FreshRSS

Yesterday (May 7th 2025): Vulnerabilities

BeyondTrust PRA connection takeover - CVE-2025-0217

Posted by Paul Szabo via Fulldisclosure on May 06

=== Details ========================================================

Vendor: BeyondTrust
Product: Privileged Remote Access (PRA)
Subject: PRA connection takeover
CVE ID: CVE-2025-0217
CVSS: 7.8 (high) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Author: Paul Szabo <psz () maths usyd edu au>
Date: 2025-05-05

=== Introduction ===================================================

I noticed an issue in
BeyondTrust Privileged...
Before yesterday: Vulnerabilities

[webapps] Casdoor 1.901.0 - Cross-Site Request Forgery (CSRF)

[webapps] Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)

[webapps] ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)

[local] Microsoft Windows - XRM-MS File NTLM Information Disclosure Spoofing

[local] ZTE ZXV10 H201L - RCE via authentication bypass

[local] Daikin Security Gateway 14 - Remote Password Reset

[local] Microsoft - NTLM Hash Disclosure Spoofing (library-ms)

Microsoft Windows .XRM-MS File / NTLM Information Disclosure Spoofing

Posted by hyp3rlinx on May 01

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/Microsoft_Windows_xrm-ms_File_NTLM-Hash_Disclosure.txt
[+] x.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
.xrm-ms File Type

[Vulnerability Type]
NTLM Hash Disclosure (Spoofing)

[Video URL PoC]
https://www.youtube.com/watch?v=d5U_krLQbNY

[CVE Reference]
N/A

[Security Issue]
The...

[local] unzip-stream 0.3.1 - Arbitrary File Write

[IWCC 2025] CfP: 14th International Workshop on Cyber Crime - Ghent, Belgium, Aug 11-14, 2025

Posted by Artur Janicki via Fulldisclosure on Apr 26

[APOLOGIES FOR CROSS-POSTING]

CALL FOR PAPERS
14th International Workshop on Cyber Crime (IWCC 2025 -
https://2025.ares-conference.eu/program/iwcc/)
to be held in conjunction with the 20th International Conference on
Availability, Reliability and Security (ARES 2025 -
http://2025.ares-conference.eu)

August 11-14, 2025, Ghent, Belgium

IMPORTANT DATES
Submission Deadline May 12, 2025
Author Notification May 30, 2025
Proceedings Version...

Inedo ProGet Insecure Reflection and CSRF Vulnerabilities

Posted by Daniel Owens via Fulldisclosure on Apr 26

Inedo ProGet 2024.22 and below are vulnerable to unauthenticated denial of service and information disclosure attacks
(among other things) because the information system directly exposes the C# reflection used during the request-action
mapping process and fails to properly protect certain pathways. These are amplified by cross-site request forgery
vulnerabilities (CSRF) due to the application's failure to verify the HTTP request method...

Ruby on Rails Cross-Site Request Forgery

Posted by Daniel Owens via Fulldisclosure on Apr 26

Good morning. All current versions and all versions since the 2022/2023 "fix" to the Rails cross-site request forgery
(CSRF) protections continue to be vulnerable to the same attacks as the 2022 implementation. Currently, Rails
generates "authenticity tokens" and "csrf tokens" using a random "one time pad" (OTP). This random value is then XORed
with the "raw token" (which can take one of two...

Microsoft ".library-ms" File / NTLM Information Disclosure (Resurrected 2025)

Posted by hyp3rlinx on Apr 26

[-] Microsoft ".library-ms" File / NTLM Information Disclosure
Spoofing (Resurrected 2025) / CVE-2025-24054

[+] John Page (aka hyp3rlinx)
[+] x.com/hyp3rlinx
[+] ISR: ApparitionSec

Back in 2018, I reported a ".library-ms" File NTLM information
disclosure vulnerability to MSRC and was told "it was not severe
enough", that being said I post it anyways. Seven years passed, until
other researchers re-reported it....

HNS-2025-10 - HN Security Advisory - Local privilege escalation in Zyxel uOS

Posted by Marco Ivaldi on Apr 23

Hi,

Please find attached a security advisory that describes some
vulnerabilities we discovered in the Zyxel uOS Linux-based operating
system.

* Title: Local privilege escalation via Zyxel fermion-wrapper
* Product: USG FLEX H Series
* OS: Zyxel uOS V1.31 (and potentially earlier versions)
* Author: Marco Ivaldi <marco.ivaldi () hnsecurity it>
* Date: 2025-04-23
* CVE ID: CVE-2025-1731 (see discussion in "5 - Remediation" below)...

APPLE-SA-04-16-2025-4 visionOS 2.4.1

Posted by Apple Product Security via Fulldisclosure on Apr 23

APPLE-SA-04-16-2025-4 visionOS 2.4.1

visionOS 2.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122402.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

CoreAudio
Available for: Apple Vision Pro
Impact: Processing an audio stream in a maliciously crafted media file
may result in...

APPLE-SA-04-16-2025-3 tvOS 18.4.1

Posted by Apple Product Security via Fulldisclosure on Apr 23

APPLE-SA-04-16-2025-3 tvOS 18.4.1

tvOS 18.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122401.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

CoreAudio
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing an audio stream in a maliciously crafted media file...

APPLE-SA-04-16-2025-2 macOS Sequoia 15.4.1

Posted by Apple Product Security via Fulldisclosure on Apr 23

APPLE-SA-04-16-2025-2 macOS Sequoia 15.4.1

macOS Sequoia 15.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122400.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

CoreAudio
Available for: macOS Sequoia
Impact: Processing an audio stream in a maliciously crafted media file
may...

APPLE-SA-04-16-2025-1 iOS 18.4.1 and iPadOS 18.4.1

Posted by Apple Product Security via Fulldisclosure on Apr 23

APPLE-SA-04-16-2025-1 iOS 18.4.1 and iPadOS 18.4.1

iOS 18.4.1 and iPadOS 18.4.1 address the following issues.
Information about the security content is also available at
https://support.apple.com/122282.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

CoreAudio
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch
3rd generation and...

Business Logic Flaw: Price Manipulation - AlegroCartv1.2.9

Posted by Andrey Stoykov on Apr 23

# Exploit Title: Business Logic Flaw: Price Manipulation - alegrocartv1.2.9
# Date: 04/2025
# Exploit Author: Andrey Stoykov
# Version: 1.2.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Business Logic Flaw: Price Manipulation #1:

Steps to Reproduce:

1. Visit the store and add a product
2. Intercept the HTTP GET request and add negative value to the "quantity"
parameter

// HTTP GET request

GET...

Stored XSS in "Message" Functionality - AlegroCartv1.2.9

Posted by Andrey Stoykov on Apr 23

# Exploit Title: Stored XSS in "Message" Functionality - alegrocartv1.2.9
# Date: 04/2025
# Exploit Author: Andrey Stoykov
# Version: 1.2.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS #1:

Steps to Reproduce:

1. Login as demonstrator account and visit "Customers" > "Newsletter"
2. In "Message" use the following XSS payload

<iframe srcdoc="<img src=x...

XSS via SVG Image Upload - AlegroCartv1.2.9

Posted by Andrey Stoykov on Apr 23

# Exploit Title: XSS via SVG Image Upload - alegrocartv1.2.9
# Date: 04/2025
# Exploit Author: Andrey Stoykov
# Version: 1.2.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

XSS via SVG Image Upload:

Steps to Reproduce:

1. Visit http://192.168.58.129/alegrocart/administrator/?controller=download
2. Upload SVG image file with the contents below
3. Intercept the POST request and change the Content-Type to "Content-Type:...

BBOT 2.1.0 - Local Privilege Escalation via Malicious Module Execution

Posted by Housma mardini on Apr 23

Hi Full Disclosure,

I'd like to share a local privilege escalation technique involving BBOT
(Bighuge BLS OSINT Tool) when misconfigured with sudo access.

---

Exploit Title: BBOT 2.1.0 - Local Privilege Escalation via Malicious Module
Execution
Date: 2025-04-16
Exploit Author: Huseyin Mardinli
Vendor Homepage: https://github.com/blacklanternsecurity/bbot
Version: 2.1.0.4939rc (tested)
Tested on: Kali Linux Rolling (2025.1)
CVE: N/A...

[local] tar-fs 3.0.0 - Arbitrary File Write/Overwrite

[webapps] WordPress Core 6.2 - Directory Traversal

[local] Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege

[remote] OpenSSH server (sshd) 9.8p1 - Race Condition

[remote] WonderCMS 3.4.2 - Remote Code Execution (RCE)

[remote] code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS)

[remote] Firefox ESR 115.11 - PDF.js Arbitrary JavaScript execution

[local] Microsoft Windows 11 - Kernel Privilege Escalation

[webapps] FoxCMS 1.2.5 - Remote Code Execution (RCE)

[webapps] Drupal 11.x-dev - Full Path Disclosure

[webapps] UJCMS 9.6.3 - User Enumeration via IDOR

[webapps] KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection

[webapps] Tatsu 3.3.11 - Unauthenticated RCE

[webapps] Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation

[webapps] Apache Commons Text 1.10.0 - Remote Code Execution

[remote] Langflow 1.3.0 - Remote Code Execution (RCE)

[webapps] Inventio Lite 4 - SQL Injection

[webapps] Blood Bank & Donor Management System 2.4 - CSRF Improper Input Validation

[local] AnyDesk 9.0.1 - Unquoted Service Path

[webapps] compop.ca 3.5.3 - Arbitrary code Execution

[webapps] Usermin 2.100 - Username Enumeration

[hardware] ABB Cylon Aspect 3.08.02 (deployStart.php) - Unauthenticated Command Execution

[hardware] ABB Cylon Aspect 3.08.02 (ethernetUpdate.php) - Authenticated Path Traversal

[webapps] Angular-Base64-Upload Library 0.1.21 - Unauthenticated Remote Code Execution (RCE)

[webapps] IBMi Navigator 7.5 - HTTP Security Token Bypass

[remote] TP-Link VN020 F3v(T) TT_V6.2.1021 - Buffer Overflow Memory Corruption

[remote] TP-Link VN020 F3v(T) TT_V6.2.1021 - Denial Of Service (DOS)

[hardware] ABB Cylon Aspect 4.00.00 (factorySaved.php) - Unauthenticated XSS

[webapps] phpMyFAQ 3.2.10 - Unintended File Download Triggered by Embedded Frames

[hardware] ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php) - File Write DoS

[remote] WebMethods Integration Server 10.15.0.0000-0092 - Improper Access on Login Page

[webapps] ProConf 6.0 - Insecure Direct Object Reference (IDOR)

[webapps] Ethercreative Logs 3.0.3 - Path Traversal

[webapps] FLIR AX8 1.46.16 - Remote Command Injection

[webapps] Car Rental Project 1.0 - Remote Code Execution

[local] Ruckus IoT Controller 1.7.1.0 - Undocumented Backdoor Account

[local] ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE)
