All news with #insecure direct object reference tag

🔒 Siemens reports that SIMATIC HMI Unified Comfort Panels before V21.0 are vulnerable to an unauthenticated access issue that exposes the embedded web browser via the Control Panel help link when access protections are not applied. The flaw is attributed to insecure default initialization (CWE-1188) and carries a vendor CVSS v3 score of 7.7. Siemens recommends updating affected panels to V21 or later, disabling the taskbar, and following operational security guidance to enable Control Panel access protection and change runtime autostart settings.

🔒 Dutch police in The Netherlands arrested a 40-year-old man after officers inadvertently sent him a link that allowed downloading of internal documents rather than uploading images. The recipient downloaded confidential files, refused to delete them, and reportedly sought a 'reward,' prompting charges of computervredebreuk (unauthorised access). Authorities searched the suspect's home, seized devices, and reported a data breach while investigating how the error occurred.

🔒 Spain's Ministry of Science partially shut down several IT systems after reporting a "technical incident" that suspended citizen- and company-facing services. A threat actor using the alias GordonFreeman claims to have exploited an IDOR vulnerability to obtain full-admin credentials and posted samples of personal records, email addresses, enrollment applications and screenshots of official paperwork. The forum post has been taken offline and the leaked data has not been independently verified. The ministry said it will extend affected deadlines while assessing the incident.

⚠️ Moltbot, an open-source local AI assistant, has become popular for deep system integration but is being deployed insecurely in enterprise environments, risking exposure of API keys, OAuth tokens, conversation history, and credentials. Researcher Jamieson O'Reilly and others found hundreds of exposed admin interfaces caused by reverse proxy misconfigurations that auto-approve "local" connections, allowing unauthenticated access and command execution. A supply-chain proof-of-concept showed a malicious Skill could rapidly reach developers. Vendors recommend isolating instances in VMs and enforcing strict firewall and access controls.

🔒 Microsoft has quietly altered how Windows displays .lnk shortcut Targets, addressing a long‑abused technique attackers used to hide malicious commands in trailing whitespace. The issue (tracked as CVE-2025-9491) stemmed from Explorer showing only the first 260 characters of a Target field, allowing long PowerShell or BAT scripts to be concealed. Third‑party vendor 0patch acknowledges the UI change but says Microsoft’s fix doesn't prevent execution and offers a micropatch that truncates long Targets and warns users.

⚠️ CISA warns of an authorization bypass (IDOR) in the SolisCloud Monitoring Platform affecting Cloud API and Device Control API v1 and v2. An authenticated user can access detailed plant data by manipulating the plant_id parameter, exposing sensitive information. The issue is tracked as CVE-2025-13932 with a CVSS v4 score of 8.3 and is remotely exploitable with low complexity. SolisCloud has not engaged with CISA; users should limit network exposure and follow CISA mitigation guidance.

🔒 Johnson Controls reported a Direct Request (Forced Browsing) vulnerability (CVE-2025-26381) in the OpenBlue Mobile Web Application for OpenBlue Workplace. Versions 2025.1.2 and earlier may allow remote attackers to gain unauthorized access to sensitive information; CISA cites a CVSS v3.1 score of 9.3 and a CVSS v4 score of 6.5. Johnson Controls recommends upgrading to patch level 2025.1.3 when available; until then, administrators should disable the mobile app in IIS or use the primary Workplace web interface as a mitigation.

🔒 A vulnerability in the American Archive of Public Broadcasting allowed protected and private media to be downloaded for years by abusing an IDOR flaw. A simple Tampermonkey script could alter media ID parameters in background fetch/XHR calls and bypass access controls, returning content instead of a '403 Forbidden'. The issue was reported to AAPB, confirmed by a spokesperson, and patched within 48 hours, but the full scope of prior access remains unknown.