CVE-2025-27388
Loading arbitrary external URLs through WebView components can introduce malicious JS code that steals arbitrary user tokens...
CVE-2025-0498
CVE-2025-0498 affects Rockwell Automation FactoryTalk AssetCentre, versions prior to V15.00.001. The root cause is insecure storage of FactoryTalk Security user tokens, enabling a threat actor to steal a token and impersonate another user. Documents indicate a data exposure vulnerability with pot...
CVE-2025-0498 Rockwell Automation FactoryTalk® AssetCentre Data Exposure Vulnerability
A data exposure vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The vulnerability exists due to insecure storage of FactoryTalk® Security user tokens, which could allow a threat actor to steal a token and impersonate another user...
YAPI SQL Injection Vulnerability
YAPI is an API management platform. YAPI is vulnerable to SQL injection, which can be exploited by attackers to obtain user tokens and cause command execution...
Design/Logic Flaw
The iTopVPNmini.exe component of iTop VPN 3.2 will try to connect to datastateiTopVPNPipeServer in a loop. An attacker who has opened a named pipe with the same name can use it to gain the token of another user by listening for connections and abusing ImpersonateNamedPipeClient...
first user can steal everyone else's tokens
Handle: egjlmn1. Vulnerability details. Impact: A user who joins the system first (stakes first) can steal everybody's tokens by sending tokens to the system externally. This attack is possible because staking a small amount of tokens is allowed. Proof of Concept: See the following attack: 1. the first...