FreshRSS

Full Disclosure

BeyondTrust PRA connection takeover - CVE-2025-0217

May 6th 2025 at 22:31

Posted by Paul Szabo via Fulldisclosure on May 06

=== Details ========================================================

Vendor: BeyondTrust
Product: Privileged Remote Access (PRA)
Subject: PRA connection takeover
CVE ID: CVE-2025-0217
CVSS: 7.8 (high) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Author: Paul Szabo <psz () maths usyd edu au>
Date: 2025-05-05

=== Introduction ===================================================

I noticed an issue in
BeyondTrust Privileged...

Exploit-DB Updates

[webapps] Casdoor 1.901.0 - Cross-Site Request Forgery (CSRF)

May 6th 2025 at 00:00

Exploit-DB Updates

[webapps] Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)

May 6th 2025 at 00:00

Exploit-DB Updates

[webapps] ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)

May 6th 2025 at 00:00

Exploit-DB Updates

[local] Microsoft Windows - XRM-MS File NTLM Information Disclosure Spoofing

May 1st 2025 at 00:00

Exploit-DB Updates

[local] ZTE ZXV10 H201L - RCE via authentication bypass

May 1st 2025 at 00:00

Exploit-DB Updates

[local] Daikin Security Gateway 14 - Remote Password Reset

May 1st 2025 at 00:00

Exploit-DB Updates

[local] Microsoft - NTLM Hash Disclosure Spoofing (library-ms)

May 1st 2025 at 00:00

Full Disclosure

Microsoft Windows .XRM-MS File / NTLM Information Disclosure Spoofing

May 1st 2025 at 07:24

Posted by hyp3rlinx on May 01

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/Microsoft_Windows_xrm-ms_File_NTLM-Hash_Disclosure.txt
[+] x.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
.xrm-ms File Type

[Vulnerability Type]
NTLM Hash Disclosure (Spoofing)

[Video URL PoC]
https://www.youtube.com/watch?v=d5U_krLQbNY

[CVE Reference]
N/A

[Security Issue]
The...

Exploit-DB Updates

[local] unzip-stream 0.3.1 - Arbitrary File Write

April 30th 2025 at 00:00

Full Disclosure

[IWCC 2025] CfP: 14th International Workshop on Cyber Crime - Ghent, Belgium, Aug 11-14, 2025

April 27th 2025 at 04:43

Posted by Artur Janicki via Fulldisclosure on Apr 26

[APOLOGIES FOR CROSS-POSTING]

CALL FOR PAPERS
14th International Workshop on Cyber Crime (IWCC 2025 -
https://2025.ares-conference.eu/program/iwcc/)
to be held in conjunction with the 20th International Conference on
Availability, Reliability and Security (ARES 2025 -
http://2025.ares-conference.eu)

August 11-14, 2025, Ghent, Belgium

IMPORTANT DATES
Submission Deadline May 12, 2025
Author Notification May 30, 2025
Proceedings Version...

Full Disclosure

Inedo ProGet Insecure Reflection and CSRF Vulnerabilities

April 27th 2025 at 04:43

Posted by Daniel Owens via Fulldisclosure on Apr 26

Inedo ProGet 2024.22 and below are vulnerable to unauthenticated denial of service and information disclosure attacks
(among other things) because the information system directly exposes the C# reflection used during the request-action
mapping process and fails to properly protect certain pathways. These are amplified by cross-site request forgery
vulnerabilities (CSRF) due to the application's failure to verify the HTTP request method...

Full Disclosure

Ruby on Rails Cross-Site Request Forgery

April 27th 2025 at 04:43

Posted by Daniel Owens via Fulldisclosure on Apr 26

Good morning. All current versions and all versions since the 2022/2023 "fix" to the Rails cross-site request forgery
(CSRF) protections continue to be vulnerable to the same attacks as the 2022 implementation. Currently, Rails
generates "authenticity tokens" and "csrf tokens" using a random "one time pad" (OTP). This random value is then XORed
with the "raw token" (which can take one of two...

Full Disclosure

Microsoft ".library-ms" File / NTLM Information Disclosure (Resurrected 2025)

April 27th 2025 at 04:40

Posted by hyp3rlinx on Apr 26

[-] Microsoft ".library-ms" File / NTLM Information Disclosure
Spoofing (Resurrected 2025) / CVE-2025-24054

[+] John Page (aka hyp3rlinx)
[+] x.com/hyp3rlinx
[+] ISR: ApparitionSec

Back in 2018, I reported a ".library-ms" File NTLM information
disclosure vulnerability to MSRC and was told "it was not severe
enough", that being said I post it anyways. Seven years passed, until
other researchers re-reported it....

Full Disclosure

HNS-2025-10 - HN Security Advisory - Local privilege escalation in Zyxel uOS

April 24th 2025 at 03:15

Posted by Marco Ivaldi on Apr 23

Hi,

Please find attached a security advisory that describes some
vulnerabilities we discovered in the Zyxel uOS Linux-based operating
system.

* Title: Local privilege escalation via Zyxel fermion-wrapper
* Product: USG FLEX H Series
* OS: Zyxel uOS V1.31 (and potentially earlier versions)
* Author: Marco Ivaldi <marco.ivaldi () hnsecurity it>
* Date: 2025-04-23
* CVE ID: CVE-2025-1731 (see discussion in "5 - Remediation" below)...

Full Disclosure

APPLE-SA-04-16-2025-4 visionOS 2.4.1

April 24th 2025 at 03:15

Posted by Apple Product Security via Fulldisclosure on Apr 23

APPLE-SA-04-16-2025-4 visionOS 2.4.1

visionOS 2.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122402.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

CoreAudio
Available for: Apple Vision Pro
Impact: Processing an audio stream in a maliciously crafted media file
may result in...

Full Disclosure

APPLE-SA-04-16-2025-3 tvOS 18.4.1

April 24th 2025 at 03:15

Posted by Apple Product Security via Fulldisclosure on Apr 23

APPLE-SA-04-16-2025-3 tvOS 18.4.1

tvOS 18.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122401.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

CoreAudio
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing an audio stream in a maliciously crafted media file...

Full Disclosure

APPLE-SA-04-16-2025-2 macOS Sequoia 15.4.1

April 24th 2025 at 03:14

Posted by Apple Product Security via Fulldisclosure on Apr 23

APPLE-SA-04-16-2025-2 macOS Sequoia 15.4.1

macOS Sequoia 15.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122400.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

CoreAudio
Available for: macOS Sequoia
Impact: Processing an audio stream in a maliciously crafted media file
may...

Full Disclosure

APPLE-SA-04-16-2025-1 iOS 18.4.1 and iPadOS 18.4.1

April 24th 2025 at 03:14

Posted by Apple Product Security via Fulldisclosure on Apr 23

APPLE-SA-04-16-2025-1 iOS 18.4.1 and iPadOS 18.4.1

iOS 18.4.1 and iPadOS 18.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122282.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

CoreAudio
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch
3rd generation and...

Full Disclosure

Business Logic Flaw: Price Manipulation - AlegroCartv1.2.9

April 24th 2025 at 03:14

Posted by Andrey Stoykov on Apr 23

# Exploit Title: Business Logic Flaw: Price Manipulation - alegrocartv1.2.9
# Date: 04/2025
# Exploit Author: Andrey Stoykov
# Version: 1.2.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Business Logic Flaw: Price Manipulation #1:

Steps to Reproduce:

1. Visit the store and add a product
2. Intercept the HTTP GET request and add negative value to the "quantity"
parameter

// HTTP GET request

GET...

Full Disclosure

Stored XSS in "Message" Functionality - AlegroCartv1.2.9

April 24th 2025 at 03:14

Posted by Andrey Stoykov on Apr 23

# Exploit Title: Stored XSS in "Message" Functionality - alegrocartv1.2.9
# Date: 04/2025
# Exploit Author: Andrey Stoykov
# Version: 1.2.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS #1:

Steps to Reproduce:

1. Login as demonstrator account and visit "Customers" > "Newsletter"
2. In "Message" use the following XSS payload

<iframe srcdoc="<img src=x...

Full Disclosure

XSS via SVG Image Upload - AlegroCartv1.2.9

April 24th 2025 at 03:14

Posted by Andrey Stoykov on Apr 23

# Exploit Title: XSS via SVG Image Upload - alegrocartv1.2.9
# Date: 04/2025
# Exploit Author: Andrey Stoykov
# Version: 1.2.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

XSS via SVG Image Upload:

Steps to Reproduce:

1. Visit http://192.168.58.129/alegrocart/administrator/?controller=download
2. Upload SVG image file with the contents below
3. Intercept the POST request and change the Content-Type to "Content-Type:...

Full Disclosure

BBOT 2.1.0 - Local Privilege Escalation via Malicious Module Execution

April 24th 2025 at 03:14

Posted by Housma mardini on Apr 23

Hi Full Disclosure,

I'd like to share a local privilege escalation technique involving BBOT
(Bighuge BLS OSINT Tool) when misconfigured with sudo access.

---

Exploit Title: BBOT 2.1.0 - Local Privilege Escalation via Malicious Module
Execution
Date: 2025-04-16
Exploit Author: Huseyin Mardinli
Vendor Homepage: https://github.com/blacklanternsecurity/bbot
Version: 2.1.0.4939rc (tested)
Tested on: Kali Linux Rolling (2025.1)
CVE: N/A...

Exploit-DB Updates

[local] tar-fs 3.0.0 - Arbitrary File Write/Overwrite

April 22nd 2025 at 00:00

Exploit-DB Updates

[webapps] WordPress Core 6.2 - Directory Traversal

April 22nd 2025 at 00:00

Exploit-DB Updates

[local] Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege

April 22nd 2025 at 00:00

Exploit-DB Updates

[remote] OpenSSH server (sshd) 9.8p1 - Race Condition

April 22nd 2025 at 00:00

Exploit-DB Updates

[remote] WonderCMS 3.4.2 - Remote Code Execution (RCE)

April 22nd 2025 at 00:00

Exploit-DB Updates

[remote] code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS)

April 22nd 2025 at 00:00

Exploit-DB Updates

[remote] Firefox ESR 115.11 - PDF.js Arbitrary JavaScript execution

April 22nd 2025 at 00:00

Exploit-DB Updates

[local] Microsoft Windows 11 - Kernel Privilege Escalation

April 22nd 2025 at 00:00

Exploit-DB Updates

[webapps] FoxCMS 1.2.5 - Remote Code Execution (RCE)

April 19th 2025 at 00:00

Exploit-DB Updates

[webapps] Drupal 11.x-dev - Full Path Disclosure

April 19th 2025 at 00:00

Exploit-DB Updates

[webapps] UJCMS 9.6.3 - User Enumeration via IDOR

April 18th 2025 at 00:00

Exploit-DB Updates

[webapps] KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection

April 18th 2025 at 00:00

Exploit-DB Updates

[webapps] Tatsu 3.3.11 - Unauthenticated RCE

April 18th 2025 at 00:00

Exploit-DB Updates

[webapps] Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation

April 18th 2025 at 00:00

Exploit-DB Updates

[webapps] Apache Commons Text 1.10.0 - Remote Code Execution

April 18th 2025 at 00:00

Exploit-DB Updates

[remote] Langflow 1.3.0 - Remote Code Execution (RCE)

April 18th 2025 at 00:00

Exploit-DB Updates

[webapps] Inventio Lite 4 - SQL Injection

April 18th 2025 at 00:00

Exploit-DB Updates

[webapps] Blood Bank & Donor Management System 2.4 - CSRF Improper Input Validation

April 17th 2025 at 00:00

Exploit-DB Updates

[local] AnyDesk 9.0.1 - Unquoted Service Path

April 17th 2025 at 00:00

Exploit-DB Updates

[webapps] compop.ca 3.5.3 - Arbitrary code Execution

April 17th 2025 at 00:00

Exploit-DB Updates

[webapps] Usermin 2.100 - Username Enumeration

April 17th 2025 at 00:00

Exploit-DB Updates

[hardware] ABB Cylon Aspect 3.08.02 (deployStart.php) - Unauthenticated Command Execution

April 17th 2025 at 00:00

Exploit-DB Updates

[hardware] ABB Cylon Aspect 3.08.02 (ethernetUpdate.php) - Authenticated Path Traversal

April 17th 2025 at 00:00

Exploit-DB Updates

[webapps] Angular-Base64-Upload Library 0.1.21 - Unauthenticated Remote Code Execution (RCE)

April 17th 2025 at 00:00

Exploit-DB Updates

[webapps] IBMi Navigator 7.5 - HTTP Security Token Bypass

April 17th 2025 at 00:00

Exploit-DB Updates

[remote] TP-Link VN020 F3v(T) TT_V6.2.1021 - Buffer Overflow Memory Corruption

April 17th 2025 at 00:00

Exploit-DB Updates

[remote] TP-Link VN020 F3v(T) TT_V6.2.1021 - Denial Of Service (DOS)

April 17th 2025 at 00:00

Exploit-DB Updates

[hardware] ABB Cylon Aspect 4.00.00 (factorySaved.php) - Unauthenticated XSS

April 16th 2025 at 00:00

Exploit-DB Updates

[webapps] phpMyFAQ 3.2.10 - Unintended File Download Triggered by Embedded Frames

April 16th 2025 at 00:00

Exploit-DB Updates

[hardware] ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php) - File Write DoS

April 16th 2025 at 00:00

Exploit-DB Updates

[remote] WebMethods Integration Server 10.15.0.0000-0092 - Improper Access on Login Page

April 16th 2025 at 00:00

Exploit-DB Updates

[webapps] ProConf 6.0 - Insecure Direct Object Reference (IDOR)

April 16th 2025 at 00:00

Exploit-DB Updates

[webapps] Ethercreative Logs 3.0.3 - Path Traversal

April 16th 2025 at 00:00

Exploit-DB Updates

[webapps] FLIR AX8 1.46.16 - Remote Command Injection

April 16th 2025 at 00:00

Exploit-DB Updates

[webapps] Car Rental Project 1.0 - Remote Code Execution

April 16th 2025 at 00:00

Exploit-DB Updates

[local] Ruckus IoT Controller 1.7.1.0 - Undocumented Backdoor Account

April 16th 2025 at 00:00

Exploit-DB Updates

[local] ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE)

April 16th 2025 at 00:00