โŒ

Normal view

JSON Deserialiser Unconstrained Resource Consumption Quick Overview

12 March 2026 at 22:02

Posted by Daniel Owens via Fulldisclosure on Mar 12

As previously mentioned, via "Struts2 and Related Framework Array/Collection DoS" (26 October 2025), hundreds of
JavaScript object notation (JSON) libraries are vulnerable to unconstrained resource consumption through large JSON
arrays, which, when deserialised, create arbitrarily large collections/arrays/data structures. This work looks
specifically at the Apache Struts2 JSON Plugin, using it as an example for why this...

Defense in depth -- the Microsoft way (part 96): yet another SAFER (SRPv1) and AppLocker (SRPv2) loophole

12 March 2026 at 22:00

Posted by Stefan Kanthak via Fulldisclosure on Mar 12

Hi @ll,

about 2 months ago I posted
<https://seclists.org/fulldisclosure/2025/Dec/29>
"Defense in depth -- the Microsoft way (part 94):
SAFER (SRPv1 and AppLocker alias SRPv2) bypass for dummies"

Here's the continuation...

About 23 years ago, 64-bit Windows introduced the WoW64 subsystem, which
performs a transparent redirection of file system and registry accesses
for 32-bit applications.
To allow consistent appearance...

Alipay DeepLink+JSBridge Attack Chain: Silent GPS Exfiltration, 17 Vulns, 6 CVEs (CVSS 9.3)

12 March 2026 at 21:59

Posted by Feng Ning via Fulldisclosure on Mar 12

Subject: Alipay DeepLink+JSBridge Attack Chain: Silent GPS Exfiltration, 17 Vulns, 6 CVEs (CVSS 9.3)

# Alipay DeepLink + JSBridge Attack Chain
# Silent GPS Exfiltration via Crafted URL

## Overview

Researcher: Jiqiang Feng / Innora AI Security Research
Vendor: Ant Group (蚂蚁集团) / Alibaba Group
Product: Alipay (支付宝) v10.x (Android & iOS)
Users Affected: 1 billion+
CVEs: 6 submitted to MITRE CNA-LR (2026-03-12)
CVSS: 7.4–9.3...

Cohesity TranZman Migration Appliance - 5 CVEs (command injection, LPE, unsigned patches, weak crypto)

12 March 2026 at 21:58

Posted by GregD via Fulldisclosure on Mar 12

Hi,

I'm disclosing five vulnerabilities discovered during an authorised
security assessment of the Cohesity TranZman Migration Appliance
(formerly Stone Ram TranZman), Release 4.0 Build 14614.

CVE-2025-67840 - Web API Command Injection (CVSS 7.2 High)
The /api/v1/scheduler/run and /api/v1/actions/run endpoints allow
authenticated administrators to execute arbitrary commands as root by
injecting into POST request parameters. Input is...

APPLE-SA-03-11-2026-2 iOS 15.8.7 and iPadOS 15.8.7

12 March 2026 at 21:57

Posted by Apple Product Security via Fulldisclosure on Mar 12

APPLE-SA-03-11-2026-2 iOS 15.8.7 and iPadOS 15.8.7

iOS 15.8.7 and iPadOS 15.8.7 address the following issues.
Information about the security content is also available at
https://support.apple.com/126632.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Kernel
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st generation), iPad...

APPLE-SA-03-11-2026-1 iOS 16.7.15 and iPadOS 16.7.15

12 March 2026 at 21:57

Posted by Apple Product Security via Fulldisclosure on Mar 12

APPLE-SA-03-11-2026-1 iOS 16.7.15 and iPadOS 16.7.15

iOS 16.7.15 and iPadOS 16.7.15 address the following issues.
Information about the security content is also available at
https://support.apple.com/126646.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

WebKit
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,
iPad Pro 9.7-inch,...

SEC Consult SA-20260224-0 :: Multiple vulnerabilities in CPSD CryptoPro Secure Disk for BitLocker (CVE-2025-10010)

12 March 2026 at 21:57

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Mar 12

SEC Consult Vulnerability Lab Security Advisory < 20260224-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: CPSD CryptoPro Secure Disk for BitLocker
 vulnerable version: 7.6.4.16432 (76212)
      fixed version: 7.6.6 / 7.7.1
         CVE number: CVE-2025-10010
             impact: high
           homepage:...
โŒ