23 matches found
BIT-PARSE-2026-33409 Parse Server: Auth provider validation bypass on login via partial authData
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the...
CVE-2026-33409
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowin...
CVE-2025-65431
CVE-2025-65431 affects allauth-django prior to 65.13.0. Okta and NetIQ implementations used the mutable identifier preferred_username for third‑party provider accounts; this value should not drive authorization decisions. The vulnerability arises because the identifier used for linking/authorizat...
Mango discloses data breach at third-party provider
Mango has reported a data breach at one of its external marketing service providers. The Spanish fashion retailer says that only personal contact information has been exposed—no financial data. The breach took place at the service provider and did not affect Mango’s own systems. According to the...
EUVD-2021-10342
Malware in sbrugna...
Harrods Data Breach: 430,000 Customer Records Stolen Via Third-Party Attack
Luxury retailer Harrods confirms 430,000 customer records names, contacts were stolen from a third-party provider in the latest UK retail cyberattack wave...
Vulnerability in SICK OLM
SICK received a report about a vulnerability in the SICK Support Portal supportportal.sick.com, which was hosted and operated by a third-party service provider. Due to a misconfiguration, the access restriction of a NFS Network File System storage system has failed, which resulted in temporary...
AT&T Confirms Data Breach Affecting Nearly All Wireless Customers
American telecom service provider AT&T has confirmed that threat actors managed to access data belonging to "nearly all" of its wireless customers as well as customers of mobile virtual network operators MVNOs using AT&T's wireless network. "Threat actors unlawfully accessed an AT&T workspace on ...
Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking
A critical security vulnerability has been disclosed in the Open Authorization OAuth implementation of the application development framework Expo.io. The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs...
GHSA-M7GV-V8XX-V47W XWiki OIDC Authenticator vulnerable to bypassing OpenID login by providing a custom provider
Impact Even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider by providing its details through request parameters. One can then bypass the XWiki authentication altogether by specifying its own provider through the...
XWiki OIDC Authenticator vulnerable to bypassing OpenID login by providing a custom provider
Impact Even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider by providing its details through request parameters. One can then bypass the XWiki authentication altogether by specifying its own provider through the...
XWiki OIDC 授权问题漏洞
XWiki Platform is a suite of Wiki platforms for creating Web collaboration applications from the French company XWiki. A security vulnerability exists in XWiki OIDC versions prior to 1.29.1, which stems from the ability to bypass authentication altogether by providing its details to a third-party...
Security Bulletin: IBM Robotic Process Automation is vulnerable to an issue where an API could be used to perform a DNS lookup via a third party provider.
Summary IBM Robotic Process Automation is vulnerable to an issue where an API could be used to perform a DNS lookup via a third party provider. Vulnerability Details CVEID: CVE-2022-22433 DESCRIPTION: IBM Robotic Process Automation is vulnerable to External Service Interaction attack, caused by...
Broward Breach Highlights Healthcare Supply-Chain Problems
This week’s announcement by Florida’s Broward Health System that the most intimate medical data of 1,357,879 of its patients was breached in the fall should serve as a warning that the healthcare software supply chain will be a juicy target for cybercriminals as we head into 2022, researchers war...
CVE-2021-23243
In Oppo's battery application, the third-party SDK provides the function of loading a third-party Provider, which can be used...
CVE-2021-23243
In Oppo's battery application, the third-party SDK provides the function of loading a third-party Provider, which can be used...
Ubiquiti: Change Your Password, Enable 2FA
Ubiquiti, a major vendor of cloud-enabled Internet of Things IoT devices such as routers, network video recorders, security cameras and access control systems, is urging customers to change their passwords and enable multi-factor authentication. The company says an incident at a third-party cloud...
Synology SRM dnsExit DDNS provider information disclosure vulnerability
Summary An information disclosure vulnerability exists in the dnsExit DDNS provider functionality of Synology SRM 1.2.3 RT2600ac 8017-5. A specially crafted man-in-the-middle attack can steal the dnsExit credentials to take over the registered subdomain. An attacker can impersonate the remote...
DoorDash Breach Exposes 4.9 Million Users' Personal Data
Do you use DoorDash frequently to order your food online? If yes, you are highly recommended to change your account password right now. DoorDash—the popular on-demand food-delivery service—today confirmed a massive data breach that affects almost 5 million people using its platform, including its...
New Relic: Drupal admin takeover via install.php not being performed prior to install.
@grampae discovered an uninitialized Drupal instance running on one of our properties being hosted by a third party provider, an issue we've seen previously. To prevent this issue from surfacing again, we decommissioned the related domains and contacted the provider with details of the issue...