CVE-2026-40485

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint /api/public/user/login returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An...

CVE-2026-40485

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint /api/public/user/login returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An...

ChurchCRM 安全漏洞

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the public API login endpoint returning distinguishable HTTP response codes, which could lead to username enumeration attacks...

CVE-2026-24097

Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 EOL allows authenticated users to enumerate existing hosts by observing different HTTP response codes in agent-receiver/registerexisting endpoint, which could lead to information disclosure...

EUVD-2025-22929

Malicious code in bioql PyPI...

A week in security (August 4 – August 10)

Last week on Malwarebytes Labs: Adult sites trick users into Liking Facebook posts using a clickjack Trojan Facebook users targeted in ‘login’ phish TeaOnHer, the male version of Tea, is leaking personal information on its users too How Google, Adidas, and more were breached in a Salesforce scam...

CVE-2025-2297

Prior to version 25.4.270.0, a local authenticated attacker can manipulate user profile files to add illegitimate challenge response codes into the local user registry under certain conditions. This allows users with the ability to edit their user profile files to elevate their privileges to...

CVE-2025-2297

BeyondTrust Privilege Management for Windows before version 25.4.270.0 is affected by CVE-2025-2297, where a locally authenticated user can modify their own profile files to inject illegitimate challenge response codes into the local registry, enabling elevation to Administrator. Remediation from...

CVE-2025-24391

A vulnerability in the External Interface of OTRS allows conclusions to be drawn about the existence of user accounts through different HTTP response codes and messages. This enables an attacker to systematically identify valid email addresses. This issue affects: OTRS 7.0.X OTRS 8.0.X OTRS 2023....

CVE-2025-24391

A vulnerability in the External Interface of OTRS allows conclusions to be drawn about the existence of user accounts through different HTTP response codes and messages. This enables an attacker to systematically identify valid email addresses. This issue affects: OTRS 7.0.X OTRS 8.0.X OTRS 2023....

CVE-2025-24391 Possible user enumeration

A vulnerability in the External Interface of OTRS allows conclusions to be drawn about the existence of user accounts through different HTTP response codes and messages. This enables an attacker to systematically identify valid email addresses. This issue affects: OTRS 7.0.X OTRS 8.0.X OTRS 2023....

CVE-2025-24391

OTRS exposes an user-enumeration flaw via its External Interface affecting OTRS 7.0.X, 8.0.X, 2023.X, 2024.X, and 2025.X. Attackers can infer valid email addresses from differing HTTP response codes/messages, per multiple sources (e.g., Red Hat, SUSE, PT-2025-29438). CVSS 3.1 impact: LOW confiden...

CVE-2025-24391 Possible user enumeration

A vulnerability in the External Interface of OTRS allows conclusions to be drawn about the existence of user accounts through different HTTP response codes and messages. This enables an attacker to systematically identify valid email addresses. This issue affects: OTRS 7.0.X OTRS 8.0.X OTRS 2023....

CVE-2020-11576

Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid non-SSO accounts because /api/v1/session returned 401 for an existing username and 404 otherwise...

Astra Linux - уязвимость в firefox, thunderbird

Scanning certain QR codes that included text with a website URL could allow the URL to be opened without presenting the user with a confirmation alert first This vulnerability affects Firefox for iOS 136...

UBUNTU-CVE-2025-27425

Scanning certain QR codes that included text with a website URL could allow the URL to be opened without presenting the user with a confirmation alert first This vulnerability affects Firefox for iOS 136...

CVE-2024-57778

An issue in Orbe ONetView Roeador Onet-1200 Orbe 1680210096 allows a remote attacker to escalate privileges via the servers response from status code 500 to status code 200...

Account Enumeration

umbraco.cms is vulnerable to Account Enumeration. The vulnerability is due to discrepancies in response codes and the timing of Umbraco management API responses, which allow attackers to infer the existence of specific accounts...

GHSA-HMG4-WWM5-P999 Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes

Impact Based on an analysis of response codes and timing of Umbraco 14+ management API responses, it's possible to determine whether an account exists. Patches Patched in 14.3.2 and 15.1.2. Workarounds None available...

Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes

Impact Based on an analysis of response codes and timing of Umbraco 14+ management API responses, it's possible to determine whether an account exists. Patches Patched in 14.3.2 and 15.1.2. Workarounds None available...