Vulnerabilities

Ontinue security researchers have discovered a “cross-tenant blind spot” in Microsoft Teams that allows attackers to bypass Microsoft Defender for Office 365 protections using the guest access feature. The problem is that when a user operates as a guest in an external tenant, their security protections are determined entirely by the hosting environment, and not by the security policies of their home organization. This fundamental architectural gap opens the door to attack scenarios where users become unprotected guests in a malicious environment controlled by the attacker. ...

Cybersecurity researchers have discovered vulnerable code in outdated Python packages that could pave the way for a supply chain compromise attack on the Python Package Index (PyPI) via a domain takeover technique. Software supply chain security company ReversingLabs identified the vulnerability in bootstrap files provided by a build and deployment automation tool called zc.buildout. The Risk of Takeover by Legacy Packages The problem lies in an old bootstrap script (bootstrap.py) that was used with zc.buildout to initialize the environment. This script had the ability to install the “Distribute” packaging utility, a short-lived fork of the Setuptools project. To do this, the Distribute installation script (distribute_setup.py) is downloaded from the python-distribute[.]org domain. ...

Mattermost Critical Vulnerability Summary A default configuration in Mattermost, an open source collaboration platform used by enterprises and government agencies, exposes deployments to critical Account Takeover risk. The vulnerability, identified as CVE-2025-12421, allows an attacker, via a single request, to hijack any user account on the system. Technical Details of CVE-2025-12421 The flaw lies in Mattermost’s authentication flow, specifically its handling of switching between different authentication methods (such as email/password to OAuth). The problem is in the /users/login/sso/code-exchange endpoint. ...

New research has revealed that organizations in sensitive industries, such as governments, telecommunications, and critical infrastructure, are exposing passwords and credentials by pasting them into online code formatting and validation tools such as JSONformatter and CodeBeautify. Cybersecurity company watchTowr Labs captured a data set of more than 80,000 files from these sites, uncovering thousands of usernames, passwords, repository authentication keys, Active Directory credentials, database credentials, cloud environment keys, LDAP configuration information, and API keys. ...