[REVIVE-SA-2025-004] Revive Adserver Vulnerabilities

Posted by Matteo Beccati on Nov 19

========================================================================
Revive Adserver Security Advisory REVIVE-SA-2025-004
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2025-004
------------------------------------------------------------------------
Date: 2025-11-19
Risk Level: Medium
Applications affected: Revive...

[REVIVE-SA-2025-003] Revive Adserver Vulnerabilities

Posted by Matteo Beccati on Nov 19

========================================================================
Revive Adserver Security Advisory REVIVE-SA-2025-003
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2025-003
------------------------------------------------------------------------
Date: 2025-11-05
Risk Level: High
Applications affected: Revive...

[SYSS-2025-059]: Dell computer UEFI boot protection bypass

Posted by Micha Borrmann via Fulldisclosure on Nov 19

Advisory ID: SYSS-2025-059
Product: Dell computer
Manufacturer: Dell
Affected Version(s): Probably all Dell computers
Tested Version(s): Latitude 5431 (BIOS 1.33.1),
Latitude 7320 (BIOS 1.44.1),
Latitude 7400 (BIOS 1.41.1),
Latitude 7480 (BIOS 1.41.3),
Latitude 9430 (BIOS...

Re: [FD] : "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)

Posted by Patrick via Fulldisclosure on Nov 13

Hello Jan,

You are completely right and it’s something I warned about early, which is abuse of AI-generated sensationalized
headline and fake PoC-s, for fame.

I urge the Full Disclosure staff to look into it.

Discussions with the individual responsible seem to be fruitless, and this likely constitutes abuse of this mailing
list.

Sent from Proton Mail for iOS.

-------- Original Message --------

I looked at few repos and posts of...

APPLE-SA-11-13-2025-1 Compressor 4.11.1

Posted by Apple Product Security via Fulldisclosure on Nov 13

APPLE-SA-11-13-2025-1 Compressor 4.11.1

Compressor 4.11.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125693.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Compressor
Available for: macOS Sequoia 15.6 and later
Impact: An unauthenticated user on the same network as a Compressor...

Re: 83 vulnerabilities in Vasion Print / PrinterLogic

Posted by Pierre Kim on Nov 13

No message preview for long message of 668188 bytes.

Re: [FD] : "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)

Posted by Joseph Goydish II via Fulldisclosure on Nov 07

Hey Patrick, I understand the doubt.

However… what’s not slop is reproducible logs I provided a video of and the testable, working exploit I provided.

Neither is the upstream patches that can be tracked from the disclosure dates to the cve’s listed in the report.

The exploit was caught in the wild, reversed engineered via log analysis and the logs provided are simply observed
behavior. Please feel free to independently test the...

Re: : "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)

Posted by Jan Schermer on Nov 07

I looked at few repos and posts of "Joseph Goydish".
It all seems to be thinly veiled AI slop and BS.
Cited vulns are not attributed to him really and those chains don’t make a lot of sense. Screen recordings look
suspicious, some versions reference High Sierra for some reason (but I can’t find those bits now).

I invite anyone to look at his GH repos and scroll through commit history.
Does this make any sense?...

runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881

Posted by Aleksa Sarai via Fulldisclosure on Nov 07

| NOTE: This advisory was sent to <security-announce () opencontainers org>
| on 2025-10-16. If you ship any Open Container Initiative software, we
| highly recommend that you subscribe to our security-announce list in
| order to receive more timely disclosures of future security issues.
| The procedure for subscribing to security-announce is outlined here:
| <...

OXAS-ADV-2025-0002: OX App Suite Security Advisory

Posted by Martin Heiland via Fulldisclosure on Nov 07

Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at
https://documentation.open-xchange.com/appsuite/security/advisories/html/2025/oxas-adv-2025-0002.html.

Yours sincerely,
Martin Heiland, Open-Xchange...

APPLE-SA-11-05-2025-1 iOS 18.7.2 and iPadOS 18.7.2

Posted by Apple Product Security via Fulldisclosure on Nov 07

APPLE-SA-11-05-2025-1 iOS 18.7.2 and iPadOS 18.7.2

iOS 18.7.2 and iPadOS 18.7.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125633.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accessibility
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation...

APPLE-SA-11-03-2025-9 Xcode 26.1

Posted by Apple Product Security via Fulldisclosure on Nov 07

APPLE-SA-11-03-2025-9 Xcode 26.1

Xcode 26.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125641.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

GNU
Available for: macOS Sequoia 15.6 and later
Impact: Processing a maliciously crafted file may lead to heap
corruption
Description: An...

APPLE-SA-11-03-2025-8 Safari 26.1

Posted by Apple Product Security via Fulldisclosure on Nov 07

APPLE-SA-11-03-2025-8 Safari 26.1

Safari 26.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125640.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Safari
Available for: macOS Sonoma and macOS Sequoia
Impact: Visiting a malicious website may lead to address bar spoofing
Description:...

APPLE-SA-11-03-2025-7 visionOS 26.1

Posted by Apple Product Security via Fulldisclosure on Nov 07

APPLE-SA-11-03-2025-7 visionOS 26.1

visionOS 26.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125638.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Apple Account
Available for: Apple Vision Pro (all models)
Impact: A malicious app may be able to take a screenshot of sensitive...

APPLE-SA-11-03-2025-6 watchOS 26.1

Posted by Apple Product Security via Fulldisclosure on Nov 07

APPLE-SA-11-03-2025-6 watchOS 26.1

watchOS 26.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125639.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Apple Account
Available for: Apple Watch Series 6 and later
Impact: A malicious app may be able to take a screenshot of sensitive...

APPLE-SA-11-03-2025-5 tvOS 26.1

Posted by Apple Product Security via Fulldisclosure on Nov 07

APPLE-SA-11-03-2025-5 tvOS 26.1

tvOS 26.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125637.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for: Apple TV 4K (2nd generation and later)
Impact: An app may be able to cause unexpected system termination...

APPLE-SA-11-03-2025-4 macOS Sonoma 14.8.2

Posted by Apple Product Security via Fulldisclosure on Nov 07

APPLE-SA-11-03-2025-4 macOS Sonoma 14.8.2

macOS Sonoma 14.8.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125636.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Admin Framework
Available for: macOS Sonoma
Impact: An app may be able to access user-sensitive data
Description: A...

APPLE-SA-11-03-2025-3 macOS Sequoia 15.7.2

Posted by Apple Product Security via Fulldisclosure on Nov 07

APPLE-SA-11-03-2025-3 macOS Sequoia 15.7.2

macOS Sequoia 15.7.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125635.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Admin Framework
Available for: macOS Sequoia
Impact: An app may be able to access user-sensitive data
Description: A...

APPLE-SA-11-03-2025-2 macOS Tahoe 26.1

Posted by Apple Product Security via Fulldisclosure on Nov 07

APPLE-SA-11-03-2025-2 macOS Tahoe 26.1

macOS Tahoe 26.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125634.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Admin Framework
Available for: macOS Tahoe
Impact: An app may be able to access sensitive user data
Description: The issue was...

APPLE-SA-11-03-2025-1 iOS 26.1 and iPadOS 26.1

Posted by Apple Product Security via Fulldisclosure on Nov 07

APPLE-SA-11-03-2025-1 iOS 26.1 and iPadOS 26.1

iOS 26.1 and iPadOS 26.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125632.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accessibility
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation
and later, iPad Pro...

Re: [oss-security] runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881

Posted by akendo () akendo eu on Nov 07

Thank you for sharing this. I wondered how big the impact of this vulnerability is when you have only the ability to
access runs via the Kubernetes API? Would you argue that the vulnerability becomes harder (or impossible?) to exploit
when you can only interact with the service via another API?

In my current understanding of the vulnerabilities, it seems like you need to be able to interact with runs directly.

Furthermore, the ability to...

SEC Consult SA-20251029-0 :: Unprotected NFC card manipulation leading to free top-up in GiroWeb Cashless Catering Solutions (only legacy customer infrastructure)

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 29

SEC Consult Vulnerability Lab Security Advisory < 20251029-0 >
=======================================================================
title: Unprotected NFC card manipulation leading to free top-up
product: GiroWeb Cashless Catering Solutions
vulnerable version: Only legacy customer infrastructure using outdated
Legic Prime or other insecure NFC cards
fixed version: -
CVE...

Re: [FD] : "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)

Posted by josephgoyd via Fulldisclosure on Oct 29

The exploit I caught in the wild and the flow of the attack chain are in this repo:
https://github.com/JGoyd/Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201

The report was constructed via log analysis.

-------- Original Message --------

It seems, the whole account is down

Re: : "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)

Posted by Christoph Gruber on Oct 29

It seems, the whole account is down

Dovecot CVE-2025-30189: Auth cache causes access to wrong account

Posted by Aki Tuomi via Fulldisclosure on Oct 29

Affected product: Dovecot IMAP Server
Internal reference: DOV-7830
Vulnerability type: CWE-1250 (Improper Preservation of Consistency Between Independent Representations of Shared State)
Vulnerable version: 2.4.0, 2.4.1
Vulnerable component: auth
Report confidence: Confirmed
Solution status: Fixed in 2.4.2
Researcher credits: Erik <erik () broadlux com>
Vendor notification: 2025-07-25
CVE reference: CVE-2025-30189
CVSS: 7.4...

SEC Consult SA-20251027-0 :: Unauthenticated Local File Disclosure in MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing Execution System #CVE-2025-12055

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 28

SEC Consult Vulnerability Lab Security Advisory < 20251027-0 >
=======================================================================
title: Unauthenticated Local File Disclosure
product: MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing
Execution System
vulnerable version: 10.14.STD, MIP 2 / FEDRA 2 / HYDRA X with Servicepack 8
Maintenance versions until week...

Stored Cross-Site Scripting (XSS) via SVG File Upload - totaljsv5013

Posted by Andrey Stoykov on Oct 28

# Exploit Title: Stored Cross-Site Scripting (XSS) via SVG File Upload -
totaljsv5013
# Date: 10/2025
# Exploit Author: Andrey Stoykov
# Version: 5013
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-46-stored.html

Stored Cross-Site Scripting (XSS) via SVG File Upload:

Steps to Reproduce:
1. Login with user and visit "Layouts"
2. Visit "Files" and click "Upload"
3....

Stored HTML Injection - Layout Functionality - totaljsv5013

Posted by Andrey Stoykov on Oct 28

# Exploit Title: Stored HTML Injection - Layout Functionality - totaljsv5013
# Date: 10/2025
# Exploit Author: Andrey Stoykov
# Version: 5013
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-45-stored.html

Stored HTML Injection - Layout Functionality:

Steps to Reproduce:
1. Login with user and visit "Layouts"
2. Click on "Create" and enter name for the layout
3. Trap the HTTP...

Stored Cross-Site Scripting (XSS) - Layout Functionality - totaljsv5013

Posted by Andrey Stoykov on Oct 28

# Exploit Title: Stored Cross-Site Scripting (XSS) - Layout Functionality -
totaljsv5013
# Date: 10/2025
# Exploit Author: Andrey Stoykov
# Version: 5013
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-44-stored.html

Stored Cross-Site Scripting (XSS) - Layout Functionality:

Steps to Reproduce:
1. Login with user and visit "Layouts"
2. Click on "Create" and enter name for the...

Current Password not Required When Changing Password - totaljsv5013

Posted by Andrey Stoykov on Oct 28

# Exploit Title: Current Password not Required When Changing Password -
totaljsv5013
# Date: 10/2025
# Exploit Author: Andrey Stoykov
# Version: 5013
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-43-current.html

Current Password not Required When Changing Password:

Steps to Reproduce:
1. Login with user and click on profile icon
2. Select "Change Credentials"
3. The user would not be...

Re: [FD] : "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)

Posted by Noor Christensen on Oct 28

Hi Joseph,

Looks like your post with the technical details is down; I'm getting a 404 since
yesterday.

-- kchr

Struts2 and Related Framework Array/Collection DoS

Posted by Daniel Owens via Fulldisclosure on Oct 28

Struts2 has, since its inception and to today, contained a significant denial of service (DoS) vulnerability stemming
from how the Struts2 default deserialiser parses and deserialises arrays, collections (including maps), and related
objects. Specifically, Struts2 and related frameworks allow attackers to specify indices and adhere to the
user-supplied indices such that attackers can make arbitrarily large data structures with extremely tiny...

[REVIVE-SA-2025-002] Revive Adserver Vulnerability

Posted by Matteo Beccati on Oct 25

========================================================================
Revive Adserver Security Advisory REVIVE-SA-2025-002
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2025-002
------------------------------------------------------------------------
Date: 2025-10-24
Risk Level: High
Applications affected: Revive...

[REVIVE-SA-2025-001] Revive Adserver Vulnerability

Posted by Matteo Beccati on Oct 25

========================================================================
Revive Adserver Security Advisory REVIVE-SA-2025-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2025-001
------------------------------------------------------------------------
CVE-ID: CVE-2025-27208
Date: 2025-10-22
Risk Level:...

SEC Consult SA-20251021-0 :: Multiple Vulnerabilities in EfficientLab WorkExaminer Professional (CVE-2025-10639, CVE-2025-10640, CVE-2025-10641)

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 21

SEC Consult Vulnerability Lab Security Advisory < 20251021-0 >
=======================================================================
title: Multiple Vulnerabilities
product: EfficientLab WorkExaminer Professional
vulnerable version: <= 4.0.0.52001
fixed version: -
CVE number: CVE-2025-10639, CVE-2025-10640, CVE-2025-10641
impact: Critical
homepage:...

[SYSS-2025-017]: Verbatim Store 'n' Go Secure Portable HDD (security update v1.0.0.6) - Offline brute-force attack

Posted by Matthias Deeg via Fulldisclosure on Oct 21

Advisory ID: SYSS-2025-017
Product: Store 'n' Go Secure Portable HDD
Manufacturer: Verbatim
Affected Version(s): Part Number #53401 (GD25LK01-3637-C VER4.0)
Tested Version(s): Part Number #53401 (GD25LK01-3637-C VER4.0)
Vulnerability Type: Use of a Cryptographic Primitive with a Risky
Implementation (CWE-1240)
Risk Level: High...

[SYSS-2025-016]: Verbatim Store 'n' Go Secure Portable SSD (security update v1.0.0.6) - Offline brute-force attack

Posted by Matthias Deeg via Fulldisclosure on Oct 21

Advisory ID: SYSS-2025-016
Product: Store 'n' Go Secure Portable SSD
Manufacturer: Verbatim
Affected Version(s): Part Number #53402 (GDMSLK02 C-INIC3637-V1.1)
Tested Version(s): Part Number #53402 (GDMSLK02 C-INIC3637-V1.1)
Vulnerability Type: Use of a Cryptographic Primitive with a Risky
Implementation (CWE-1240)
Risk Level:...

[SYSS-2025-015]: Verbatim Keypad Secure (security update v1.0.0.6) - Offline brute-force attack

Posted by Matthias Deeg via Fulldisclosure on Oct 21

Advisory ID: SYSS-2025-015
Product: Keypad Secure USB 3.2 Gen 1 Drive
Manufacturer: Verbatim
Affected Version(s): Part Number #49427 (GDMSLK03A-IN3637 VER1.0)
Part Number #49428 (GDMSLK03A-IN3637 VER1.0)
Tested Version(s): Part Number #49427 (GDMSLK03A-IN3637 VER1.0)
Part Number #49428 (GDMSLK03A-IN3637 VER1.0)
Vulnerability Type:...

Malvuln - MISP compatible malware vulnerability intelligence feed now live

Posted by malvuln on Oct 21

Greetings, I created a MISP-compatible feed for Malvuln that provides
malware-vulnerability intelligence; vulnerability types are normalized
and mapped to the MITRE ATT&CK framework to improve tagging,
correlation and threat analysis.

https://intel.malvuln.com

Track vulnerable malware, for researchers or anyone building CTI
pipelines Existing data live now — new entries soon Feedback welcome.

Thank you
malvuln

BSidesSF 2026 CFP still open until October 28th

Posted by BSidesSF CFP via Fulldisclosure on Oct 21

BSidesSF is still soliciting submissions for the annual BSidesSF
conference on March 21-22, 2026. Call for participation is currently
open for both Informational/Collaborative Tracks. Our theme for 2026
is "BSidesSF: The Musical". Deadline for submissions is OCTOBER 28,
2025. https://bsidessf.org/cfp

BSidesSF (bsidessf.org) is a non-profit organization designed to
advance the body of Information Security knowledge, by providing an...

Google Firebase hosting suspension / "malware distribution" bypass

Posted by Security Explorations on Oct 21

Dear All,

We have recently experienced "an outage" / unavailability of our website
[1] due to Google suspending our Firebase project (the root for our website
hosting).

On Oct 16, 2025 (23:20 PM CET) we received a message [2] from Google Cloud
Compliance, which indicated our hosting project was potentially violating
Google Policies / TOS due to "hosting, distributing, or facilitating the
distribution of malware, unwanted...

CyberDanube Security Research 20251014-0 | Multiple Vulnerabilities in Phoenix Contact QUINT4 UPS

Posted by Thomas Weber | CyberDanube via Fulldisclosure on Oct 18

CyberDanube Security Research 20251014-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| QUINT4-UPS
vulnerable version| VC:00<VC:07
fixed version| VC:07 (partially)
CVE number| CVE-2025-41703, CVE-2025-41704, CVE-2025-41705,
| CVE-2025-41706, CVE-2025-41707
impact| High...

apis.google.com - Insecure redirect via __lu parameter (exploited in the wild)

Posted by Patrick via Fulldisclosure on Oct 18

----------------------------------------------------------------------------
Summary
----------------------------------------------------------------------------
A CWE-601 (Open Redirect) vulnerability has been identified in the additnow
functionality of apis.google.com. The vulnerability has been actively exploited
in targeted phishing attacks since at least September 15, 2025....

Urgent Security Vulnerabilities Discovered in Mercku Routers Model M6a

Posted by cve on Oct 18

The critical vulnerabilities discovered within Mercku routers,
specifically the M6a model, that could pose serious security threats to
home networks. These issues allow remote code execution with minimal
effort, tested against version 2.1.0 of the official firmware.

I have also submitted a CVE request in June 2024 (CVE Request 1744791)

CSRF Vulnerability: Attackers can force a password reset without
the user's consent,...

Re: Security Advisory: Multiple High-Severity Vulnerabilities in Suno.com (JWT Leakage, IDOR, DoS)

Posted by Gynvael Coldwind on Oct 15

Vendor Response Pattern

Hi Christopher,

Vendor is correct with this one. The problem isn't the vendor's site – it's
that the browser is already pwned with the malicious browser extension
(this is site-agnostic).
You've mentioned "No user interaction required beyond normal application
usage.", but having "Malicious browser extension" installed is anything but
normal application usage.

This is not a...

Security Advisory: Multiple High-Severity Vulnerabilities in Suno.com (JWT Leakage, IDOR, DoS)

Posted by Christopher Dickinson via Fulldisclosure on Oct 13

Security Advisory: Multiple High-Severity Vulnerabilities in Suno.com

CVE Identifiers

* CVE-2025-[PENDING] - Excessive Data Exposure / JWT Token Leakage
* CVE-2025-[PENDING] - Broken Object Level Authorization (IDOR)
* CVE-2025-[PENDING] - Unrestricted Resource Consumption (DoS)

Executive Summary
This security advisory details three significant vulnerabilities discovered in the Suno.com web application and API
infrastructure on October 9,...

[SBA-ADV-20250730-01] CVE-2025-39664: Checkmk Path Traversal

Posted by SBA Research Security Advisory via Fulldisclosure on Oct 13

# Checkmk Path Traversal #

Link: https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250730-01_Checkmk_Path_Traversal

## Vulnerability Overview ##

Checkmk in versions before 2.4.0p13, 2.3.0p38 and 2.2.0p46, as well as since
version 2.1.0b1 is prone to a path traversal vulnerability in the report
scheduler. Due to an insufficient validation of a file name input, users can
store reports in arbitrary locations on the server.

*...

[SBA-ADV-20250724-01] CVE-2025-32919: Checkmk Agent Privilege Escalation via Insecure Temporary Files

Posted by SBA Research Security Advisory via Fulldisclosure on Oct 13

# Checkmk Agent Privilege Escalation via Insecure Temporary Files #

Link:
https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250724-01_Checkmk_Agent_Privilege_Escalation_via_Insecure_Temporary_Files

## Vulnerability Overview ##

The `win_license` plugin as included in Checkmk agent for Windows versions
before 2.4.0p13, 2.3.0p38 and 2.2.0p46, as well as since version 2.1.0b2 and
2.0.0p28 allows low privileged users to escalate...

CVE-2025-59397 - Open Web Analytics SQL Injection

Posted by Seralys Research Team via Fulldisclosure on Oct 08

Seralys Security Advisory | https://www.seralys.com/research
======================================================================
Title: SQL Injection Vulnerability
Product: Open Web Analytics (OWA)
Affected: Confirmed on 1.8.0 (older versions likely affected)
Fixed in: 1.8.1
Vendor: Open Web Analytics (open-source)
Discovered: August 2025
Severity: HIGH
CWE: CWE-89: SQL Injection
CVE: CVE-2025-59397...

Re: [FD] Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain → Secure Enclave Key Theft, Wormable RCE, Crypto Theft

Posted by josephgoyd via Fulldisclosure on Oct 07

The GitHub link has a write up on the attack-chain. Along with the CNVD certs that were issued for validation.

https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201

Re: Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain → Secure Enclave Key Theft, Wormable RCE, Crypto Theft

Posted by full on Oct 07

Substack is down. If there is a replacement, it is appreciated.

-x9p

Re: Defense in depth -- the Microsoft way (part 93): SRP/SAFER whitelisting goes black on Windows 11

Posted by Stefan Kanthak via Fulldisclosure on Oct 07

On a fresh installation of the just released Windows 11 25H2 the former file
%SystemRoot%\System32\SecurityHealth\10.0.27840.1000-0\SecurityHealthHost.exe
is %SystemRoot%\System32\SecurityHealthHost.exe now, but the BUG persists:

| svchost.exe (PID = 9876) identified \\?\C:\Windows\System32\SecurityHealthHost.exe
| as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}

stay tuned, and far away from bug-riddled Windows...

Re: [FD] : "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)

Posted by josephgoyd via Fulldisclosure on Oct 02

Updated repo location: https://github.com/JGoyd/Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201

Working exploit:
https://www.dropbox.com/scl/fi/ech6wdnpnyscbfiu2o8zh/IMG_1118.png?rlkey=jna5uo6aihs6tfbwtsk8fw7em&st=8c56raq8&dl=0

Re: [FD] Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain → Secure Enclave Key Theft, Wormable RCE, Crypto Theft

Posted by josephgoyd via Fulldisclosure on Oct 02

Updated repo location: https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201

Working exploit:
https://www.dropbox.com/scl/fi/oerpnhq1ui3xfswsszfh2/Audio-clip.amr?rlkey=7n54m1o84poezyipxvd2f9slx&st=b1tkonvr&dl=0

Samtools v1.22.1 Uncontrolled Memory Allocation from Large BED Intervals Causes Denial-of-Service in Samtools/HTSlib

Posted by Ron E on Sep 30

A denial-of-service vulnerability exists in Samtools and the underlying
HTSlib when processing BED files containing extremely large interval
values. The bed_index_core() function in bedidx.c uses the interval end
coordinate to calculate allocation size without sufficient validation. By
supplying a BED record with a crafted end coordinate (e.g., near 2^61), an
attacker can trigger uncontrolled memory allocation requests via
hts_resize_array_()....

Samtools v1.22.1 Improper Handling of Excessive Histogram Bin Counts in Samtools Coverage Leads to Stack Overflow

Posted by Ron E on Sep 30

In the samtools coverage subcommand, the -w / --n-bins option allows the
user to specify how many “bins” to produce in the coverage histogram. The
code computes: stats[tid].bin_width = (stats[tid].end - stats[tid].beg) /
n_bins; When the number of bins (n_bins) is extremely large relative to the
region length (end - beg), this integer division can yield zero, or lead to
unexpected behavior in subsequent arithmetic. Later in print_hist(),...

libgeotiff 1.7.4 Heap Buffer Overflow in geotifcp (libgeotiff) During 8-to-4 Bit Downsample with Odd Image Width

Posted by Ron E on Sep 30

A heap buffer overflow vulnerability exists in the geotifcp utility,
distributed as part of libgeotiff. The flaw occurs in the function
cpContig2ContigByRow_8_to_4 when processing TIFF images with an odd
ImageWidth and using the -d option (downsampling from 8-bit to 4-bit).
During conversion, the function iterates over pixels in pairs and always
accesses buf_in[i_in+1]. When the width is odd, the last iteration
dereferences one byte past the...

APPLE-SA-09-29-2025-6 visionOS 26.0.1

Posted by Apple Product Security via Fulldisclosure on Sep 30

APPLE-SA-09-29-2025-6 visionOS 26.0.1

visionOS 26.0.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125338.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

FontParser
Available for: Apple Vision Pro
Impact: Processing a maliciously crafted font may lead to unexpected app
termination...

APPLE-SA-09-29-2025-5 macOS Sonoma 14.8.1

Posted by Apple Product Security via Fulldisclosure on Sep 30

APPLE-SA-09-29-2025-5 macOS Sonoma 14.8.1

macOS Sonoma 14.8.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125330.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

FontParser
Available for: macOS Sonoma
Impact: Processing a maliciously crafted font may lead to unexpected app...

APPLE-SA-09-29-2025-4 macOS Sequoia 15.7.1

Posted by Apple Product Security via Fulldisclosure on Sep 30

APPLE-SA-09-29-2025-4 macOS Sequoia 15.7.1

macOS Sequoia 15.7.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125329.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

FontParser
Available for: macOS Sequoia
Impact: Processing a maliciously crafted font may lead to unexpected app...