Monthly
Fleet device management software versions prior to 4.81.1 allow a malicious enrolled Windows device to retrieve Mobile Device Management (MDM) commands intended for other devices, potentially disclosing sensitive configuration data, including Wi-Fi credentials, VPN secrets and certificate payloads, across the entire Windows fleet. The flaw stems from missing authorization checks in Windows MDM command processing and affects any organization that uses Fleet to manage Windows devices. Vendor-released patch: version 4.81.1. Because the exposed payloads are credentials, upgrading does not recover anything a rogue device has already read; rotating secrets delivered through affected profiles is the prudent follow-up.
Zabbix Server and Proxy reuse JavaScript (Duktape) execution contexts across script items, JavaScript preprocessing and webhooks as a performance optimization. Because state left in a context by one script is visible to the next script run in it, a non-super-administrator can read data about hosts they are not authorized to access, turning the shared environment into an information-disclosure channel. A patch makes the built-in Zabbix JavaScript objects read-only, which closes the built-ins as a place to stash data; it does not isolate contexts, so anything a script stores in a global variable can still be read by the next script. Keep script state in function-local variables and treat any global assignment in a webhook or preprocessing step as a finding.
Lettermint Node.js SDK versions 1.5.0 and below leak email content between messages sent through the same client instance: properties set for one message are not cleared before the next send, so a later message can carry an earlier message's recipients or body. The entry characterizes the attacker as a local, authenticated user, but the practical exposure is to whoever receives the later message. Applications with transactional email flows that reuse one client instance risk exposing recipient addresses and message content to unintended parties. Patched in version 1.5.1; on older versions, create a new client instance per message rather than relying on the SDK to reset its state.
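The bug class above, as an added example that is not the Lettermint SDK: a minimal builder-style mail client whose send path forgets to reset per-message state, its fixed counterpart, and a small check that flags recipients carried over from an earlier message. Class and method names (LeakyMailClient, to/cc/subject/text/send), the recording transport and the two sample messages are all assumptions constructed for the example.

```javascript
// Added example, not Lettermint's SDK. Names and the sample messages are assumptions.

// Fake transport that records what "went out" instead of calling an email API.
class RecordingTransport {
  constructor() { this.sent = []; }
  deliver(payload) { this.sent.push(payload); return payload; }
}

// Builder-style client with the state-carry-over bug: one message object
// lives for the client's whole lifetime and send() never clears it.
class LeakyMailClient {
  constructor(transport) { this.transport = transport; this.msg = this.blank(); }
  blank() { return { to: [], cc: [], subject: undefined, text: undefined }; }
  to(addr) { this.msg.to.push(addr); return this; }
  cc(addr) { this.msg.cc.push(addr); return this; }
  subject(s) { this.msg.subject = s; return this; }
  text(t) { this.msg.text = t; return this; }
  send() {
    // Copy arrays so the recorded payload is a snapshot, then deliver.
    // Bug: this.msg is left as-is, so the next send starts from it.
    return this.transport.deliver({ ...this.msg, to: [...this.msg.to], cc: [...this.msg.cc] });
  }
}

// Fixed client: per-message state is reset after every send.
class FixedMailClient extends LeakyMailClient {
  send() {
    const out = super.send();
    this.msg = this.blank();
    return out;
  }
}

// Constructed scenario: an invoice to Alice (with an audit cc), then a
// password-reset note to Bob from the same client instance.
function sendTwoMessages(ClientClass) {
  const transport = new RecordingTransport();
  const client = new ClientClass(transport);
  client.to('alice@example.com').cc('audit@example.com')
        .subject('Invoice 1042').text('Alice, your invoice is attached.').send();
  client.to('bob@example.com').text('Bob, here is your password reset link.').send();
  return transport.sent;
}

// Heuristic check over a send log: flag any message whose recipients already
// appeared on an earlier message from the same client. Legitimate repeats
// will also be flagged, so treat hits as leads, not proof.
function carriedOverRecipients(sent) {
  const seen = new Set();
  const findings = [];
  sent.forEach((m, i) => {
    const all = [...m.to, ...m.cc];
    const repeat = all.filter((a) => seen.has(a));
    if (repeat.length) findings.push({ index: i, addresses: repeat });
    all.forEach((a) => seen.add(a));
  });
  return findings;
}

console.log('leaky second message:', sendTwoMessages(LeakyMailClient)[1]);
console.log('fixed second message:', sendTwoMessages(FixedMailClient)[1]);
```

With the leaky client, Bob's reset link goes to Alice and the audit address as well and inherits the invoice subject; the fixed client delivers it to Bob only.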
Whisper Money versions before 0.1.5 contain an insecure direct object reference (IDOR): an authenticated user can modify bank-account balances belonging to other users by supplying their account identifiers, because the balance-update path checks that the caller is logged in but not that the caller owns the account. An attacker with any valid credentials can manipulate financial data across accounts. Fixed in version 0.1.5; apply it promptly.
OpenProject versions prior to 16.6.5 and 17.0.1 do not verify that a session belongs to the requesting user in the session deletion endpoint, so an authenticated user can forcibly log out arbitrary other users. Session IDs are sequential, so an attacker with valid credentials can iterate them with DELETE requests to /my/sessions/:id and terminate other users' sessions; only ordinary authentication is needed. The entry gives 16.6.5 and 17.0.1 as the boundaries of the affected range while also stating that no patch is currently available; confirm the fix status against the vendor advisory before relying on either figure.
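The Whisper Money and OpenProject entries are the same defect: a handler that looks a record up by identifier and checks only that the caller is authenticated, not that the caller owns the record. The added example below (not OpenProject or Whisper Money code; the store, user names, identifiers and function names are assumptions) shows the vulnerable session-delete handler next to an owner-scoped version, reuses the same owner-scoped lookup for a balance update, and runs the sequential-ID enumeration the OpenProject entry describes against both.

```javascript
// Added example, not OpenProject or Whisper Money code. All names and data are assumptions.

// Constructed sample data with sequential ids, as the OpenProject entry describes.
function makeStore() {
  return {
    sessions: new Map([
      [1, { userId: 'alice' }], [2, { userId: 'bob' }],
      [3, { userId: 'mallory' }], [4, { userId: 'alice' }],
    ]),
    accounts: new Map([
      [10, { userId: 'alice', balance: 500 }],
      [11, { userId: 'mallory', balance: 20 }],
    ]),
  };
}

// Vulnerable: the record is fetched by id alone; any authenticated caller reaches it.
function deleteSessionVulnerable(store, callerId, sessionId) {
  if (!store.sessions.has(sessionId)) return { status: 404 };
  store.sessions.delete(sessionId);
  return { status: 204 };
}
function updateBalanceVulnerable(store, callerId, accountId, newBalance) {
  const acct = store.accounts.get(accountId);
  if (!acct) return { status: 404 };
  acct.balance = newBalance;
  return { status: 200, balance: acct.balance };
}

// Fix: scope the lookup to the caller from the start. A record the caller does
// not own is reported exactly like one that does not exist (404 either way),
// so the endpoint cannot be used to discover which ids are live.
function loadOwned(table, id, ownerId) {
  const rec = table.get(id);
  return rec && rec.userId === ownerId ? rec : undefined;
}
function deleteSessionSafe(store, callerId, sessionId) {
  if (!loadOwned(store.sessions, sessionId, callerId)) return { status: 404 };
  store.sessions.delete(sessionId);
  return { status: 204 };
}
function updateBalanceSafe(store, callerId, accountId, newBalance) {
  const acct = loadOwned(store.accounts, accountId, callerId);
  if (!acct) return { status: 404 };
  acct.balance = newBalance;
  return { status: 200, balance: acct.balance };
}

// The attack from the OpenProject entry: iterate ids 1..maxId as a low-privilege
// user and count how many sessions the handler lets us terminate.
function enumerateDeletes(store, handler, callerId, maxId) {
  let deleted = 0;
  for (let id = 1; id <= maxId; id++) {
    if (handler(store, callerId, id).status === 204) deleted++;
  }
  return deleted;
}

console.log('vulnerable: mallory killed', enumerateDeletes(makeStore(), deleteSessionVulnerable, 'mallory', 10), 'sessions');
console.log('fixed:      mallory killed', enumerateDeletes(makeStore(), deleteSessionSafe, 'mallory', 10), 'sessions');
console.log('vulnerable balance write:', updateBalanceVulnerable(makeStore(), 'mallory', 10, 1000000));
console.log('fixed balance write:     ', updateBalanceSafe(makeStore(), 'mallory', 10, 1000000));
```

The owner-scoped lookup is the whole fix; putting it in one helper that every handler must go through (rather than an ownership check bolted onto each endpoint) is what keeps the next endpoint from repeating the mistake.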
The FreeBSD kernel fails to validate a socket's connection state when adding it to an SO_REUSEPORT_LB load-balancing group, so a connected socket placed in such a group can receive packets from arbitrary hosts rather than only from its connected peer. This breaks the contract of connect(2) (and of sendto(2) on a connected socket) that applications rely on: a program believes it is receiving traffic from the peer it named but may actually be handed unsolicited packets from any host, which makes this a spoofing vulnerability. The entry characterizes the attacker as remote with user-level privileges on a system running a vulnerable FreeBSD version.
Spotipy is a Python library for the Spotify Web API. The entry rates the vulnerability critical (CVSS 9.1): remotely exploitable, no authentication required, low attack complexity. No vendor patch available. No further detail is given.
An issue was discovered in OPC cardsystems Webapp Aufwertung 2.1.0. Rated high severity (CVSS 7.5): remotely exploitable, no authentication required, low attack complexity. No vendor patch available. No further detail is given.
A flaw was found in cifs-utils. Rated medium severity (CVSS 5.9); no authentication required. No vendor patch available. No further detail is given.
Element Android is an Android Matrix client provided by Element. Rated medium severity (CVSS 5.1); no authentication required, low attack complexity. No further detail is given.