BeyondTrust PRA connection takeover - CVE-2025-0217

Posted by Paul Szabo via Fulldisclosure on May 06

=== Details ========================================================

Vendor: BeyondTrust
Product: Privileged Remote Access (PRA)
Subject: PRA connection takeover
CVE ID: CVE-2025-0217
CVSS: 7.8 (high) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Author: Paul Szabo <psz () maths usyd edu au>
Date: 2025-05-05

=== Introduction ===================================================

I noticed an issue in
BeyondTrust Privileged...

Microsoft Windows .XRM-MS File / NTLM Information Disclosure Spoofing

Posted by hyp3rlinx on May 01

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/Microsoft_Windows_xrm-ms_File_NTLM-Hash_Disclosure.txt
[+] x.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
.xrm-ms File Type

[Vulnerability Type]
NTLM Hash Disclosure (Spoofing)

[Video URL PoC]
https://www.youtube.com/watch?v=d5U_krLQbNY

[CVE Reference]
N/A

[Security Issue]
The...

[IWCC 2025] CfP: 14th International Workshop on Cyber Crime - Ghent, Belgium, Aug 11-14, 2025

Posted by Artur Janicki via Fulldisclosure on Apr 26

[APOLOGIES FOR CROSS-POSTING]

CALL FOR PAPERS
14th International Workshop on Cyber Crime (IWCC 2025 -
https://2025.ares-conference.eu/program/iwcc/)
to be held in conjunction with the 20th International Conference on
Availability, Reliability and Security (ARES 2025 -
http://2025.ares-conference.eu)

August 11-14, 2025, Ghent, Belgium

IMPORTANT DATES
Submission Deadline May 12, 2025
Author Notification May 30, 2025
Proceedings Version...

Inedo ProGet Insecure Reflection and CSRF Vulnerabilities

Posted by Daniel Owens via Fulldisclosure on Apr 26

Inedo ProGet 2024.22 and below are vulnerable to unauthenticated denial of service and information disclosure attacks
(among other things) because the information system directly exposes the C# reflection used during the request-action
mapping process and fails to properly protect certain pathways. These are amplified by cross-site request forgery
vulnerabilities (CSRF) due to the application's failure to verify the HTTP request method...

Ruby on Rails Cross-Site Request Forgery

Posted by Daniel Owens via Fulldisclosure on Apr 26

Good morning. All current versions and all versions since the 2022/2023 "fix" to the Rails cross-site request forgery
(CSRF) protections continue to be vulnerable to the same attacks as the 2022 implementation. Currently, Rails
generates "authenticity tokens" and "csrf tokens" using a random "one time pad" (OTP). This random value is then XORed
with the "raw token" (which can take one of two...

Microsoft ".library-ms" File / NTLM Information Disclosure (Resurrected 2025)

Posted by hyp3rlinx on Apr 26

[-] Microsoft ".library-ms" File / NTLM Information Disclosure
Spoofing (Resurrected 2025) / CVE-2025-24054

[+] John Page (aka hyp3rlinx)
[+] x.com/hyp3rlinx
[+] ISR: ApparitionSec

Back in 2018, I reported a ".library-ms" File NTLM information
disclosure vulnerability to MSRC and was told "it was not severe
enough", that being said I post it anyways. Seven years passed, until
other researchers re-reported it....

HNS-2025-10 - HN Security Advisory - Local privilege escalation in Zyxel uOS

Posted by Marco Ivaldi on Apr 23

Hi,

Please find attached a security advisory that describes some
vulnerabilities we discovered in the Zyxel uOS Linux-based operating
system.

* Title: Local privilege escalation via Zyxel fermion-wrapper
* Product: USG FLEX H Series
* OS: Zyxel uOS V1.31 (and potentially earlier versions)
* Author: Marco Ivaldi <marco.ivaldi () hnsecurity it>
* Date: 2025-04-23
* CVE ID: CVE-2025-1731 (see discussion in "5 - Remediation" below)...

APPLE-SA-04-16-2025-4 visionOS 2.4.1

Posted by Apple Product Security via Fulldisclosure on Apr 23

APPLE-SA-04-16-2025-4 visionOS 2.4.1

visionOS 2.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122402.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

CoreAudio
Available for: Apple Vision Pro
Impact: Processing an audio stream in a maliciously crafted media file
may result in...

APPLE-SA-04-16-2025-3 tvOS 18.4.1

Posted by Apple Product Security via Fulldisclosure on Apr 23

APPLE-SA-04-16-2025-3 tvOS 18.4.1

tvOS 18.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122401.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

CoreAudio
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing an audio stream in a maliciously crafted media file...

APPLE-SA-04-16-2025-2 macOS Sequoia 15.4.1

Posted by Apple Product Security via Fulldisclosure on Apr 23

APPLE-SA-04-16-2025-2 macOS Sequoia 15.4.1

macOS Sequoia 15.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122400.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

CoreAudio
Available for: macOS Sequoia
Impact: Processing an audio stream in a maliciously crafted media file
may...

APPLE-SA-04-16-2025-1 iOS 18.4.1 and iPadOS 18.4.1

Posted by Apple Product Security via Fulldisclosure on Apr 23

APPLE-SA-04-16-2025-1 iOS 18.4.1 and iPadOS 18.4.1

iOS 18.4.1 and iPadOS 18.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122282.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

CoreAudio
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch
3rd generation and...

Business Logic Flaw: Price Manipulation - AlegroCartv1.2.9

Posted by Andrey Stoykov on Apr 23

# Exploit Title: Business Logic Flaw: Price Manipulation - alegrocartv1.2.9
# Date: 04/2025
# Exploit Author: Andrey Stoykov
# Version: 1.2.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Business Logic Flaw: Price Manipulation #1:

Steps to Reproduce:

1. Visit the store and add a product
2. Intercept the HTTP GET request and add negative value to the "quantity"
parameter

// HTTP GET request

GET...

Stored XSS in "Message" Functionality - AlegroCartv1.2.9

Posted by Andrey Stoykov on Apr 23

# Exploit Title: Stored XSS in "Message" Functionality - alegrocartv1.2.9
# Date: 04/2025
# Exploit Author: Andrey Stoykov
# Version: 1.2.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS #1:

Steps to Reproduce:

1. Login as demonstrator account and visit "Customers" > "Newsletter"
2. In "Message" use the following XSS payload

<iframe srcdoc="<img src=x...

XSS via SVG Image Upload - AlegroCartv1.2.9

Posted by Andrey Stoykov on Apr 23

# Exploit Title: XSS via SVG Image Upload - alegrocartv1.2.9
# Date: 04/2025
# Exploit Author: Andrey Stoykov
# Version: 1.2.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

XSS via SVG Image Upload:

Steps to Reproduce:

1. Visit http://192.168.58.129/alegrocart/administrator/?controller=download
2. Upload SVG image file with the contents below
3. Intercept the POST request and change the Content-Type to "Content-Type:...

BBOT 2.1.0 - Local Privilege Escalation via Malicious Module Execution

Posted by Housma mardini on Apr 23

Hi Full Disclosure,

I'd like to share a local privilege escalation technique involving BBOT
(Bighuge BLS OSINT Tool) when misconfigured with sudo access.

---

Exploit Title: BBOT 2.1.0 - Local Privilege Escalation via Malicious Module
Execution
Date: 2025-04-16
Exploit Author: Huseyin Mardinli
Vendor Homepage: https://github.com/blacklanternsecurity/bbot
Version: 2.1.0.4939rc (tested)
Tested on: Kali Linux Rolling (2025.1)
CVE: N/A...

83 vulnerabilities in Vasion Print / PrinterLogic

Posted by Pierre Kim on Apr 13

No message preview for long message of 656780 bytes.

[CVE-2025-32102, CVE-2025-32103] SSRF and Directory Traversal in CrushFTP 10.7.1 and 11.1.0 (as well as legacy 9.x)

Posted by Rafael Pedrero on Apr 13

<!--
# Exploit Title: Server-Side Request Forgery (SSRF) in CrushFTP 10.7.1 and
11.1.0 (as well as legacy 9.x)
# Date: 2024-10-20
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.crushftp.com/
# Software Link: https://www.crushftp.com/download/
# Version: CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1
# Tested on: all
# CVE : CVE-2025-32102
# Vulnerability: CWE-918
# Category: webapps

1. Description

CrushFTP 9.x...

Re: APPLE-SA-03-11-2025-2 iOS 18.3.2 and iPadOS 18.3.2

Posted by Nick Boyce on Apr 13

[Complete Apple product novice here (my devices all run a non-Apple
OS), but I'm asking for a friend]

Could someone please clarify the following part of the advisory for me:

Does this mean the update will be available via the "Software Update"
feature on an iPhone - or not ?

The quoted paragraph of Apple's advisory is a bit
Schroedinger's-Cat-ish - the update is both available and not
available.

Thanks,

Nick

[...]...

[KIS-2025-01] UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability

Posted by Egidio Romano on Apr 13

------------------------------------------------------------------------------------
UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection
Vulnerability
------------------------------------------------------------------------------------

[-] Software Links:

https://unacms.com

https://github.com/unacms/una

[-] Affected Versions:

All versions from 9.0.0-RC1 to 14.0.0-RC4.

[-] Vulnerability Description:

The vulnerability...

OXAS-ADV-2025-0001: OX App Suite Security Advisory

Posted by Martin Heiland via Fulldisclosure on Apr 13

Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at
https://documentation.open-xchange.com/appsuite/security/advisories/html/2025/oxas-adv-2025-0001.html.

Yours sincerely,
Martin Heiland, Open-Xchange...

APPLE-SA-04-01-2025-1 watchOS 11.4

Posted by Apple Product Security via Fulldisclosure on Apr 02

APPLE-SA-04-01-2025-1 watchOS 11.4

watchOS 11.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122376.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

AirDrop
Available for: Apple Watch Series 6 and later
Impact: An app may be able to read arbitrary file metadata
Description: A...

APPLE-SA-03-31-2025-11 visionOS 2.4

Posted by Apple Product Security via Fulldisclosure on Apr 02

APPLE-SA-03-31-2025-11 visionOS 2.4

visionOS 2.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122378.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accounts
Available for: Apple Vision Pro
Impact: Sensitive keychain data may be accessible from an iOS backup
Description: This issue...

APPLE-SA-03-31-2025-10 tvOS 18.4

Posted by Apple Product Security via Fulldisclosure on Apr 02

APPLE-SA-03-31-2025-10 tvOS 18.4

tvOS 18.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122377.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

AirDrop
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to read arbitrary file metadata
Description: A...

APPLE-SA-03-31-2025-9 macOS Ventura 13.7.5

Posted by Apple Product Security via Fulldisclosure on Apr 02

APPLE-SA-03-31-2025-9 macOS Ventura 13.7.5

macOS Ventura 13.7.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122375.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

AccountPolicy
Available for: macOS Ventura
Impact: A malicious app may be able to gain root privileges
Description:...

APPLE-SA-03-31-2025-8 macOS Sonoma 14.7.5

Posted by Apple Product Security via Fulldisclosure on Apr 02

APPLE-SA-03-31-2025-8 macOS Sonoma 14.7.5

macOS Sonoma 14.7.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122374.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

AccountPolicy
Available for: macOS Sonoma
Impact: A malicious app may be able to gain root privileges
Description: This...

APPLE-SA-03-31-2025-7 macOS Sequoia 15.4

Posted by Apple Product Security via Fulldisclosure on Apr 02

APPLE-SA-03-31-2025-7 macOS Sequoia 15.4

macOS Sequoia 15.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122373.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accessibility
Available for: macOS Sequoia
Impact: An app may be able to access sensitive user data
Description: A logging...

APPLE-SA-03-31-2025-6 iOS 15.8.4 and iPadOS 15.8.4

Posted by Apple Product Security via Fulldisclosure on Apr 02

APPLE-SA-03-31-2025-6 iOS 15.8.4 and iPadOS 15.8.4

iOS 15.8.4 and iPadOS 15.8.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122345.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accessibility
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st...

APPLE-SA-03-31-2025-5 iOS 16.7.11 and iPadOS 16.7.11

Posted by Apple Product Security via Fulldisclosure on Apr 02

APPLE-SA-03-31-2025-5 iOS 16.7.11 and iPadOS 16.7.11

iOS 16.7.11 and iPadOS 16.7.11 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122346.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accessibility
Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation,
iPad Pro...

APPLE-SA-03-31-2025-4 iPadOS 17.7.6

Posted by Apple Product Security via Fulldisclosure on Apr 02

APPLE-SA-03-31-2025-4 iPadOS 17.7.6

iPadOS 17.7.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122372.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accounts
Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch,
and iPad 6th generation
Impact: Sensitive keychain...

APPLE-SA-03-31-2025-3 iOS 18.4 and iPadOS 18.4

Posted by Apple Product Security via Fulldisclosure on Apr 02

APPLE-SA-03-31-2025-3 iOS 18.4 and iPadOS 18.4

iOS 18.4 and iPadOS 18.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122371.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accessibility
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and...

APPLE-SA-03-31-2025-2 Xcode 16.3

Posted by Apple Product Security via Fulldisclosure on Apr 02

APPLE-SA-03-31-2025-2 Xcode 16.3

Xcode 16.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122380.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

IDE Assets
Available for: macOS Sequoia 15.2 and later
Impact: A malicious app may be able to access private information
Description: The...

APPLE-SA-03-31-2025-1 Safari 18.4

Posted by Apple Product Security via Fulldisclosure on Apr 02

APPLE-SA-03-31-2025-1 Safari 18.4

Safari 18.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122379.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Authentication Services
Available for: macOS Ventura and macOS Sonoma
Impact: A malicious website may be able to claim WebAuthn...

3 vulnerabilities in Palo Alto Deep Packet Inspection mechanism

Posted by Pierre Kim on Apr 02

## Advisory Information

Title: 3 vulnerabilities in Palo Alto Deep Packet Inspection mechanism
Advisory URL: https://pierrekim.github.io/advisories/2025-palo-alto-dpi.txt
Blog URL: https://pierrekim.github.io/blog/2025-03-31-paloalto-dpi-3-vulnerabilities.html
Date published: 2025-03-31
Vendors contacted: Palo Alto
Release mode: Released
CVE: None

## Product description

## Vulnerabilities Summary

Vulnerable versions: all versions of Palo Alto...

10 vulnerabilities in Brocade Fibre Channel switches

Posted by Pierre Kim on Apr 02

## Advisory Information

Title: 10 vulnerabilities in Brocade Fibre Channel switches
Advisory URL: https://pierrekim.github.io/advisories/2025-brocade-switches.txt
Blog URL: https://pierrekim.github.io/blog/2025-03-31-brocade-switches-10-vulnerabilities.html
Date published: 2025-03-31
Vendors contacted: Brocade
Release mode: Released
CVE: CVE-2021-27797, CVE-2022-33186, CVE-2023-3454, CVE-2024-5460,
CVE-2024-5461, CVE-2024-7516

## Product...

Three bypasses of Ubuntu's unprivileged user namespace restrictions

Posted by Qualys Security Advisory via Fulldisclosure on Mar 27

Qualys Security Advisory

Three bypasses of Ubuntu's unprivileged user namespace restrictions

========================================================================
Contents
========================================================================

Summary
Bypass via aa-exec
Bypass via busybox
Bypass via LD_PRELOAD
Acknowledgments
Timeline (advisory sent to the Ubuntu Security Team on January 15, 2025)...

SQL Injection in Admin Functionality - dolphin.prov7.4.2

Posted by Andrey Stoykov on Mar 24

# Exploit Title: SQL Injection in Admin Functionality - dolphin.prov7.4.2
# Date: 03/2025
# Exploit Author: Andrey Stoykov
# Version: 7.4.2
# Date: 03/2025
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2025/03/friday-fun-pentest-series-21-sql.html

SQL Injection in Admin Functionality:

Steps to Reproduce:

1. Login as admin user and visit the page of "
http://192.168.58.170/dolphinCMS/administration/index.php?cat=&quot;
2....

Stored XSS via Send Message Functionality - dolphin.prov7.4.2

Posted by Andrey Stoykov on Mar 24

# Exploit Title: Stored XSS via Send Message Functionality -
dolphin.prov7.4.2
# Date: 03/2025
# Exploit Author: Andrey Stoykov
# Version: 7.4.2
# Date: 03/2025
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2025/03/friday-fun-pentest-series-20-stored-xss.html

Stored XSS via Send Message Functionality:

Steps to Reproduce:

1. Login and visit "http://192.168.58.170/dolphinCMS/mail.php?mode=compose&quot;
2. Add...

APPLE-SA-03-11-2025-4 visionOS 2.3.2

Posted by Apple Product Security via Fulldisclosure on Mar 20

APPLE-SA-03-11-2025-4 visionOS 2.3.2

visionOS 2.3.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122284.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

WebKit
Available for: Apple Vision Pro
Impact: Maliciously crafted web content may be able to break out of Web
Content sandbox....

APPLE-SA-03-11-2025-3 macOS Sequoia 15.3.2

Posted by Apple Product Security via Fulldisclosure on Mar 20

APPLE-SA-03-11-2025-3 macOS Sequoia 15.3.2

macOS Sequoia 15.3.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122283.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

WebKit
Available for: macOS Sequoia
Impact: Maliciously crafted web content may be able to break out of Web
Content...

APPLE-SA-03-11-2025-2 iOS 18.3.2 and iPadOS 18.3.2

Posted by Apple Product Security via Fulldisclosure on Mar 20

APPLE-SA-03-11-2025-2 iOS 18.3.2 and iPadOS 18.3.2

iOS 18.3.2 and iPadOS 18.3.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122281.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

WebKit
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and...

APPLE-SA-03-11-2025-1 Safari 18.3.1

Posted by Apple Product Security via Fulldisclosure on Mar 20

APPLE-SA-03-11-2025-1 Safari 18.3.1

Safari 18.3.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122285.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

WebKit
Available for: macOS Ventura and macOS Sonoma
Impact: Maliciously crafted web content may be able to break out of Web
Content...

CVE-2019-16261 (UPDATE): Unauthenticated POST requests to Tripp Lite UPS Systems

Posted by Lucas Lalumière on Mar 20

[Author]: Lucas Lalumiere
[Contact]: lucas.lalum () gmail com
[Date]: 2025-3-17
[Vendor]: Tripp Lite
[Product]: SU750XL UPS
[Firmware]: 12.04.0052
[CVE Reference]: CVE-2019-16261

============================
Affected Products (Tested):
============================
- Tripp Lite PDU's (e.g., PDUMH15AT)
- Tripp Lite UPS's (e.g., SU750XL) *NEW*

======================
Vulnerability Summary:
======================
CVE-2019-16261 describes...

Multiple sandbox escapes in asteval python sandboxing module

Posted by areca-palm via Fulldisclosure on Mar 11

[CVE pending]

Sandboxing Python is notoriously difficult, the Python module "asteval" is no exception. Add to this the fact that a
large set of numpy functions are exposed within the sandbox by default.
Versions <=1.06 are vulnerable.
This vuln has been disclosed to the maintainer, who closed the security advisory and has since pushed his own fix to
master. A CVE is still pending. Publishing the vulnerability through this list...

SEC Consult SA-20250226-0 :: Multiple vulnerabilities in Siemens A8000 CP-8050 & CP-8031 PLC

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Feb 27

SEC Consult Vulnerability Lab Security Advisory < 20250226-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Siemens A8000 CP-8050 PLC
Siemens A8000 CP-8031 PLC
vulnerable version: <05.40 for Vulnerability 1, <05.30 for Vulnerability 2
fixed version: 05.40 for Vulnerability 1, 05.30 for Vulnerability 2...

Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client

Posted by Jordy Zomer on Feb 27

Hey all,

First of all, cool findings! I've been working on the CodeQL query and have a revised version that I think improves
accuracy and might offer some performance gains (though I haven't done rigorous benchmarking). The key change is the
use of `StackVariableReachability` and making sure that there's a path wher e `var` is not reassigned before taking a
`goto _;`. Ran it on an older database, found some of the same bugs...

MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client

Posted by Qualys Security Advisory via Fulldisclosure on Feb 20

Qualys Security Advisory

CVE-2025-26465: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled
client

CVE-2025-26466: DoS attack against OpenSSH's client and server

========================================================================
Contents
========================================================================

Summary
Background
Experiments
Results
MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client
DoS...

Self Stored XSS - acp2sev7.2.2

Posted by Andrey Stoykov on Feb 20

# Exploit Title: Self Stored XSS - acp2sev7.2.2
# Date: 02/2025
# Exploit Author: Andrey Stoykov
# Version: 7.2.2
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2025/02/friday-fun-pentest-series-19-self.html

Self Stored XSS #1:

Steps to Reproduce:

1. Visit "http://192.168.58.168/acp2se/mul/muladmin.php&quot; and login with
"admin" / "adminpass"
2. In the field "Put the name of the new...

Python's official documentation contains textbook example of insecure code (XSS)

Posted by Georgi Guninski on Feb 20

Python's official documentation contains textbook example of insecure code (XSS)

Date: 2025-02-18
Author: Georgi Guninski

===
form = cgi.FieldStorage()
if "name" not in form or "addr" not in form:
print("<H1>Error</H1>")
print("Please fill in the name and addr fields.")
return
print("<p>name:", form["name"].value)
print("<p>addr:",...

Re: Netgear Router Administrative Web Interface Lacks Transport Encryption By Default

Posted by Gynvael Coldwind on Feb 17

Hi,

This isn't really a problem a vendor can solve in firmware (apart from
offering configuration via cloud, which has its own issues).
Even if they would enable TLS/SSL by default, it would just give one a
false sense of security, since:
- the certificates would be invalid (public CAs don't give out certs for IP
addresses),
- they would be easy to clone (due to being self-signed and/or being easy
to extract from a similar device),
-...

Monero 18.3.4 zero-day DoS vulnerability has been dropped publicly on social network.

Posted by upper.underflow via Fulldisclosure on Feb 16

Hello,

About an hour ago, a group appearing to be named WyRCV2 posted a note on the nostr social network, which can be found
at the following link: https://primal.net/e/note1vzh0mj9rcxax9cgcdapupyxeehjprd68gd9kk9wrv939m8knulrs4780x7

Save, share, use.

The paste link includes a list of nodes that the attacker has instructed to target, along with a Python code to
leverage the attack. According to their explanation, this vulnerability is...

Netgear Router Administrative Web Interface Lacks Transport Encryption By Default

Posted by Ryan Delaney via Fulldisclosure on Feb 16

<!--
# Exploit Title: Netgear Router Administrative Web Interface Lacks
Transport Encryption By Default
# Date: 02-13-2025
# Exploit Author: Ryan Delaney
# Author Contact: ryan.delaney () owasp org
# Vendor Homepage: https://www.netgear.com
# Version: Netgear C7800 Router, F/W 6.01.07, possibly others
# Tested on: Netgear C7800 Router, F/W 6.01.07
# CVE: CVE-2022-41545

The administrative web interface of a Netgear C7800 Router running...

[CVE-2024-54756] GZDoom <= 4.13.1 Arbitrary Code Execution via Malicious ZScript

Posted by Gabriel Valachi via Fulldisclosure on Feb 15

In GZDoom 4.13.1 and below, there is a vulnerability involving array sizes in ZScript, the game engine's primary
scripting language. It is possible to dynamically allocate an array of 1073741823 dwords, permitting access to the rest
of the heap from the start of the array and causing a second array declared in the same function to overlap with this
huge array. The result is an exploit chain that allows arbitrary code execution through a...

Re: Text injection on https://www.google.com/sorry/index via ?q parameter (no XSS)

Posted by David Fifield on Feb 15

Today at about 2025-02-13 19:00 I noticed the "≠" is back, but now the
type 0x12 payload of the ?q query parameter gets formatted into the
string representation of an IP address, rather than being copied almost
verbatim into the page. If the payload length is 4 bytes, it gets
formatted as an IPv4 address; if 16 bytes, as an IPv6 address. I didn't
try a ton of experiments, but it looks like payload lengths other than 4
and 16...

SEC Consult SA-20250211-0 :: Multiple vulnerabilities in Wattsense Bridge

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Feb 12

SEC Consult Vulnerability Lab Security Advisory < 20250211-0 >
=======================================================================
title: Multiple vulnerabilities
product: Wattsense - Wattsense Bridge
vulnerable version: Wattsense Bridge
* Hardware Revision: WSG-EU-SC-14-00, 20230801
* Firmware Revision: Wattsense (Wattsense minimal)...

APPLE-SA-02-10-2025-2 iPadOS 17.7.5

Posted by Apple Product Security via Fulldisclosure on Feb 10

APPLE-SA-02-10-2025-2 iPadOS 17.7.5

iPadOS 17.7.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122173.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accessibility
Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch,
and iPad 6th generation
Impact: A physical...

APPLE-SA-02-10-2025-1 iOS 18.3.1 and iPadOS 18.3.1

Posted by Apple Product Security via Fulldisclosure on Feb 10

APPLE-SA-02-10-2025-1 iOS 18.3.1 and iPadOS 18.3.1

iOS 18.3.1 and iPadOS 18.3.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122174.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accessibility
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation...

CVE-2024-55447: Access Control in Paxton Net2 software (update)

Posted by Jeroen Hermans via Fulldisclosure on Feb 10

CloudAware Security Advisory

CVE-2024-55447: Potential PII leak and incorrect access control in
Paxton Net2 software

========================================================================
Summary
========================================================================
Insecure backend database in the Paxton Net2 software.
Possible leaking of PII incorrect access control.
Access cards can be cloned without physical access to the original...

ChatGPT AI finds "security concern" (XSS) in DeepSeek's code

Posted by Georgi Guninski on Feb 10

Summary: On 2025-02-09 ChatGPT AI found "security concern" (XSS) in
DeepSeek's AI python code.

Background:

Consider the simple coding question (Q):

Write Python CGI which takes as an argument NAME and outputs: "Hello NAME".

First page and results on google for "python CGI" return for me
tutorials, which are flawed and textbook examples of the cross site
scripting (XSS) vulnerability. This is a...

KL-001-2025-002: Checkmk NagVis Remote Code Execution

Posted by KoreLogic Disclosures via Fulldisclosure on Feb 04

KL-001-2025-002: Checkmk NagVis Remote Code Execution

Title: Checkmk NagVis Remote Code Execution
Advisory ID: KL-001-2025-002
Publication Date: 2025-02-04
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-002.txt

1. Vulnerability Details

     Affected Vendor: Checkmk
     Affected Product: Checkmk/NagVis
     Affected Version: Checkmk 2.3.0p2, NagVis 1.9.40
     Platform: GNU/Linux
     CWE...

KL-001-2025-001: Checkmk NagVis Reflected Cross-site Scripting

Posted by KoreLogic Disclosures via Fulldisclosure on Feb 04

KL-001-2025-001: Checkmk NagVis Reflected Cross-site Scripting

Title: Checkmk NagVis Reflected Cross-site Scripting
Advisory ID: KL-001-2025-001
Publication Date: 2025-02-04
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-001.txt

1. Vulnerability Details

     Affected Vendor: Checkmk
     Affected Product: Checkmk/NagVis
     Affected Version: Checkmk 2.3.0p2, NagVis 1.9.40
     Platform: GNU/Linux...