsoft Dynamics 365 allows an attacker to disclose sensitive information.
The vulnerability in the Dynamics 365 FastTrack Implementation software for resource planning in Microsoft Dynamics 365 is related to deficiencies in access control for personal information. Exploiting this vulnerability could allow a remote attacker to disclose protected informati...
Omise: PII Exposure via Email Confirmation Link – Email Embedded in Token & Leaked via Wayback Machine
The vulnerability involved the exposure of personally identifiable information (PII), specifically email addresses, through an email confirmation link used by Omise. The email address was embedded directly in a token that was visible in the URL. This token was subsequently archived by the Wayback...
Microsoft Dynamics 365 FastTrack Implementation Security Vulnerability
Microsoft Dynamics 365 FastTrack Implementation is planning software from Microsoft Corporation (USA) that helps in the successful implementation of large and complex Dynamics 365 projects. A security vulnerability exists in Microsoft Dynamics 365 FastTrack Implementation that stems from the...
Scammers hijack websites of Bank of America, Netflix, Microsoft, and more to insert fake phone number
The examples in this post are actual fraud attempts found by Malwarebytes Senior Director of Research, Jérôme Segura. Cybercriminals frequently use fake search engine listings to take advantage of our trust in popular brands, and then scam us. It often starts, as with so many attacks, with a...
Minnesota Shooting Suspect Allegedly Used Data Broker Sites to Find Targets’ Addresses
The shooter allegedly researched several “people search” sites in an attempt to target his victims, highlighting the potential dangers of widely available personal data...
Everyone's on the cyber target list
Welcome to this week's edition of the Threat Source newsletter. I've discovered that being a rent guarantor for someone is an involved experience. While I'm glad that I can help out a loved one secure a better rental property, the process of verifying my identity and ability to cover any missed...
CVE-2024-21666
The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization and marketing automation. An authenticated but unauthorized user can access the list of potential duplicate users and see their data. Permissions are enforced when...
CVE-2024-23674
The Online-Ausweis-Funktion (eID) scheme in the German National Identity card through 2024-02-15 allows authentication bypass by spoofing. A man-in-the-middle attacker can assume a victim's identity for access to government, medical, and financial resources, and can also extract personal data from...
CVE-2024-26138
The XWiki licensor application, which manages and enforces application licenses for paid extensions, includes the document Licenses.Code.LicenseJSON that provides information for admins regarding active licenses. This document is public and thus exposes this information publicly. The information...
CVE-2023-30200
In the module “Image: WebP, Compress, Zoom, Lazy load, Alt & More” (ultimateimagetool) in versions up to 2.1.02 from Advanced Plugins for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack...
CVE-2023-23568
Improper privilege validation in Command Centre Server allows authenticated unprivileged operators to modify and view Personal Data Fields. This issue affects Command Centre: vEL 8.90 prior to vEL8.90.1318 MR1, vEL8.80 prior to vEL8.80.1192 MR2, vEL8.70 prior to vEL8.70.2185 MR4, vEL8.60 prior to...
CVE-2023-46355
In the module "CSV Feeds PRO" (csvfeeds) 2.6.1 from Bl Modules for PrestaShop, a guest can download personal information without restriction. Due to overly permissive access control, which does not force the administrator to set a password on feeds, a guest can access exports from the module, which can lead t...
CVE-2023-0023
In the SAP Bank Account Management (Manage Banks) application, when a user clicks a smart link to navigate to another app, personal data is shown directly in the URL. It might then be captured in log files, bookmarks, and so on, disclosing sensitive data of the application...
CVE-2023-30197
Incorrect Access Control in the module "My inventory" (myinventory) = 1.6.6 from Webbax for PrestaShop allows a guest to download personal information without restriction by performing a path traversal attack...
CVE-2023-6214
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.6 via the purchasedproducts function. This makes it possible for unauthenticated attackers to extract sensitive data including the previous 7...
CVE-2022-41933
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When the "reset a forgotten password" feature of XWiki was used, the password was then stored in plain text in the database. This only concerns XWiki 13.1RC1 and newer versions. Note that it only...
CVE-2022-24689
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages including personal data without being authenticated. The collected information includes the badge numbers that operate as user login...