Tag

Security Flaw

All articles tagged with #security flaw

Major React Native Security Flaws Endanger Millions of Developers
security · 3 months ago

A critical vulnerability in the '@react-native-community/cli' npm package, used by millions of developers, allowed unauthenticated remote attackers to execute arbitrary OS commands on a developer's machine through the Metro development server that the CLI starts. The flaw, tracked as CVE-2025-11953 with a CVSS score of 9.8, is fixed in version 20.0.0, a reminder that dependency scanning in the software supply chain has to cover development tooling as well as the code that ships in the app.
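As an added example (not code from the article or from the React Native project): a small lockfile scanner that flags vulnerable copies of the package named above. It assumes the project uses a package-lock.json with the lockfile v2/v3 "packages" map, compares every installed version of `@react-native-community/cli` against the fixed release 20.0.0 with semver ordering (prereleases of 20.0.0 count as older), and reports nested copies pulled in by other dependencies. The lockfile in the block is constructed for the demo; the package name is a parameter so the same check can be run for the CLI's companion packages.

```python
"""Scan an npm lockfile for vulnerable @react-native-community/cli installs.

Added example, not from the article or the React Native project. Reads the
"packages" map of a package-lock.json (lockfile version 2 or 3) and reports
every copy of the package, including nested ones, whose version sorts below
the fixed release 20.0.0. The lockfile at the bottom is constructed.
"""
import json
import re

AFFECTED_PACKAGE = "@react-native-community/cli"
FIXED_VERSION = "20.0.0"   # first fixed release per the advisory

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def semver_key(version):
    """Sortable key for a semver string.

    Releases sort after prereleases of the same major.minor.patch
    (so 20.0.0-alpha.2 < 20.0.0), which is what npm does. Ordering between
    two prereleases is a plain string compare here, which is enough when
    the comparison target is a release.
    """
    match = _SEMVER.match(version.strip().lstrip("v"))
    if not match:
        raise ValueError(f"not a semver version: {version!r}")
    major, minor, patch, pre = match.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True if `version` is older than the first fixed release."""
    return semver_key(version) < semver_key(fixed)


def find_vulnerable_installs(lockfile_text, package=AFFECTED_PACKAGE):
    """Return [(install_path, version), ...] for vulnerable copies of `package`.

    Keys in the lockfile's "packages" map are node_modules paths, e.g.
    "node_modules/@react-native-community/cli" for a top-level install or
    "node_modules/some-tool/node_modules/@react-native-community/cli" for a
    nested copy that a dependency pulled in.
    """
    lock = json.loads(lockfile_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfile v1 has no 'packages' map; regenerate with npm install")
    suffix = "node_modules/" + package
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path.endswith(suffix):
            continue
        version = meta.get("version")
        if version and is_vulnerable(version):
            hits.append((path, version))
    return hits


# Constructed sample lockfile: one top-level install, one nested prerelease,
# one nested copy that is already on the fixed release.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/@react-native-community/cli": {"version": "15.0.1", "dev": True},
        "node_modules/legacy-tool/node_modules/@react-native-community/cli": {
            "version": "20.0.0-alpha.2"},
        "node_modules/other/node_modules/@react-native-community/cli": {"version": "20.0.0"},
    },
})

if __name__ == "__main__":
    for path, version in find_vulnerable_installs(SAMPLE_LOCKFILE):
        print(f"VULNERABLE {version:>14}  {path}")
```

Run it against a real lockfile with `find_vulnerable_installs(open("package-lock.json").read())`; a nested hit means a transitive dependency is pinning the old CLI and `npm ls @react-native-community/cli` will show which one.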

Partiful Did Not Remove GPS Data from User Photos, Exclusive
technology · 4 months ago

The social event app Partiful was found to be storing user-uploaded photos with their EXIF metadata intact, including embedded GPS coordinates, so anyone who could fetch a photo could learn where it was taken. After TechCrunch reported the flaw, Partiful stripped the metadata from existing photos and said it is conducting ongoing security reviews. The incident highlights the importance of proper data handling in social apps: metadata should be removed at upload time, not after a disclosure.
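As an added example (not Partiful's code, and independent of any image library): the metadata-stripping step the fix implies, done on the raw JPEG container. It walks the marker segments ahead of the image data, drops the APP1 segment carrying the Exif block (where GPS coordinates are stored), and copies everything else verbatim; a second function parses the Exif TIFF directory to confirm whether a GPS sub-directory is present, so the check can be run before and after stripping. The sample JPEG is constructed inside the block (a valid marker layout with dummy scan data, not a real photograph).

```python
"""Detect and strip Exif metadata (including GPS) from JPEG bytes.

Added example, not Partiful's code. Works on the JPEG segment structure
directly: SOI, then length-prefixed segments until SOS, then scan data.
The sample file at the bottom is constructed by hand for the demo.
"""
import struct

SOI, EOI, SOS, APP0, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE0, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER_TAG = 0x8825   # IFD0 entry that points at the GPS IFD


def iter_segments(jpeg):
    """Yield (marker, start, end) for each segment before SOS.

    start..end covers the whole segment (marker, length, payload). Raises
    ValueError on a malformed header instead of guessing.
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = (jpeg[pos] << 8) | jpeg[pos + 1]
        if marker == SOS:              # entropy-coded data follows; stop
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, end
        pos = end
    raise ValueError("no SOS marker found")


def strip_exif(jpeg):
    """Return a copy of `jpeg` with every APP1/Exif segment removed."""
    out = bytearray(jpeg[:2])
    resume = 2
    for marker, start, end in iter_segments(jpeg):
        resume = end
        payload = jpeg[start + 4:end]
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            continue                   # drop the metadata segment
        out += jpeg[start:end]
    out += jpeg[resume:]               # SOS onward is copied verbatim
    return bytes(out)


def has_gps_ifd(jpeg):
    """True if an Exif segment's IFD0 contains the GPS IFD pointer tag."""
    for marker, start, end in iter_segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != APP1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
            raise ValueError("malformed TIFF header in Exif segment")
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        if ifd0 + 2 > len(tiff):
            raise ValueError("IFD0 offset outside Exif segment")
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):
            entry = ifd0 + 2 + 12 * i
            if entry + 12 > len(tiff):
                raise ValueError("truncated IFD0")
            if struct.unpack(endian + "H", tiff[entry:entry + 2])[0] == GPS_IFD_POINTER_TAG:
                return True
    return False


def _build_sample_jpeg():
    """Constructed input: SOI, APP0/JFIF, APP1/Exif with a GPS IFD, dummy SOS, EOI."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4          # IFD0 = count, 1 entry, next-IFD link
    tiff = b"MM" + struct.pack(">HI", 42, ifd0_off)
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_POINTER_TAG, 4, 1, gps_off)
    tiff += struct.pack(">I", 0)
    # GPS IFD with one entry: GPSVersionID (tag 0, BYTE x4) = 2.3.0.0
    tiff += struct.pack(">H", 1) + struct.pack(">HHI", 0x0000, 1, 4) + bytes([2, 3, 0, 0])
    tiff += struct.pack(">I", 0)
    exif_payload = EXIF_HEADER + tiff
    app1 = struct.pack(">HH", APP1, len(exif_payload) + 2) + exif_payload
    jfif_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # must survive
    app0 = struct.pack(">HH", APP0, len(jfif_payload) + 2) + jfif_payload
    sos = struct.pack(">HH", SOS, 8) + b"\x01\x01\x00\x00\x3f\x00"    # dummy scan header
    return b"\xff\xd8" + app0 + app1 + sos + b"\x12\x34\x56" + struct.pack(">H", EOI)


SAMPLE_JPEG = _build_sample_jpeg()

if __name__ == "__main__":
    print("GPS before:", has_gps_ifd(SAMPLE_JPEG))
    cleaned = strip_exif(SAMPLE_JPEG)
    print("GPS after: ", has_gps_ifd(cleaned), "bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

Re-encoding the image through an image library also drops metadata and is what most upload pipelines do; the segment walk is the lightweight option when the pixel data must stay byte-identical. Exif is not the only place location can hide: XMP (also APP1, with a different header) and IPTC (APP13) should be dropped as well in a production filter, and since the walk stops at SOS, anything appended after EOI is not inspected.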

Neon App's Call Recording Boom Sparks Privacy and Ethical Concerns
technology · 5 months ago

The Neon app, a popular call-recording platform that paid users for recordings of their phone calls, has been taken offline after a flaw in its backend exposed users' phone numbers, call recordings, and transcripts. The servers did not check that a logged-in user was authorized to fetch other users' data, a broken access control bug, and the developer shut the service down while it is fixed. The incident highlights ongoing issues with app security and with oversight in app marketplaces.

Critical Microsoft Entra ID Flaw Poses Global Security Risk
technology · 5 months ago

A critical flaw in Microsoft Entra ID, combining undocumented 'actor tokens' (internal impersonation tokens issued for service-to-service calls) with a validation bug in the legacy Azure AD Graph API that did not check which tenant such a token came from, could have let an attacker impersonate any user in any tenant, including Global Administrators, and take full control without leaving logs in the victim tenant. The issue was discovered by security researcher Dirk-jan Mollema, is tracked as CVE-2025-55241, and has been fixed by Microsoft.

Samsung Releases Urgent Security Update to Fix Zero-Day Vulnerability
technology · 5 months ago

Samsung has patched a zero-day vulnerability, CVE-2025-21043, an out-of-bounds write in an image-parsing library on its devices running Android 13 to 16, that was exploited in the wild to plant malicious code remotely. The flaw was reported by the security teams at Meta and WhatsApp, and the attack fits a broader pattern of spyware campaigns that target mobile users through image handling. Samsung did not specify affected models, and who was behind the attacks remains unclear.

Critical Security Flaws in Password Managers Enable Data Theft
technology · 6 months ago

Several top password managers, including 1Password, Bitwarden, and LastPass, were found vulnerable to a DOM-based clickjacking technique: a malicious page makes the browser extension's injected autofill prompt invisible (for example with CSS opacity) and positions it beneath a decoy element, so a single click autofills login credentials, 2FA codes, or credit card details into the attacker's page. Every manager tested was susceptible to at least one variant. Users are advised to update their extensions and disable autofill until patches are available.

Critical WinRAR Vulnerability Used in Malware and Phishing Attacks
technology · 6 months ago

A critical vulnerability in the Windows version of WinRAR (CVE-2025-8088), a path traversal triggered through NTFS alternate data streams, lets a crafted archive write files outside the chosen extraction folder, including into the Startup directory, so the payload runs at the next logon. The flaw has been exploited in phishing campaigns by the RomCom cyber-espionage group. WinRAR does not update itself, so users must download and install version 7.13 manually.

Microsoft Discloses Critical Exchange Server Vulnerability in Hybrid Setups
security · 6 months ago

Microsoft disclosed a high-severity vulnerability in on-premises Exchange Server (CVE-2025-53786) that lets an attacker who already has administrative access to the on-premises server escalate privileges into the connected Exchange Online tenant in hybrid deployments. Because hybrid configurations historically share one service principal between on-premises Exchange and Exchange Online, the escalation leaves little trace in the cloud audit logs and can lead to identity compromise. Microsoft recommends installing the April 2025 hotfix, moving to the dedicated hybrid app, reviewing the configuration, and resetting the shared service principal's keyCredentials if it is no longer used. CISA, which issued an emergency directive on the flaw, also warns about malware exploiting the recent SharePoint flaws and advises disconnecting outdated or end-of-life Exchange and SharePoint servers from the internet.

Microsoft's AI Web Project Faces Security Flaws
technology · 6 months ago

Researchers discovered a path traversal vulnerability in Microsoft's new NLWeb protocol implementation that let a remote, unauthenticated request read arbitrary files from the server, including .env files holding API keys. Microsoft patched the issue but has not issued a CVE, raising concerns about how security issues in AI-related protocols are tracked. Because AI agents built on NLWeb authenticate to model providers with those keys, an exposed key hands an attacker the agent's access, which is why new AI features need careful security review before deployment.
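As an added example serving both the WinRAR item above and the NLWeb item here (it is code from neither project): the containment check that both classes of bug lack. `resolve_within` normalises an untrusted relative path under a trusted root and refuses anything that resolves outside it; `check_archive_entry` wraps it with the rules an extractor needs for archive member names (backslashes, absolute paths, drive letters, NTFS alternate data stream syntax), and `check_request_path` applies the same check to a percent-decoded URL path. The root directories, entry names and request paths are constructed for the demo.

```python
"""Reject path traversal in archive member names and in file-serving requests.

Added example, not code from WinRAR or NLWeb. One lexical containment check
serves both cases; the archive wrapper adds the Windows-specific rules that
a cross-platform extractor needs. All inputs below are constructed.
"""
import posixpath
from urllib.parse import unquote


def resolve_within(root, untrusted):
    """Return the normalised path of `untrusted` under `root`, or None if it escapes.

    Purely lexical (no filesystem access). Expects POSIX separators; callers
    convert backslashes first. An absolute `untrusted` makes posixpath.join
    discard `root`, so it fails the prefix test and is rejected.
    """
    root = posixpath.normpath(root)
    prefix = root if root.endswith("/") else root + "/"
    candidate = posixpath.normpath(posixpath.join(root, untrusted))
    if candidate == root or candidate.startswith(prefix):
        return candidate
    return None


def check_archive_entry(name, extract_root="/tmp/extract"):
    """Return (ok, target_path_or_reason) for an archive member before writing it."""
    normalised = name.replace("\\", "/").rstrip("/")
    if not normalised:
        return False, "empty name"
    if normalised.startswith("/"):
        return False, "absolute path"
    if len(normalised) > 1 and normalised[1] == ":":
        return False, "Windows drive letter"
    # NTFS alternate data stream syntax (file.txt:stream). The part after the
    # colon is interpreted by the filesystem and can carry its own traversal
    # sequences, so the name is refused outright rather than parsed.
    if ":" in normalised:
        return False, "alternate data stream in file name"
    target = resolve_within(extract_root, normalised)
    if target is None:
        return False, "escapes extraction directory"
    return True, target


def check_request_path(url_path, static_root="/srv/site"):
    """Map a request path onto static_root, or None if it traverses out."""
    decoded = unquote(url_path)          # decode once: %2e%2e -> ..; never loop
    if "\x00" in decoded:
        return None
    return resolve_within(static_root, decoded.lstrip("/"))


ARCHIVE_ENTRIES = [   # constructed member names
    "docs/readme.txt",
    "../../Users/Public/Start Menu/Programs/Startup/update.exe",
    "C:\\Users\\victim\\AppData\\Roaming\\x.exe",
    "notes.txt:..\\..\\Startup\\payload.exe",
    "/etc/cron.d/job",
    "build/../../escape.sh",
    "build/../ok.sh",
]
REQUEST_PATHS = [     # constructed request paths
    "/index.html",
    "/static/../../.env",
    "/static/%2e%2e/%2e%2e/.env",
    "/assets/css/../app.js",
]

if __name__ == "__main__":
    for entry in ARCHIVE_ENTRIES:
        ok, info = check_archive_entry(entry)
        print(f"{'OK   ' if ok else 'BLOCK'} {entry!r}: {info}")
    for path in REQUEST_PATHS:
        print(f"{path!r} -> {check_request_path(path)}")
```

For a real extractor, also run the final path through os.path.realpath before writing, since a symlink extracted earlier from the same archive can redirect a later member; the check here is lexical only.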

Vulnerabilities in Cursor IDE's MCP and AI Coding Tools Pose RCE and Supply Chain Risks
technology · 6 months ago

A vulnerability in Cursor IDE's Model Context Protocol (MCP) handling, tracked as CVE-2025-54136 and reported by Check Point Research, lets an attacker who can modify a project's MCP configuration (for example through a shared repository) turn an already-approved server definition into arbitrary commands that run every time the project is opened or synced, giving persistent remote code execution. The flaw stems from the IDE's trust model: a server configuration was approved once, by name, and later edits to its command line were never re-prompted. The issue was responsibly disclosed and fixed in Cursor version 1.3; users should update to the latest version.
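As an added example (illustrative, not Cursor's implementation): the difference between approving a server definition by name and approving its content. `ApprovalStore` in weak mode records only that a named server was approved, which is the pattern the article describes; in strict mode it records a SHA-256 of the canonicalised definition, so a later change to the command or its arguments is unapproved again and is prompted. The two config documents and the server name `docs` are constructed for the demo.

```python
"""Approve an MCP server definition once, and again whenever it changes.

Added example, not Cursor's code. Shows the name-only approval that lets a
later edit run silently, next to approval pinned to a hash of the content.
The config documents below are constructed.
"""
import hashlib
import json


def canonical_hash(obj):
    """Stable SHA-256 over a JSON value (sorted keys, no whitespace)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class ApprovalStore:
    """Remembers which server definitions the user has approved.

    Weak mode keys approval on the server name alone, so a change to the
    command after approval is never noticed. Strict mode keys it on the
    name and the hash of the full definition (command, args, env, ...).
    """

    def __init__(self, strict=True):
        self.strict = strict
        self._approved = {}     # name -> content hash (strict) or True (weak)

    def approve(self, name, definition):
        self._approved[name] = canonical_hash(definition) if self.strict else True

    def is_approved(self, name, definition):
        if name not in self._approved:
            return False
        if not self.strict:
            return True
        return self._approved[name] == canonical_hash(definition)


def servers_needing_prompt(config, store):
    """Names of servers in `config` that must be shown to the user before use."""
    return [name for name, definition in config.get("mcpServers", {}).items()
            if not store.is_approved(name, definition)]


# Constructed: the definition the user approved, and the same server name
# after a commit swapped its command line.
ORIGINAL_CONFIG = {"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "@example/docs-server"]},
}}
TAMPERED_CONFIG = {"mcpServers": {
    "docs": {"command": "sh", "args": ["-c", "echo compromised"]},
}}


def demo(strict):
    """Return (prompted on first open, prompted after tampering)."""
    store = ApprovalStore(strict=strict)
    first = servers_needing_prompt(ORIGINAL_CONFIG, store)
    for name in first:                              # user clicks "approve"
        store.approve(name, ORIGINAL_CONFIG["mcpServers"][name])
    return first, servers_needing_prompt(TAMPERED_CONFIG, store)


if __name__ == "__main__":
    print("name-only approval:", demo(strict=False))   # tampered server runs silently
    print("hash-pinned approval:", demo(strict=True))  # tampered server is re-prompted
```

The approval record has to live outside the workspace, in the IDE's own profile directory, because the threat is precisely someone who can write to the repository; hashing the whole entry rather than just the command also catches changes to arguments and environment variables.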