Lucene search

19 matches found

OSV
added 2026/05/14 4:18 p.m., 0 views

GHSA-6H4J-WCR9-2VG7 n8n Has a Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints

Impact: The OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential...

CVSS 8.3, AI score 5.8
Exploits 0, References 2
Vulnrichment
added 2026/02/24 3:58 p.m., 2 views

CVE-2025-13776 Hard-coded database credentials in Finka software

Multiple Finka programs use hard-coded Firebird database credentials shared across all instances of this software. A malicious attacker on the local network who knows the default credentials is able to read and edit database content. This vulnerability has been fixed in version: Finka-FK 18.5, Finka-KPR...

CVSS 8.6, AI score 5.4, EPSS 0.00021
Exploits 0, References 2
Cvelist
added 2025/12/02 9:7 p.m., 4 views

CVE-2025-61940 Mirion Medical EC2 Software NMIS BioDose Use of Client-Side Authentication

NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database. User access in the client application is restricted by a password authentication check in the client software, but the underlying database connection always has access. The latest...

CVSS 8.7, EPSS 0.00071
Exploits 0, References 1
Snyk
added 2025/11/07 11:41 p.m., 3 views

Improper Certificate Validation

Overview: Affected versions of this package are vulnerable to Improper Certificate Validation due to insufficient peer verification logic in the verifyPeerCert function. An attacker can impersonate privileged API components and execute unauthorized operations by compromising a single instance and...

CVSS 6.5, AI score 5.5, EPSS 0.0002
Exploits 1, References 2
Positive Technologies
added 2025/11/06 12:0 a.m., 1 views

PT-2025-45512

Name of the Vulnerable Software and Affected Versions: KubeVirt versions prior to 1.5.3; KubeVirt versions prior to 1.6.1. Description: KubeVirt is a virtual machine management add-on for Kubernetes. A flaw exists in the peer verification logic within virt-handler via the verifyPeerCert function. An...

CVSS 6.3, AI score 5.4, EPSS 0.0002
Exploits 1, References 13
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2019-3516

Malware in sbrugna...

CVSS 5.5, AI score 4.9, EPSS 0.00021
Exploits 0, References 2
CVE
added 2025/09/22 3:57 p.m., 16 views

CVE-2025-35042

CVE-2025-35042 affects Airship AI Acropolis. A default administrative account with identical credentials across installations allows remote login and privilege escalation if the password is not changed. Affected versions prior to fixes are vulnerable; remediation is to upgrade to 10.2.35, 11.0.21...

CVSS 9.8, AI score 6.8, EPSS 0.00185
Exploits 0, References 2, Affected Software 1
OSV
added 2025/09/05 6:15 p.m., 1 views

CVE-2025-35452

PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use default, shared credentials for the administrative web interface...

CVSS 9.2, AI score 5.8, EPSS 0.00219
Exploits 1, References 5
Positive Technologies
added 2025/09/05 12:0 a.m., 1 views

PT-2025-36321

Name of the Vulnerable Software and Affected Versions: PTZOptics and ValueHD-based pan-tilt-zoom cameras (affected versions not specified). Description: PTZOptics and ValueHD-based pan-tilt-zoom cameras utilize default, shared credentials for the administrative web interface. This allows unauthorize...

CVSS 9.8, AI score 6.2, EPSS 0.00219
Exploits 1, References 9
OSV
added 2025/06/04 5:15 p.m., 0 views

CVE-2025-20286

A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configuration...

CVSS 9.8, AI score 5.9, EPSS 0.00178
Exploits 0, References 1
CVE
added 2025/06/04 4:18 p.m., 116 views

CVE-2025-20286

CVE-2025-20286 concerns Cisco Identity Services Engine (ISE) deployed on cloud platforms (AWS, Azure, OCI). The root cause is improper credential generation that causes different ISE deployments to use the same credentials when the software release and cloud platform are identical. An unauthentica...

CVSS 9.9, AI score 9.4, EPSS 0.00178
Exploits 0, References 1, Affected Software 1
Akamai Blog
added 2025/04/14 6:0 a.m., 5 views

Sharing Is (Not) Caring: How Shared Credentials Open the Door to Breaches

...

AI score 7.3
Exploits 0
CVE
added 2025/03/06 2:1 p.m., 68 views

CVE-2024-13893

Summary of CVE-2024-13892 / CVE-2024-13893 / CVE-2024-13894 (Smartwares CIP-37210AT, C724IP and similar firmware up to 3.3.0): CVE-2024-13892 (NVD/Red Hat): Command injection vulnerability during initialization when a mobile app provides AP credentials. Input is not properly sanitized. Patch stat...

CVSS 7.5, AI score 7.4, EPSS 0.00048
Exploits 0, References 2
Vulnrichment
added 2025/03/06 2:1 p.m., 5 views

CVE-2024-13893 Shared credentials in Smartwares cameras

Smartwares cameras CIP-37210AT and C724IP, as well as others which share the same firmware in versions up to 3.3.0, might share the same credentials for the telnet service. The hash of the password can be retrieved through physical access to SPI-connected memory. For the telnet service to be enabled, the...

CVSS 7.5, AI score 7.4, EPSS 0.00048
Exploits 0, References 2
OSV
added 2022/09/21 8:15 p.m., 1 views

CVE-2022-28802

Code by Zapier before 2022-08-17 allowed intra-account privilege escalation that included execution of Python or JavaScript code. In other words, Code by Zapier was providing a customer-controlled general-purpose virtual machine that unintentionally granted full access to all users of a company's...

CVSS 9.9, AI score 5.9, EPSS 0.00721
Exploits 0, References 2
IBM Security Bulletins
added 2021/09/17 9:18 p.m., 14 views

Security Bulletin: IBM Cloud Pak for Data could allow a local user with special privileges to obtain highly sensitive information

Summary: Cloud Pak for Data "shared credentials" are available to authorized users. However, because the credentials are shared, it is difficult to audit access to the connection, to identify the source of data loss, or to identify the source of a security breach. You can apply a patch to disable thi...

CVSS 4.4, AI score 1.8, EPSS 0.00046
Exploits 0, Affected Software 1
OSV
added 2020/08/21 7:15 p.m., 0 views

CVE-2019-11856

A nonce reuse vulnerability exists in the ACEView service of ALEOS before 4.13.0, 4.9.5, and 4.4.9, allowing message replay. Captured traffic to the ACEView service can be replayed to other gateways sharing the same credentials...

CVSS 3.8, AI score 5.8
Exploits 0, References 1
ThreatPost
added 2018/09/14 4:9 p.m., 9 views

Five Weakest Links in Cybersecurity That Target the Supply Chain

Matan Or-El, co-founder and CEO at Panorays. Third-party breaches have become an epidemic as cybercriminals target the weakest link. Organizations such as BestBuy, Sears, Delta and even NYU Medical Center are just a few that have felt the impact of cyberattacks through third-party vendors. The...

AI score 0.3
Exploits 0, References 6
ThreatPost
added 2009/04/15 5:29 p.m., 8 views

Verizon Data Breach Report Reveals Depth of Breach Problem

Last night, the fine folks at Verizon posted the 2009 version of the DBIR. I haven't had time to do a full deep dive yet, but I thought I'd share my initial notes in the meantime. Stuff in italics is from the DBIR, regular text is me: 81 percent of organizations subject to PCI DSS had not been...

AI score 7.7
Exploits 0, References 2