Briefs

A time-based blind SQL Injection vulnerability exists in the ARMember WordPress plugin (<= 4.0.60) due to insufficient input sanitization of the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive database information.

CVE-2026-7579 describes a vulnerability in AstrBotDevs AstrBot up to version 4.16.0 where improper handling of the `auth.py` file in the dashboard component leads to hardcoded credentials being exposed, enabling remote exploitation.

authd 0.6.0 contains a bug that leads to an incorrect primary group ID being set to the user's UID, potentially leading to local privilege escalation and incorrect file ownership, fixed in authd >= 0.6.4.

AVideo is vulnerable to unauthenticated information disclosure via the `plugin/CloneSite/cloneClient.json.php` endpoint, which echoes the local CloneSite shared secret (`$objClone->myKey`) in HTTP responses without authentication, enabling cross-site database dumps of the configured clone server.

AVideo is vulnerable to Server-Side Request Forgery (SSRF) due to improper validation of user-supplied URLs that does not prevent HTTP redirects, and DNS rebinding due to discarded resolved IP addresses.

Avo framework version 3.x contains a critical Broken Access Control vulnerability in the ActionsController. Due to insecure action lookup logic, an authenticated user can execute any Action class on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. Version 3.31.2 remediates this issue.

Detects successful AWS `AssumeRoleWithWebIdentity` calls where the caller identity is a Kubernetes service account and the source autonomous system organization is not `Amazon.com, Inc.`, which may indicate a stolen or misused projected service-account token being exchanged for IAM credentials off-cluster.

Detection of attempts to delete AWS Bedrock model invocation logging configurations, potentially indicating an adversary trying to remove audit trails of model interactions after credential compromise, to hide malicious AI model usage.

Attackers modify AWS CloudTrail settings using UpdateTrail events to evade detection by disabling or limiting logging, as indicated by non-console user agents.

Detection of AWS CloudTrail StopLogging events indicates a potential defense evasion attempt by an attacker to operate stealthily within a compromised AWS environment and hinder incident response.

Detection of AWS CloudTrail `StopLogging` events indicating potential defense evasion by adversaries attempting to operate undetected within a compromised AWS environment by halting the logging of their malicious activities.

Attackers may attempt to evade detection by altering CloudTrail logging configurations, such as changing multi-regional logging to a single region, which impairs the logging of their activities and hinders incident response.

Detection of AWS CloudWatch log group deletions via CloudTrail logs, excluding console-based actions, indicating potential defense evasion by attackers attempting to hide their tracks.

An attacker may escalate privileges by associating a compromised EC2 instance with a more privileged IAM instance profile.

Detection of a sequence of AWS EC2 management API calls indicative of malicious modification of instance user data to execute arbitrary code upon instance restart, potentially leading to privilege escalation and persistence.

Successful creation of new or setting default versions of customer-managed IAM policies can indicate privilege escalation attempts by attackers modifying policy permissions.

Detection of AWS Network Access Control List (ACL) deletion via CloudTrail logs indicating potential unauthorized access or data exfiltration.

Detection of deletion of critical AWS Security Services configurations like CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules to evade detection, potentially leading to data breaches and unauthorized access.

Detection of adversaries attempting to impair or disable AWS security services by deleting resources across GuardDuty, AWS WAF, CloudWatch, Route 53, and CloudWatch Logs to evade detection and remove visibility.

Abuse of AWS STS AssumeRole can allow attackers to move laterally within an AWS environment and escalate privileges, potentially leading to unauthorized access to sensitive resources and data.

Detection of AWS STS GetFederationToken calls with AdministratorAccess in the request parameters, indicating potential privilege escalation or dangerous automation via broadly privileged temporary credentials.

An adversary may delete VPC Flow Logs in AWS EC2 by calling the DeleteFlowLogs API to evade detection and hinder forensic investigations.

Axios versions 0.19.0 through 1.13.6 are vulnerable to prototype pollution, allowing attackers to intercept and modify JSON responses, hijack HTTP requests, and exfiltrate sensitive data by polluting the Object.prototype with keys like `parseReviver` and `transport`.

AzuraCast is vulnerable to password reset poisoning due to unconditionally trusting the X-Forwarded-Host header, allowing an attacker to inject a malicious host into the password reset URL, exfiltrate the reset token, reset the victim's password, and disable 2FA, leading to account takeover.

AzuraCast is vulnerable to path traversal in the Flow.js media upload endpoint, allowing authenticated users with media permissions to write arbitrary files, leading to remote code execution via PHP webshell upload.

An adversary may disable multi-factor authentication (MFA) in Azure Active Directory to weaken an organization's security posture and bypass authentication mechanisms, potentially gaining unauthorized access to sensitive resources and maintaining persistence.

The analytic detects when the risk-based step-up consent security setting in Azure AD is disabled by monitoring Azure Active Directory logs for the 'Update authorization policy' operation and changes to the 'AllowUserConsentForRiskyApps' setting, potentially exposing organizations to OAuth phishing attacks.

An adversary adds a user to an Azure Active Directory administrative role to gain initial access, persist in the environment, escalate privileges, and potentially operate stealthily.

An adversary may remove an owner from an Azure application or service principal to weaken access controls, persist in the environment, or escalate privileges.

An attacker elevates their Azure subscription permissions to manage all subscriptions, potentially leading to unauthorized access and control over the environment.