
All news with #information disclosure tag

48 articles · page 2 of 3

AVEVA PI to CONNECT Agent Log Information Exposure

⚠️ AVEVA reported that PI to CONNECT Agent (<=v2.4.2520) contains a vulnerability that can record sensitive proxy connection details in event logs. An attacker with local Event Log Reader (S-1-5-32-573) privileges could extract proxy URLs and credentials from those logs and gain unauthorized access to the proxy server. The issue is not remotely exploitable; the vendor’s fix is v2.5.2790 or later. Users should review and sanitize logs, rotate proxy credentials, avoid plain-text passwords in proxy URLs, and restrict Event Log Reader privileges.

Researcher Shows Private Instagram Profiles Leaking

🔍 A security researcher published evidence that some Instagram private profiles returned links to user photos and captions inside the page HTML, making them visible to unauthenticated visitors on certain mobile devices. Researcher Jatin Banga showed the polaris_timeline_connection JSON object embedded encoded CDN links pointing to images that should have been private. In tests of private accounts he controlled or had permission to use, about 28% exposed captions and CDN links. Banga reported the issue to Meta on October 12, 2025; Meta later closed the report as "not applicable" and did not provide a root-cause analysis, though the behavior ceased roughly October 16.

Schneider Electric Foxboro DCS Intel Side-Channel Issue

⚠️ Schneider Electric published an advisory about a side‑channel vulnerability disclosed by Intel (CVE-2018-12130) that affects EcoStruxure Foxboro DCS Virtualization Server (V91) and Standard Workstation (H92). An authenticated user with local access could exploit the CPU issue to enable information disclosure, risking loss of system functionality or unauthorized access. Schneider Electric directs customers to migrate to updated server (V95) and workstation (Dell D96) hardware or, if immediate migration is not feasible, to apply BIOS and OS security patches and follow layered defense-in-depth recommendations.

MongoBleed (CVE-2025-14847): Critical MongoDB Memory Leak

🔴 On Dec. 19, 2025, MongoDB disclosed MongoBleed (CVE-2025-14847), a critical unauthenticated memory-disclosure vulnerability in MongoDB Server stemming from its handling of zlib-compressed wire messages. An attacker with network access to TCP/27017 can cause the server to return heap memory that may include cleartext credentials, API keys, session tokens, and PII. A public PoC and active exploitation were observed; MongoDB Atlas was auto-patched, while self-hosted deployments require immediate manual updates and mitigations such as disabling zlib compression and restricting inbound access.

Hidden Telegram proxy links can expose your IP in one click

🔒 Researchers showed that tapping what looks like a Telegram username can trigger the app to auto-connect to a proxy and reveal your real IP address. The issue arises from how MTProto proxy links (t.me/proxy?...) are parsed on Android and iOS: the client performs an automatic test connection before the proxy is added. Attackers can host malicious proxies and disguise links as benign usernames or URLs to log IPs for location, profiling, or DDoS. Telegram says IP visibility is not unique to its platform and will add warnings for proxy links; users should be cautious with unfamiliar t.me links.

BreachForums User Database Leak Exposes 324,000 Accounts

🔐 A backup of the BreachForums MyBB users table and an associated PGP key were published in a 7Zip archive, exposing 323,988 account records and administrator key material. The leaked archive includes a databoose.sql users table and a passphrase-protected PGP private key; without the passphrase the key cannot be used to sign messages. Analysis found most IPs were set to a local loopback (127.0.0.9), but roughly 70,296 records map to public IPs, creating OPSEC risks for affected users and potential intelligence value for law enforcement. The forum administrator acknowledged the leak, saying the files were temporarily left in an unsecured folder during recovery and recommending disposable email addresses for members.

MongoDB zlib Flaw Lets Unauthenticated Clients Read Heap

🔒 A high-severity vulnerability in MongoDB can allow unauthenticated clients to read uninitialized heap memory by exploiting mismatched length fields in zlib-compressed protocol headers. Tracked as CVE-2025-14847 with a CVSS score of 8.7, the flaw stems from improper handling of inconsistent length parameters. It affects a broad set of releases from 3.6 through 8.2, and MongoDB has published fixes (including 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 and 4.4.30); administrators unable to upgrade immediately are advised to disable zlib compression or restrict compressors to snappy or zstd.

React fixes RSC DoS and code-leak flaws in server components

⚠️ The React team released patches for three vulnerabilities affecting React Server Components that could enable pre-authentication denial-of-service and disclosure of Server Function source code. Two high-severity DoS issues arise from unsafe deserialization and an incomplete remediation, while a lower-severity information-leak bug can return function source when arguments are stringified. The flaws impact react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack across multiple 19.x releases. Users are urged to upgrade to 19.0.3, 19.1.4, or 19.2.3 immediately, especially given active exploration of a related critical bug.

PCIe IDE Flaws in PCIe 5.0+ Allow Faulty Data Handling

⚠️ The PCI Special Interest Group (PCI-SIG) disclosed three vulnerabilities in the PCIe Integrity and Data Encryption (IDE) ECN that affect PCIe Base Specification Revision 5.0 and later, potentially allowing reordering, completion timeout redirection, and delayed posted redirection of encrypted PCIe traffic. The issues, tracked as CVE-2025-9612, CVE-2025-9613, and CVE-2025-9614, could permit information disclosure, privilege escalation, or denial of service if an attacker gains local or low-level access. Intel and AMD products are listed as affected; vendors should provide firmware updates and users must apply patches and follow PCIe 6.0 Erratum #1 guidance.

Critical XML External Entity (XXE) Flaw in Apache Tika

🔒 A critical XML External Entity (XXE) vulnerability, tracked as CVE-2025-66516, has been disclosed in Apache Tika and carries a CVSS score of 10.0. The flaw allows XXE via a crafted XFA file inside PDFs and affects tika-core, tika-parser-pdf-module, and tika-parsers across multiple versions. Users are strongly advised to upgrade to the patched releases immediately to mitigate file disclosure and potential remote code execution.

WhatsApp flaw allowed discovery of 3.5B registered numbers

🔍 Researchers from the University of Vienna and SBA Research found a flaw in WhatsApp's contact discovery that let them enumerate valid numbers globally, confirming about 3.5 billion registered accounts. By abusing the lookup mechanism they could probe numbers across 245 countries at rates exceeding 100 million checks per hour from a single IP. The technique also exposed public (non-private) keys, timestamps, profile photos and About text, enabling inference of device OS, account age and linked secondary devices, prompting Meta to add rate limits and tighter visibility rules.

Siemens COMOS: Critical RCE and Data Exposure Fixes

Siemens warns that COMOS contains two high‑severity vulnerabilities — CVE-2023-45133 (CVSS 9.3) and CVE-2024-0056 (CVSS 8.7) — which can enable remote code execution or expose sensitive information. Siemens has released a patch in COMOS V10.4.5 and advises operators to update promptly. Implement network segmentation, avoid direct internet exposure of control systems, and follow Siemens and CISA guidance for secure remote access and system hardening.

Balancer V2 Exploit Drains Over $120 Million in Crypto

🚨 Balancer announced an exploit of its V2 Composable Stable Pools on Ethereum at 07:48 UTC that resulted in reported losses exceeding $128 million. Initial analysis from GoPlus Security points to a precision rounding error in the Vault’s swap calculations that an attacker chained via batchSwap, while other researchers suggest improper authorization and callback handling in V2 vaults. Balancer says the issue is isolated to V2 Composable Stable Pools, with V3 and other pools unaffected, and the team is working with security researchers on a full post‑mortem. Users are warned to remain vigilant for scams and phishing attempts following the incident.

GDI Vulnerabilities in Windows Enable RCE and Data Leak

🔒 Microsoft has issued updates to address three previously unknown flaws in the Windows Graphics Device Interface (GDI) that could permit remote code execution and information disclosure. The issues, rooted in malformed EMF/EMF+ records, cause out-of-bounds memory access in GdiPlus.dll and gdi32full.dll during image rendering, thumbnailing and print initialization. Patches were released across the May, July and August 2025 Patch Tuesdays (KB5058411, KB5062553, KB5063878); administrators should apply updates promptly and avoid opening untrusted EMF files.

Vertikal Systems Hospital Manager Backend Services

⚠️ CISA disclosed critical vulnerabilities in Vertikal Systems Hospital Manager Backend Services that were fixed as of September 19, 2025. One flaw exposed the unauthenticated ASP.NET tracing endpoint (/trace.axd), allowing disclosure of request traces, headers, session identifiers, and internal paths. A second flaw returned verbose ASP.NET error pages for invalid WebResource.axd requests, revealing framework versions, stack traces, and server paths. CVE-2025-54459 and CVE-2025-61959 were assigned; organizations should apply vendor updates and follow network isolation best practices.

Pro-Russia Information Operations After Drone Incursion

🔎 Google Threat Intelligence Group (GTIG) observed coordinated pro-Russia information operations responding to reported Russian drone incursions into Polish airspace on Sept. 9–10, 2025. Actors amplified narratives denying Russian culpability, blaming NATO or Poland, and seeking to erode domestic and international support for Ukraine. GTIG documented activity across multiple networks and languages and noted these operations leveraged both long-standing and recently developed influence infrastructure.

Pixnapping: Android GPU Side-Channel Steals 2FA Pixels

⚠️ Researchers have disclosed Pixnapping, a pixel-stealing side-channel that can extract 2FA codes, Maps timelines, and other sensitive UI contents from Android apps by abusing GPU compression together with Android's window-blur and intent mechanisms. The proof-of-concept captures codes in under 30 seconds on several Google and Samsung devices running Android 13–16 without requiring special manifest permissions. Google tracked the issue as CVE-2025-48561 (CVSS 5.5) and issued mitigations in the September 2025 Android Security Bulletin, but researchers say a workaround can re-enable the technique and that some app-list bypass behavior will not be fixed.

Oracle issues second emergency patch for E-Business Suite

⚠️ Oracle released an emergency security alert on October 11 for CVE-2025-61884, a 7.5 CVSS information-disclosure flaw in the Runtime UI component of E-Business Suite (versions 12.2.3–12.2.14). The vulnerability allows unauthenticated remote attackers with network access to steal sensitive data. The patch arrives one week after an emergency fix for a Cl0p-exploited RCE, and experts urge administrators to apply updates, hunt for prior compromise, and restrict outbound traffic from EBS servers.

Oracle issues emergency patch for E-Business Suite

🔒 Oracle released an emergency update to address CVE-2025-61884, an information disclosure flaw in the E-Business Suite Runtime UI that affects versions 12.2.3 through 12.2.14. The vulnerability is remotely exploitable without authentication and has been assigned a CVSS base score of 7.5, meaning a successful exploit could expose sensitive resources. Oracle strongly urges customers to apply the out-of-band patch or recommended mitigations immediately, particularly for internet-facing instances.

Optical Mice Can Be Used to Eavesdrop on Conversations

🖱️ Researchers at the University of California, Irvine demonstrated a proof-of-concept called Mic-E-Mouse, showing that high-end optical mice can pick up desk-transmitted voice vibrations and be used to reconstruct nearby conversations. The attack can be executed on PC, Mac and Linux by non-privileged user-space programs, and Wiener and neural-network filtering was used to enhance muffled signals into intelligible speech. Practical limits include a quiet environment, thin desks (≈3 cm or less), mostly stationary mice and very high-DPI hardware; placing a rubber pad or mouse mat under the mouse prevents the leakage.