
Headquartered in New York, MongoDB's mission is to empower innovators to create, transform, and disrupt industries by unleashing the power of software and data. Built by developers, for developers, our modern database platform is a database with an integrated set of related services that allow development teams to address the growing requirements for today's wide variety of modern applications, all in a unified and consistent user experience. MongoDB has tens of thousands of customers in over 100 countries. The MongoDB database platform has been downloaded hundreds of millions of times since 2007, and there have been millions of builders trained through MongoDB University courses. To learn more, visit mongodb.com.

MongoDB A.I CyberSecurity Scoring

MongoDB

Company Details

LinkedIn ID:

mongodbinc

Number of employees:

7,631

Number of followers:

888,000

NAICS:

5112

Industry Type:

Software Development

Homepage:

mongodb.com

IP Addresses:

0

Company ID:

MON_1237362

Scan Status:

In-progress

MongoDB Risk Score (AI oriented)

Between 750 and 799

  • Powered by our proprietary A.I cyber incident model
  • Insurers prefer the TPRM score to calculate premiums
MongoDB Global Score (TPRM)

XXXX

  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

MongoDB Company CyberSecurity News & History

Past Incidents
2
Attack Types
2
MongoDB
Breach
Severity: 100
Impact: 4
Seen: 12/2023
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: The database software provider MongoDB has revealed that its corporate systems were the target of a criminal hack and has issued a warning that contact details and metadata related to client accounts were among the stolen material. Later, the business acknowledged that the hackers had been within its networks for a while before being discovered. Lena Smart, the chief information security officer of MongoDB, informed clients that there was no known risk to the data stored by users of the company's popular MongoDB Atlas product. The business withheld any further details regarding the compromise.

MongoDB: MongoDB warns admins to patch severe vulnerability immediately
Vulnerability
Severity: 85
Impact: 4
Seen: 12/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: MongoDB Urges Immediate Patching for High-Severity Memory-Read Vulnerability (CVE-2025-14847)

MongoDB has issued an urgent warning to administrators to patch a high-severity memory-read vulnerability (CVE-2025-14847) that could allow unauthenticated attackers to remotely exploit affected systems. The flaw, present in multiple MongoDB Server versions, enables low-complexity attacks without requiring user interaction.

The vulnerability stems from improper handling of length parameter inconsistencies in the server’s zlib implementation, potentially exposing uninitialized heap memory. While initially suspected of enabling remote code execution (RCE), MongoDB has clarified that the flaw has not been officially classified as such. However, under certain conditions, it could still pose a risk of arbitrary code execution or device compromise.

MongoDB recommends immediate upgrades to a fixed version (8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30) to mitigate the threat. For those unable to patch immediately, disabling zlib compression via server configuration is advised.

Affected Versions:
  • MongoDB 8.2.0–8.2.3, 8.0.0–8.0.16, 7.0.0–7.0.26, 6.0.0–6.0.26, 5.0.0–5.0.31, 4.4.0–4.4.29
  • All versions of MongoDB Server 4.2, 4.0, and 3.6

MongoDB, a widely used non-relational database management system, serves over 62,500 customers globally, including numerous Fortune 500 companies. The advisory follows a 2021 CISA directive that flagged a separate MongoDB-related RCE flaw (CVE-2019-10758) as actively exploited, underscoring the platform’s ongoing security challenges.

Underwriter Stats for MongoDB

Incidents vs Software Development Industry Average (This Year)

MongoDB has 63.93% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

MongoDB has 26.58% more incidents than the average of all companies with at least one recorded incident.

Incident Types MongoDB vs Software Development Industry Avg (This Year)

MongoDB reported 1 incident this year: 0 cyber attacks, 0 ransomware, 1 vulnerability, 0 data breaches, compared to industry peers with at least 1 incident.

Incident History — MongoDB (X = Date, Y = Severity)

MongoDB cyber incidents detection timeline including parent company and subsidiaries

MongoDB Similar Companies

ByteDance is a global incubator of platforms at the cutting edge of commerce, content, entertainment and enterprise services - over 2.5bn people interact with ByteDance products including TikTok. Creation is the core of ByteDance's purpose. Our products are built to help imaginations thrive. This i

Bosch

The Bosch Group is a leading global supplier of technology and services. It employs roughly 417,900 associates worldwide (as of December 31, 2024). According to preliminary figures, the company generated sales of 90.5 billion euros in 2024. Its operations are divided into four business sectors: Mobi

Bosch Global Software Technologies

With our unique ability to offer end-to-end solutions that connect the three pillars of IoT - Sensors, Software, and Services, we enable businesses to move from the traditional to the digital, or improve businesses by introducing a digital element in their products and processes. Now more than ever

VMware by Broadcom delivers software that unifies and streamlines hybrid cloud environments for the world’s most complex organizations. By combining public-cloud scale and agility with private-cloud security and performance, we empower our customers to modernize, optimize and protect their apps an

Intuit

Intuit is a global technology platform that helps our customers and communities overcome their most important financial challenges. Serving millions of customers worldwide with TurboTax, QuickBooks, Credit Karma and Mailchimp, we believe that everyone should have the opportunity to prosper and we wo

Microsoft

Every company has a mission. What's ours? To empower every person and every organization to achieve more. We believe technology can and should be a force for good and that meaningful innovation contributes to a brighter world in the future and today. Our culture doesn’t just encourage curiosity; it

Instacart

Instacart, the leading grocery technology company in North America, works with grocers and retailers to transform how people shop. The company partners with more than 1,500 national, regional, and local retail banners to facilitate online shopping, delivery and pickup services from more than 85,000

Dassault Systèmes

Dassault Systèmes is a catalyst for human progress. Since 1981, the company has pioneered virtual worlds to improve real life for consumers, patients and citizens. With Dassault Systèmes’ 3DEXPERIENCE platform, 370,000 customers of all sizes, in all industries, can collaborate, imagine and create

Tencent

Tencent is a world-leading internet and technology company that develops innovative products and services to improve the quality of life of people around the world. Founded in 1998 with its headquarters in Shenzhen, China, Tencent's guiding principle is to use technology for good. Our communication

MongoDB CyberSecurity News

December 15, 2025 01:37 PM
16TB of MongoDB Database Exposes 4.3 Billion Lead Gen Records

In a major event that should make every professional pause and worry about their online privacy, cybersecurity researcher Bob Diachenko,...

December 15, 2025 11:30 AM
The Department of Know: MITRE’s weaknesses list, MongoDB LinkedIn breach, Coupang fallout

16TB MongoDB database exposes 4.3 billion records, MITRE shares 2025's top 25 most dangerous software weaknesses, Coupang fallout.

December 15, 2025 11:00 AM
Cybersecurity News: MongoDB records exposed, Apple WebKit patches, Coupang culprit identified

16TB MongoDB database exposes 4.3 billion records, Apple updates after discovery of WebKit flaws, Coupang data breach traced to ex-employee.

December 15, 2025 08:55 AM
Massive Unsecured Database Exposed 4.3 Billion Professional Records

Cybersecurity researchers have uncovered one of the largest data exposures in recent history: an unsecured 16TB MongoDB database containing...

December 15, 2025 08:34 AM
MongoDB records exposed, Apple WebKit patches, Coupang culprit identified

16TB MongoDB database exposes nearly 4.3 billion professional records. Apple posts updates after discovery of WebKit flaws.

November 30, 2025 03:10 PM
10 Best Stocks to Buy Now for the Week of December 1–5, 2025: AI, Cybersecurity and Retail in Focus

As the first trading week of December 2025 gets underway, U.S. stocks are hovering near record highs, powered by hopes that the Federal...

November 10, 2025 08:00 AM
MAD-CAT “Meow” Tool Enables Real-World Data Corruption Attacks

Available on GitHub, the tool targets six critical database platforms: MongoDB, Elasticsearch, Cassandra, Redis, CouchDB, and Hadoop HDFS.

October 08, 2025 07:00 AM
Hackers Actively Compromising Databases Using Legitimate Commands

A sophisticated new breed of ransomware attacks is leveraging legitimate database commands to compromise organizations worldwide,...

September 26, 2025 07:00 AM
MongoDB appoints industry veteran Aamir Sait to lead India business in the AI era

Learn how industry veteran Aamir Sait joins MongoDB to accelerate AI innovation in India. Explore the impact on leading organisations like...

Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

MongoDB CyberSecurity History Information

Official Website of MongoDB

The official website of MongoDB is http://www.mongodb.com.

MongoDB’s AI-Generated Cybersecurity Score

According to Rankiteo, MongoDB’s AI-generated cybersecurity score is 752, reflecting their Fair security posture.

How many security badges does MongoDB have ?

According to Rankiteo, MongoDB currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does MongoDB have SOC 2 Type 1 certification ?

According to Rankiteo, MongoDB is not certified under SOC 2 Type 1.

Does MongoDB have SOC 2 Type 2 certification ?

According to Rankiteo, MongoDB does not hold a SOC 2 Type 2 certification.

Does MongoDB comply with GDPR ?

According to Rankiteo, MongoDB is not listed as GDPR compliant.

Does MongoDB have PCI DSS certification ?

According to Rankiteo, MongoDB does not currently maintain PCI DSS compliance.

Does MongoDB comply with HIPAA ?

According to Rankiteo, MongoDB is not compliant with HIPAA regulations.

Does MongoDB have ISO 27001 certification ?

According to Rankiteo, MongoDB is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of MongoDB

MongoDB operates primarily in the Software Development industry.

Number of Employees at MongoDB

MongoDB employs approximately 7,631 people worldwide.

Subsidiaries Owned by MongoDB

MongoDB presently has no subsidiaries across any sectors.

MongoDB’s LinkedIn Followers

MongoDB’s official LinkedIn profile has approximately 888,000 followers.

NAICS Classification of MongoDB

MongoDB is classified under the NAICS code 5112, which corresponds to Software Publishers.

MongoDB’s Presence on Crunchbase

No, MongoDB does not have a profile on Crunchbase.

MongoDB’s Presence on LinkedIn

Yes, MongoDB maintains an official LinkedIn profile, actively used for branding and talent engagement, at https://www.linkedin.com/company/mongodbinc.

Cybersecurity Incidents Involving MongoDB

As of December 26, 2025, Rankiteo reports that MongoDB has experienced 2 cybersecurity incidents.

Number of Peer and Competitor Companies

MongoDB has an estimated 27,891 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at MongoDB ?

Incident Types: The types of cybersecurity incidents that have occurred include Breach and Vulnerability.

How does MongoDB detect and respond to cybersecurity incidents ?

Detection and Response: The company detects and responds to cybersecurity incidents through containment measures (upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30; alternatively, disable zlib compression), remediation measures (patching vulnerable versions, disabling zlib compression), and a communication strategy (public advisory issued on MongoDB's security page).

Incident Details

Can you provide details on each incident ?

Incident : Data Breach

Title: MongoDB Corporate Systems Hack

Description: MongoDB's corporate systems were targeted by a criminal hack, resulting in the theft of contact details and metadata related to client accounts. The hackers were within the networks for a while before being discovered.

Type: Data Breach

Incident : Memory-Read Vulnerability

Title: MongoDB High-Severity Memory-Read Vulnerability (CVE-2025-14847)

Description: MongoDB has warned IT admins to immediately patch a high-severity memory-read vulnerability (CVE-2025-14847) that may be exploited by unauthenticated attackers remotely. The flaw affects multiple MongoDB and MongoDB Server versions and can be abused in low-complexity attacks without user interaction. An exploit of the Server's zlib implementation can return uninitialized heap memory without authentication. MongoDB strongly recommends upgrading to a fixed version or disabling zlib compression if immediate upgrade is not possible.

Date Publicly Disclosed: 2025-12-26

Type: Memory-Read Vulnerability

Attack Vector: Remote

Vulnerability Exploited: CVE-2025-14847 (Improper handling of length parameter inconsistency, CWE-130)

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Breach.

Impact of the Incidents

What was the impact of each incident ?

Incident : Data Breach MON22229124

Data Compromised: Contact details, Metadata related to client accounts

Systems Affected: corporate systems

Incident : Memory-Read Vulnerability MON1766765150

Data Compromised: Uninitialized heap memory

Systems Affected: MongoDB Server versions 8.2.0-8.2.3, 8.0.0-8.0.16, 7.0.0-7.0.26, 6.0.0-6.0.26, 5.0.0-5.0.31, 4.4.0-4.4.29, and all v4.2, v4.0, v3.6 versions

Operational Impact: Potential arbitrary code execution and control of targeted devices

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are contact details, metadata related to client accounts, and uninitialized heap memory.

Which entities were affected by each incident ?

Incident : Data Breach MON22229124

Entity Name: MongoDB

Entity Type: Database Software Provider

Industry: Technology

Incident : Memory-Read Vulnerability MON1766765150

Entity Name: MongoDB

Entity Type: Database Management System Provider

Industry: Technology

Location: Global

Size: 62,500+ customers worldwide, including dozens of Fortune 500 companies

Customers Affected: 62,500+ customers

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Memory-Read Vulnerability MON1766765150

Containment Measures: Upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30; alternatively, disable zlib compression

Remediation Measures: Patching vulnerable versions, disabling zlib compression

Communication Strategy: Public advisory issued on MongoDB's security page

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach MON22229124

Type of Data Compromised: Contact details, Metadata related to client accounts

Incident : Memory-Read Vulnerability MON1766765150

Type of Data Compromised: Uninitialized heap memory

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Patching vulnerable versions, disabling zlib compression.

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) by upgrading to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30 or, alternatively, by disabling zlib compression.

Lessons Learned and Recommendations

What recommendations were made to prevent future incidents ?

Incident : Memory-Read Vulnerability MON1766765150

Recommendations: Immediately upgrade to patched versions or disable zlib compression. Monitor for unauthorized access or exploitation attempts.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Immediately upgrade to patched versions or disable zlib compression. Monitor for unauthorized access or exploitation attempts.

References

Where can I find more information about each incident ?

Incident : Memory-Read Vulnerability MON1766765150

Source: MongoDB Security Advisory

Date Accessed: 2025-12-26

Incident : Memory-Read Vulnerability MON1766765150

Source: CISA Known Exploited Vulnerabilities Catalog (CVE-2019-10758)

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the MongoDB Security Advisory (date accessed: 2025-12-26) and the CISA Known Exploited Vulnerabilities Catalog (CVE-2019-10758).

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Memory-Read Vulnerability MON1766765150

Investigation Status: Ongoing

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public advisory issued on MongoDB's security page.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Memory-Read Vulnerability MON1766765150

Stakeholder Advisories: IT admins and MongoDB users advised to patch immediately.

Customer Advisories: MongoDB customers urged to upgrade or disable zlib compression to mitigate risk.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: IT admins and MongoDB users advised to patch immediately; MongoDB customers urged to upgrade or disable zlib compression to mitigate risk.

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Memory-Read Vulnerability MON1766765150

Root Causes: Improper handling of length parameter inconsistency in zlib implementation (CWE-130)

Corrective Actions: Patching vulnerable versions, disabling zlib compression, and improving input validation in future releases.

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Patching vulnerable versions, disabling zlib compression, and improving input validation in future releases.

Additional Questions

Incident Details

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-12-26.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were contact details, metadata related to client accounts, and uninitialized heap memory.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant system affected in an incident was corporate systems.

Response to the Incidents

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were: upgrade to MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30; alternatively, disable zlib compression.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were contact details, metadata related to client accounts, and uninitialized heap memory.

Lessons Learned and Recommendations

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was: Immediately upgrade to patched versions or disable zlib compression. Monitor for unauthorized access or exploitation attempts.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are CISA Known Exploited Vulnerabilities Catalog (CVE-2019-10758) and MongoDB Security Advisory.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was: IT admins and MongoDB users advised to patch immediately.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisory issued was: MongoDB customers urged to upgrade or disable zlib compression to mitigate risk.

Latest Global CVEs (Not Company-Specific)

Description

A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This vulnerability affects the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used.

Risk Information
cvss2
Base: 9.0
Severity: LOW
AV:N/AC:L/Au:S/C:C/I:C/A:C
cvss3
Base: 8.8
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss4
Base: 7.4
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

A vulnerability has been found in UTT 进取 512W up to 1.7.7-171114. This affects the function strcpy of the file /goform/APSecurity. The manipulation of the argument wepkey1 leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.

Risk Information
cvss2
Base: 9.0
Severity: LOW
AV:N/AC:L/Au:S/C:C/I:C/A:C
cvss3
Base: 8.8
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss4
Base: 7.4
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

A vulnerability was detected in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is the function postilService.loadPostils of the file /je/postil/postil/loadPostil. Performing manipulation of the argument keyWord results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Risk Information
cvss2
Base: 6.5
Severity: LOW
AV:N/AC:L/Au:S/C:P/I:P/A:P
cvss3
Base: 6.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cvss4
Base: 5.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

A security vulnerability has been detected in youlaitech youlai-mall 1.0.0/2.0.0. Affected is the function submitOrderPayment of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java. Such manipulation of the argument orderSn leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about this disclosure but did not respond in any way.

Risk Information
cvss2
Base: 4.0
Severity: LOW
AV:N/AC:L/Au:S/C:N/I:P/A:N
cvss3
Base: 4.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
cvss4
Base: 5.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

A weakness has been identified in youlaitech youlai-mall 1.0.0/2.0.0. This impacts the function getMemberByMobile of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java. This manipulation causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Risk Information
cvss2
Base: 4.0
Severity: LOW
AV:N/AC:L/Au:S/C:P/I:N/A:N
cvss3
Base: 4.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cvss4
Base: 5.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=mongodbinc' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

  • Incident
  • Finding
  • Grade
  • Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
