< ciso
brief />
Tag Banner

All news with #information disclosure tag

54 articles

EC2 exposes public AMI SSM parameter metadata

πŸ”Ž Amazon EC2 now includes the AWS Systems Manager (SSM) Parameter Store parameters linked to public AMIs directly in AMI metadata. When you describe a public AMI, the response returns the associated public SSM parameter, making discovery and reference simpler. This eliminates manual namespace searches and enables using the parameter as an alias to always resolve to the latest AMI version. The feature is available at no additional cost in all AWS commercial, China, and GovCloud Regions.
read more β†’

Citrix NetScaler memory overread patched, exploits spotted

πŸ”’ Citrix patched a new NetScaler memory overread, CVE-2026-8451, similar to prior CitrixBleed issues; researchers from watchTowr disclosed that malformed unauthenticated requests can leak protected process memory. While this flaw leaks smaller data fragments than earlier CitrixBleed faults, it still poses risk for chaining with memory-write exploits. Citrix also fixed additional high-severity memory overflows and an HTTP/2 DoS; customers are urged to upgrade and apply configuration mitigations.
read more β†’

Squidbleed: 29-Year-Old Squid Proxy Heap Over-Read

πŸ”Ž A heap over-read in the Squid web proxy can leak cleartext HTTP requests, including credentials and session tokens, to any user already allowed to use the same proxy. Disclosed by researchers at Calif.io in June and tracked as CVE-2026-47729 (Squidbleed), the bug stems from a 1997 FTP-parsing change and affects Squid default configurations that enable FTP and port 21. The flaw only exposes traffic Squid can inspect (cleartext HTTP or TLS-terminating setups); normal CONNECT-tunneled HTTPS remains opaque. Calif.io demonstrated extracting an Authorization header from a co-proxy user; public proof-of-concept code exists and mitigations include patching or simply disabling FTP.
read more β†’

Unauthenticated info disclosure in Gravity SMTP plugin

πŸ”’ Threat actors are exploiting an unauthenticated information-disclosure vulnerability in the WordPress plugin Gravity SMTP, present on about 100,000 sites. Tracked as CVE-2026-4020 and rated medium, the flaw affects versions 2.1.4 and older and was fixed in 2.1.5 (released March 17). Wordfence reports millions of blocked attempts and recommends admins patch and monitor requests to the exposed REST endpoint.
read more β†’

Rockwell CompactLogix CIP Sequence and Info Leak

πŸ”’ A security advisory details vulnerabilities in Rockwell Automation CompactLogix 1769 controllers where missing validation of CIP sequence numbers and source IPs and exposure of CIP Connection IDs on the device web diagnostics page can be abused to trigger denial-of-service conditions. Rockwell recommends updating affected devices to firmware V38.011 and refers users to advisory SD1776 for mitigation steps. CISA advises minimizing network exposure, placing control systems behind firewalls, using secure remote access like VPNs, and following standard ICS defensive practices and reporting procedures.
read more β†’

FROST attack lets websites fingerprint drives

πŸ›‘οΈ Researchers at Graz University of Technology describe FROST, a browser-based timing attack that uses the Origin Private File System (OPFS) to infer which sites a user visits and which apps they open. The exploit runs purely in JavaScript, requires no native code or permissions, and sharpens timer resolution via cross-origin isolation. On macOS it achieved high fingerprinting accuracy, while mitigations remain limited and browser vendors have not implemented firm fixes.
read more β†’

ABB AC500 V2 Modbus Buffer Over-read Advisory

πŸ›‘οΈ The advisory details a buffer over-read vulnerability in ABB AC500 V2 devices that can cause Modbus server responses to include fragments of earlier telegrams. Affected devices running older firmware may return invalid or appended data when presented with unsupported Modbus function codes. ABB issued a fix in AC500 V2 firmware version 2.5.3 (2016) and later; operators are urged to update and minimize network exposure. CISA republished the vendor advisory to raise visibility and recommends isolating control networks and using secure remote access.
read more β†’

Nine-Year Linux Kernel Flaw Lets Local Users Gain Root

πŸ”’ Qualys disclosed a nine-year-old Linux kernel vulnerability tracked as CVE-2026-46333 (ssh-keysign-pwn) that stems from the __ptrace_may_access() code path. The flaw can allow an unprivileged local user to disclose sensitive files such as /etc/shadow and SSH host private keys and to execute arbitrary commands as root on default installs of Debian, Fedora, and Ubuntu. A public proof-of-concept appeared after a kernel commit; vendors have issued patches and recommend raising kernel.yama.ptrace_scope to 2 as a temporary mitigation.
read more β†’

Schneider Electric EcoStruxure HVAC Sensitive Data Risk

πŸ”’ Schneider Electric has identified a CWE-312 vulnerability in EcoStruxure Machine Expert HVAC, a programming tool for Modicon M171-M172 controllers, that can expose sensitive information including protected source code. Version 1.10.0 includes a vendor-provided fix and users are urged to update. The advisory also reiterates standard ICS security best practices to isolate control networks and limit exposure.
read more β†’

ZKTeco CCTV Cameras Vulnerability: Auth Bypass Patch

πŸ“· An undocumented configuration export port on certain ZKTeco CCTV camera models permits unauthenticated access to sensitive device information. The exposed data can include running services and camera account credentials, creating a risk of information disclosure and unauthorized access. ZKTeco released a firmware update V5.0.1.2.20260421 to remediate the issue and urges immediate upgrading. CISA recommends minimizing network exposure, using firewalls and segmentation, and restricting Internet access to control devices.
read more β†’

ABB B&R PVI client logs sensitive data vulnerability

πŸ”’ ABB has released an update addressing a logging issue in its B&R PVI client that could expose sensitive information. Affected versions are PVI <6.5.0>; the issue is fixed in PVI 6.5.0 (CVE-2026-0936). The vulnerability can allow an authenticated local attacker to read credentials written to client-side logs, although logging is disabled by default. Customers should apply the update promptly and limit client logging to troubleshooting only.
read more β†’

Apple fixes iOS bug that retained deleted notifications

πŸ”’ Apple released patches for iOS and iPadOS to fix a Notification Services logging flaw that could retain notifications marked for deletion. Tracked as CVE-2026-28950, the issue was addressed by improving data redaction so deleted alerts are no longer preserved. Affected models were fixed in iOS 26.4.2/iPadOS 26.4.2 and in iOS/iPadOS 18.7.8 for other devices. The update follows reporting that copies of Signal messages were forensically extracted from push notification storage.
read more β†’

Critical Azure SRE Agent Flaw Allowed Silent Eavesdropping

πŸ”’ A high-severity authentication flaw in Azure SRE Agent exposed agent activity streams to unauthorized tenants, researcher Yanir Tsarimi of Enclave AI reported. Tracked as CVE-2026-32173 with a CVSS score of 8.6, the vulnerability stemmed from an Entra ID app registration configured as multi-tenant and a WebSocket hub that accepted tokens without tenant authorization checks. The hub broadcast agent prompts, internal reasoning, commands and outputs to all connected clients. Microsoft applied a server-side fix and says no customer action is required, but organizations that ran the agent during preview should review any credentials or sensitive data that may have traversed agent interactions.
read more β†’

Bank Pixel Redirects Logged-In Users to Temu Tracker

πŸ” A Taboola tracking pixel approved by a bank silently redirected authenticated users to a Temu tracking endpoint without the bank's knowledge, user consent, or any security control flagging a violation. Reflectiz discovered the chain during a February 2026 audit: an initial GET to sync.taboola.com returned a 302 to a temu.com pixel and included Access-Control-Allow-Credentials: true, enabling credentialed cross-origin requests. Conventional tools missed the behavior because they validate the declared script origin rather than runtime redirect destinations. Organizations should inspect browser runtime behavior, tighten CSPs, and consider sandboxing third-party scripts on authenticated pages.
read more β†’

LinkedIn's Hidden Script Scans 6,000+ Chrome Extensions

πŸ” LinkedIn was found to inject hidden JavaScript that fingerprints visitors' browsers, testing for over 6,000 Chrome extensions and collecting device and system details such as CPU cores, memory, screen resolution, timezone, battery status, audio information, and storage features. Researchers say the script links extension presence to identifiable profiles; LinkedIn confirms extension detection but insists it is used to stop scraping and protect platform stability. BleepingComputer observed a randomized script file performing the checks but could not verify claims about downstream sharing or commercial use.
read more β†’

LinkedIn scans 6,000+ Chrome extensions, gathers device info

πŸ” A new report named BrowserGate alleges that LinkedIn injects hidden JavaScript into user sessions to probe browsers for installed extensions and collect device characteristics. BleepingComputer independently observed a randomized script that attempted to detect 6,236 extensions by checking extension resource URLs and also harvested CPU, memory, screen, timezone, battery, audio, and storage details. LinkedIn says it looks for extensions that scrape content or violate its Terms and uses detection to inform defenses and enforcement, while the report warns this scanning could map competitors' customers and enable profiling. The use and sharing of the collected data have not been independently verified.
read more β†’

Vertex AI P4SA Permissions Flaw Exposes Google Cloud Data

πŸ”’ Unit 42 disclosed a permissions flaw in Vertex AI where the default Per-Project, Per-Product Service Agent (P4SA) can expose credentials and OAuth scopes via the metadata service. Researchers showed attackers could use those credentials to pivot into customer projects, read Google Cloud Storage buckets, and download images from restricted Artifact Registry repositories. Google updated docs and advises using BYOSA and least-privilege scopes; organizations should validate agent permissions before deployment.
read more β†’

Lloyds Glitch Exposed Personal Data of 447,936 Customers

⚠️ A software defect introduced during a routine overnight update on 12 March at Lloyds Banking Group briefly exposed transactions and account information belonging to as many as 447,936 customers across Lloyds, Halifax and Bank of Scotland mobile apps. Approximately 114,182 users clicked transactions that displayed other customers' details, which could include payment references and national insurance numbers. The bank reported the issue to regulators within required timeframes, paid £139,000 to 3,625 customers in compensation, and said it found no evidence of financial loss or fraud.
read more β†’

Automated Logic WebCTRL BACnet Vulnerabilities β€” Mar 2026

πŸ”’ CISA warns of multiple high‑severity vulnerabilities in Automated Logic WebCTRL servers that could allow attackers to read, intercept, or modify BACnet communications. Known affected releases include versions earlier than v8.5, and WebCTRL 7 is end‑of‑life and unsupported. The advisory describes three CVEs β€” CVE-2026-25086 (port binding impersonation), CVE-2026-32666 (BACnet packet spoofing), and CVE-2026-24060 (cleartext transmission, CVSS 9.1) β€” and urges operators to upgrade to supported releases with BACnet/SC, implement TLS/mutual authentication where available, and apply network segmentation, access controls, and vendor secure configuration best practices to reduce exposure.
read more β†’

Schneider Electric EcoStruxure DCE: Hard-Coded Credentials

πŸ”’ Schneider Electric disclosed a hard‑coded credentials vulnerability in EcoStruxure IT Data Center Expert (DCE) that can lead to information disclosure and remote compromise when the SOCKS Proxy feature is enabled. Exploitation requires administrative access plus knowledge of PostgreSQL credentials; SOCKS Proxy is disabled by default. The issue is tracked as CVE‑2025‑13957 with a CVSS v3.1 base score of 7.2. Administrators should apply vendor updates or implement interim mitigations per the vendor handbook.
read more β†’