FreshRSS

Full Disclosure

Defense in depth -- the Microsoft way (part 91): yet another 30 year old bug of the "Properties" shell extension

August 5th 2025 at 03:07

Posted by Stefan Kanthak via Fulldisclosure on Aug 04

Hi @ll,

this extends the previous post titled Defense in depth -- the
Microsoft way (part 90): "Digital Signature" property sheet
missing without "Read Extended Attributes" access permission
<https://seclists.org/fulldisclosure/2025/Jul/39>, to document
another facet of this 30 year old bug in the "Properties" shell
extension.

About 35 years ago Microsoft began to implement their "New Technology
File...
Full Disclosure

Rtpengine: RTP Inject and RTP Bleed vulnerabilities despite proper configuration (CVSS v4.0 Score: 9.3 / Critical)

August 3rd 2025 at 02:42

Posted by Sandro Gauci via Fulldisclosure on Aug 02

Rtpengine: RTP Inject and RTP Bleed vulnerabilities despite proper configuration (CVSS v4.0 Score: 9.3 / Critical)

- CVSS v4.0
- Exploitability: High
- Complexity: Low
- Vulnerable system: Medium
- Subsequent system: Medium
- Exploitation: High
- Security requirements: High
- Vector: https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:H/SI:H/SA:H
- Other references:...
Full Disclosure

APPLE-SA-07-30-2025-1 Safari 18.6

August 3rd 2025 at 02:41

Posted by Apple Product Security via Fulldisclosure on Aug 02

APPLE-SA-07-30-2025-1 Safari 18.6

Safari 18.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124152.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

libxml2
Available for: macOS Ventura and macOS Sonoma
Impact: Processing a file may lead to memory corruption
Description: This is a...
Full Disclosure

Defense in depth -- the Microsoft way (part 90): "Digital Signature" property sheet missing without "Read Extended Attributes" access permission

July 30th 2025 at 02:49

Posted by Stefan Kanthak via Fulldisclosure on Jul 29

Hi @ll,

about 35 years ago Microsoft began to implement their "New Technology
File System" (NTFS) for their upcoming Windows NT operating system.
NTFS supports the extended attributes of the HPFS file system which
Microsoft and IBM had developed for their OS/2 operating system before.
NTFS' initial version, released with Windows NT 3.1 in 1993, had no
access control; this was added for Windows NT 3.5, released one year
later, with...
Full Disclosure

St. Pölten UAS 20250721-0 | Multiple Vulnerabilities in Helmholz Industrial Router REX100 / mbNET.mini

July 30th 2025 at 02:48

Posted by Thomas Weber | CyberDanube via Fulldisclosure on Jul 29

St. Pölten UAS 20250721-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities in REX100
product| Helmholz Industrial Router REX100 / mbNET.mini
vulnerable version| < 2.3.3
fixed version| 2.3.3
CVE number| CVE-2025-41673, CVE-2025-41674, CVE-2025-41675,
| CVE-2025-41676, CVE-2025-41677, CVE-2025-41678,...
Full Disclosure

APPLE-SA-07-29-2025-8 visionOS 2.6

July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-8 visionOS 2.6

visionOS 2.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124154.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

afclip
Available for: Apple Vision Pro
Impact: Parsing a file may lead to an unexpected app termination
Description: The issue was...
Full Disclosure

APPLE-SA-07-29-2025-7 tvOS 18.6

July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-7 tvOS 18.6

tvOS 18.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124153.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

afclip
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Parsing a file may lead to an unexpected app termination
Description:...
Full Disclosure

APPLE-SA-07-29-2025-6 watchOS 11.6

July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-6 watchOS 11.6

watchOS 11.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124155.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

afclip
Available for: Apple Watch Series 6 and later
Impact: Parsing a file may lead to an unexpected app termination
Description: The...
Full Disclosure

APPLE-SA-07-29-2025-5 macOS Ventura 13.7.7

July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-5 macOS Ventura 13.7.7

macOS Ventura 13.7.7 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124151.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Admin Framework
Available for: macOS Ventura
Impact: An app may be able to cause a denial-of-service
Description: A...
Full Disclosure

APPLE-SA-07-29-2025-4 macOS Sonoma 14.7.7

July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-4 macOS Sonoma 14.7.7

macOS Sonoma 14.7.7 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124150.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Admin Framework
Available for: macOS Sonoma
Impact: An app may be able to cause a denial-of-service
Description: A path...
Full Disclosure

APPLE-SA-07-29-2025-3 macOS Sequoia 15.6

July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-3 macOS Sequoia 15.6

macOS Sequoia 15.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124149.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Admin Framework
Available for: macOS Sequoia
Impact: An app may be able to cause a denial-of-service
Description: A path...
Full Disclosure

APPLE-SA-07-29-2025-2 iPadOS 17.7.9

July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-2 iPadOS 17.7.9

iPadOS 17.7.9 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124148.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accessibility
Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch,
and iPad 6th generation
Impact: Privacy...
Full Disclosure

APPLE-SA-07-29-2025-1 iOS 18.6 and iPadOS 18.6

July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-1 iOS 18.6 and iPadOS 18.6

iOS 18.6 and iPadOS 18.6 address the following issues.
Information about the security content is also available at
https://support.apple.com/124147.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accessibility
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and...
Full Disclosure

Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability

July 30th 2025 at 02:48

Posted by Egidio Romano on Jul 29

----------------------------------------------------------------------------
Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability
----------------------------------------------------------------------------

[-] Software Link:

https://invisioncommunity.com

[-] Affected Versions:

Certain 4.x versions before 4.7.21.

[-] Vulnerability Description:

The vulnerability is located within the...
Full Disclosure

CVE-2025-52187 – Stored XSS in School Management System (PHP/MySQL)

July 30th 2025 at 02:48

Posted by Sanjay Singh on Jul 29

Hello Full Disclosure community,

I'm sharing details of a recently assigned CVE affecting a widely used
open-source School Management System (PHP/MySQL).

--------------------------------------------
CVE ID: CVE-2025-52187
Vulnerability Type: Stored Cross-Site Scripting (XSS)
Attack Vector: Remote
Discoverer: Sanjay Singh
Vendor Repository:
https://github.com/GetProjectsIdea/Create-School-Management-System-with-PHP-MySQL
Version...
Full Disclosure

Invision Community <= 5.0.7 (oauth/callback) Reflected Cross-Site Scripting Vulnerability

July 30th 2025 at 02:48

Posted by Egidio Romano on Jul 29

-----------------------------------------------------------------------------------------
Invision Community <= 5.0.7 (oauth/callback) Reflected Cross-Site Scripting
Vulnerability
-----------------------------------------------------------------------------------------

[-] Software Link:

https://invisioncommunity.com

[-] Affected Versions:

Certain 4.x versions before 4.7.21.
All 5.x versions before 5.0.8.

[-] Vulnerability Description:...
Full Disclosure

Re: Multiple vulnerabilities in the web management interface of Intelbras routers

July 30th 2025 at 02:48

Posted by Palula Brasil on Jul 29

The following snippet in the text is associated with the wrong CVE number:
2.2 Possibility of injecting JavaScript code into the name of the visiting
network (XSS) - CVE-2025-26064

The correct CVE number for item 2.2 is CVE-2025-26065.
Full Disclosure

Stored XSS "Edit General Info" Functionality - seotoasterv2.5.0

July 30th 2025 at 02:48

Posted by Andrey Stoykov on Jul 29

# Exploit Title: Stored XSS "Edit General Info" Functionality -
seotoasterv2.5.0
# Date: 07/2025
# Exploit Author: Andrey Stoykov
# Version: 2.5.0
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS "Edit General Info" Functionality #3:

Steps to Reproduce

1. Login with admin and visit "Website ID Card" > "Website Id Card"
2. In the "Organization Name" add the following...
Full Disclosure

Stored XSS "Create Page" Functionality - seotoasterv2.5.0

July 30th 2025 at 02:48

Posted by Andrey Stoykov on Jul 29

# Exploit Title: Stored XSS "Create Page" Functionality - seotoasterv2.5.0
# Date: 07/2025
# Exploit Author: Andrey Stoykov
# Version: 2.5.0
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS "Create Page" Functionality #1:

Steps to Reproduce

1. Login with admin and visit "Pages" > "Create a Page"
2. In the "Meta Description" add the following payload...
Full Disclosure

Open Redirect "Login Page" Functionality - seotoasterv2.5.0

July 30th 2025 at 02:48

Posted by Andrey Stoykov on Jul 29

# Exploit Title: Open Redirect "Login Page" Functionality - seotoasterv2.5.0
# Date: 07/2025
# Exploit Author: Andrey Stoykov
# Version: 2.5.0
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Open Redirect "Login Page" Functionality #1:

Steps to Reproduce

Login to the application and then add the Referer header to attacker domain

// HTTP POST Request

POST /seotoaster/go HTTP/1.1
Host: 192.168.58.149...
Full Disclosure

Stored XSS "Edit Header" Functionality - seotoasterv2.5.0

July 30th 2025 at 02:48

Posted by Andrey Stoykov on Jul 29

# Exploit Title: Stored XSS "Edit Header" Functionality - seotoasterv2.5.0
# Date: 07/2025
# Exploit Author: Andrey Stoykov
# Version: 2.5.0
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS "Edit Header" Functionality #1:

Steps to Reproduce:

Login as admin user and visit "News"
Click on "Edit Header Content" and enter the payload "><img src=x
onerror=alert(1)>

//...
Full Disclosure

[KIS-2025-04] SugarCRM <= 14.0.0 (css/preview) LESS Code Injection Vulnerability

July 30th 2025 at 02:48

Posted by Egidio Romano on Jul 29

------------------------------------------------------------------
SugarCRM <= 14.0.0 (css/preview) LESS Code Injection Vulnerability
------------------------------------------------------------------

[-] Software Link:

https://www.sugarcrm.com

[-] Affected Versions:

All commercial versions before 13.0.4 and 14.0.1.

[-] Vulnerability Description:

User input passed through GET parameters to the /css/preview REST API
endpoint is not...
Full Disclosure

AK-Nord USB-Server-LXL privilege escalation and code execution (CVE-2025-52361)

July 30th 2025 at 02:47

Posted by Marcus Krueppel on Jul 29

================== Overview ==================
TL;DR: Using the low-privilege "admin" user account via SSH on the IoT device "USB-Server-LXL" [1], it is possible to
modify the script /etc/init.d/lighttpd which is executed by root upon restart, leading to arbitrary code execution with
root privileges.

CVE: CVE-2025-52361
Suggested CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Suggested CVSS...
Full Disclosure

KL-001-2025-016: Xorux LPAR2RRD File Upload Directory Traversal

July 28th 2025 at 23:43

Posted by KoreLogic Disclosures via Fulldisclosure on Jul 28

KL-001-2025-016: Xorux LPAR2RRD File Upload Directory Traversal

Title: Xorux LPAR2RRD File Upload Directory Traversal
Advisory ID: KL-001-2025-016
Publication Date: 2025-07-28
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-016.txt

1. Vulnerability Details

     Affected Vendor: Xorux
     Affected Product: LPAR2RRD
     Affected Version: 8.04 and prior
     Platform: Rocky Linux 8.10
     CWE...
Full Disclosure

KL-001-2025-015: Xorux LPAR2RRD Read Only User Log Download Exposing Sensitive Information

July 28th 2025 at 23:42

Posted by KoreLogic Disclosures via Fulldisclosure on Jul 28

KL-001-2025-015: Xorux LPAR2RRD Read Only User Log Download Exposing Sensitive Information

Title: Xorux LPAR2RRD Read Only User Log Download Exposing Sensitive Information
Advisory ID: KL-001-2025-015
Publication Date: 2025-07-28
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-015.txt

1. Vulnerability Details

     Affected Vendor: Xorux
     Affected Product: LPAR2RRD
     Affected Version: 8.04 and prior...
Full Disclosure

KL-001-2025-014: Xorux LPAR2RRD Read Only User Denial of Service

July 28th 2025 at 23:41

Posted by KoreLogic Disclosures via Fulldisclosure on Jul 28

KL-001-2025-014: Xorux LPAR2RRD Read Only User Denial of Service

Title: Xorux LPAR2RRD Read Only User Denial of Service
Advisory ID: KL-001-2025-014
Publication Date: 2025-07-28
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-014.txt

1. Vulnerability Details

     Affected Vendor: Xorux
     Affected Product: LPAR2RRD
     Affected Version: 8.04 and prior
     Platform: Rocky Linux 8.10
     CWE...
Full Disclosure

KL-001-2025-013: Xorux XorMon-NG Web Application Privilege Escalation to Administrator

July 28th 2025 at 23:40

Posted by KoreLogic Disclosures via Fulldisclosure on Jul 28

KL-001-2025-013: Xorux XorMon-NG Web Application Privilege Escalation to Administrator

Title: Xorux XorMon-NG Web Application Privilege Escalation to Administrator
Advisory ID: KL-001-2025-013
Publication Date: 2025-07-28
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-013.txt

1. Vulnerability Details

     Affected Vendor: Xorux
     Affected Product: XorMon-NG
     Affected Version: 1.8 and prior...
Full Disclosure

KL-001-2025-012: Xorux XorMon-NG Read Only User Export Device Configuration Exposing Sensitive Information

July 28th 2025 at 23:40

Posted by KoreLogic Disclosures via Fulldisclosure on Jul 28

KL-001-2025-012: Xorux XorMon-NG Read Only User Export Device Configuration Exposing Sensitive Information

Title: Xorux XorMon-NG Read Only User Export Device Configuration Exposing Sensitive Information
Advisory ID: KL-001-2025-012
Publication Date: 2025-07-28
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-012.txt

1. Vulnerability Details

     Affected Vendor: Xorux
     Affected Product: XorMon-NG
     ...
Full Disclosure

Multiple vulnerabilities in the web management interface of Intelbras routers

July 20th 2025 at 06:19

Posted by Gabriel Augusto Vaz de Lima via Fulldisclosure on Jul 19

=====[Tempest Security Intelligence]==========================================

Multiple vulnerabilities in the web management interface of Intelbras
routers

Author: Gabriel Lima <gabriel lima () tempest com br >

=====[Table of Contents]======================================================

1. Overview

2. Detailed description

3. Other contexts & solutions

4. Acknowledgements

5. Timeline

6. References

=====[1....
Full Disclosure

Missing Critical Security Headers in OpenBlow

July 13th 2025 at 03:13

Posted by Tifa Lockhart via Fulldisclosure on Jul 12

Advisory ID: OPENBLOW-2025-003
Title: Missing Critical Security Headers in OpenBlow
Date: 2025-07-12
Vendor: OpenBlow (openblow.it)
Severity: High
CVSS v3.1 Base Score: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Summary:

Multiple public deployments of the OpenBlow whistleblowing software lack
critical HTTP security headers. These configurations expose users to client-side
vulnerabilities including XSS, clickjacking, API misuse, and...
Full Disclosure

SAP NetWeaver S/4HANA - ABAP Code Execution via Internal Function

July 11th 2025 at 12:18

Posted by Office nullFaktor GmbH on Jul 11

nullFaktor Security Advisory < 20250719 >
===========================================================
Title: ABAP Code Execution via Internal Function
Module WRITE_AND_CALL_DBPROG

Vulnerability: Exposed Dangerous Functionality

Product: SAP NetWeaver S/4HANA
Homepage: http://www.sap.com

Affected Version: S/4HANA, SAP_BASIS 757 SP 3
SAP Note: 3546011

Impact: High...
Full Disclosure

Tiki Wiki CMS Groupware <= 28.3 Two Server-Side Template Injection Vulnerabilities

July 10th 2025 at 02:57

Posted by Egidio Romano on Jul 09

----------------------------------------------------------------------------------
Tiki Wiki CMS Groupware <= 28.3 Two Server-Side Template Injection
Vulnerabilities
----------------------------------------------------------------------------------

[-] Software Link:

https://tiki.org

[-] Affected Versions:

Version 28.3 and prior 28.x versions.
Version 27.2 and prior 27.x versions.
Version 24.8 and prior 24.x versions.
Version 21.12 and...
Full Disclosure

KL-001-2025-011: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Server-Side Request Forgery

July 9th 2025 at 22:19

Posted by KoreLogic Disclosures via Fulldisclosure on Jul 09

KL-001-2025-011: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Server-Side Request Forgery

Title: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Server-Side Request Forgery
Advisory ID: KL-001-2025-011
Publication Date: 2025-07-09
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-011.txt

1. Vulnerability Details

     Affected Vendor: Schneider Electric
     Affected...
Full Disclosure

KL-001-2025-010: Schneider Electric EcoStruxure IT Data Center Expert Privilege Escalation

July 9th 2025 at 22:18

Posted by KoreLogic Disclosures via Fulldisclosure on Jul 09

KL-001-2025-010: Schneider Electric EcoStruxure IT Data Center Expert Privilege Escalation

Title: Schneider Electric EcoStruxure IT Data Center Expert Privilege Escalation
Advisory ID: KL-001-2025-010
Publication Date: 2025-07-09
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-010.txt

1. Vulnerability Details

     Affected Vendor: Schneider Electric
     Affected Product: EcoStruxure IT Data Center Expert...
Full Disclosure

KL-001-2025-009: Schneider Electric EcoStruxure IT Data Center Expert Remote Command Execution

July 9th 2025 at 22:17

Posted by KoreLogic Disclosures via Fulldisclosure on Jul 09

KL-001-2025-009: Schneider Electric EcoStruxure IT Data Center Expert Remote Command Execution

Title: Schneider Electric EcoStruxure IT Data Center Expert Remote Command Execution
Advisory ID: KL-001-2025-009
Publication Date: 2025-07-09
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-009.txt

1. Vulnerability Details

     Affected Vendor: Schneider Electric
     Affected Product: EcoStruxure IT Data Center...
Full Disclosure

KL-001-2025-008: Schneider Electric EcoStruxure IT Data Center Expert Root Password Discovery

July 9th 2025 at 22:17

Posted by KoreLogic Disclosures via Fulldisclosure on Jul 09

KL-001-2025-008: Schneider Electric EcoStruxure IT Data Center Expert Root Password Discovery

Title: Schneider Electric EcoStruxure IT Data Center Expert Root Password Discovery
Advisory ID: KL-001-2025-008
Publication Date: 2025-07-09
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-008.txt

1. Vulnerability Details

     Affected Vendor: Schneider Electric
     Affected Product: EcoStruxure IT Data Center...
Full Disclosure

KL-001-2025-007: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Remote Code Execution

July 9th 2025 at 22:16

Posted by KoreLogic Disclosures via Fulldisclosure on Jul 09

KL-001-2025-007: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Remote Code Execution

Title: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Remote Code Execution
Advisory ID: KL-001-2025-007
Publication Date: 2025-07-09
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-007.txt

1. Vulnerability Details

     Affected Vendor: Schneider Electric
     Affected Product:...
Full Disclosure

KL-001-2025-006: Schneider Electric EcoStruxure IT Data Center Expert XML External Entities Injection

July 9th 2025 at 22:15

Posted by KoreLogic Disclosures via Fulldisclosure on Jul 09

KL-001-2025-006: Schneider Electric EcoStruxure IT Data Center Expert XML External Entities Injection

Title: Schneider Electric EcoStruxure IT Data Center Expert XML External Entities Injection
Advisory ID: KL-001-2025-006
Publication Date: 2025-07-09
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-006.txt

1. Vulnerability Details

     Affected Vendor: Schneider Electric
     Affected Product: EcoStruxure IT...
Full Disclosure

eSIM security research (GSMA eUICC compromise and certificate theft)

July 9th 2025 at 08:28

Posted by Security Explorations on Jul 09

Dear All,

We broke security of Kigen eUICC card with GSMA consumer certificates
installed into it.

The eUICC card makes it possible to install the so called eSIM profiles
into target chip. eSIM profiles are software representations of mobile
subscriptions. For many years such mobile subscriptions had a form of a
physical SIM card of various factors (SIM, microSIM, nanoSIM). With eSIM,
the subscription can come in a pure digital form (as a...
Full Disclosure

Directory Traversal "Site Title" - bluditv3.16.2

July 8th 2025 at 02:50

Posted by Andrey Stoykov on Jul 07

# Exploit Title: Directory Traversal "Site Title" - bluditv3.16.2
# Date: 07/2025
# Exploit Author: Andrey Stoykov
# Version: 3.16.2
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Directory Traversal "Site Title" #1:

Steps to Reproduce:

1. Login with admin account and "General" > "General"
2. Set the "Site Title" to the following payload "../../../malicious"
3....
Full Disclosure

XSS via SVG File Upload - bluditv3.16.2

July 8th 2025 at 02:50

Posted by Andrey Stoykov on Jul 07

# Exploit Title: XSS via SVG File Upload - bluditv3.16.2
# Date: 07/2025
# Exploit Author: Andrey Stoykov
# Version: 3.16.2
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

XSS via SVG File Upload #1:

Steps to Reproduce:

1. Login with admin account and click on "General" > "Logo"

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"...
Full Disclosure

Stored XSS "Add New Content" Functionality - bluditv3.16.2

July 8th 2025 at 02:50

Posted by Andrey Stoykov on Jul 07

# Exploit Title: Stored XSS "Add New Content" Functionality - bluditv3.16.2
# Date: 07/2025
# Exploit Author: Andrey Stoykov
# Version: 3.16.2
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS "Add New Content" Functionality #1:

Steps to Reproduce:

1. Login with admin account and visit "New Content"
2. In the "Source Code" field enter the following parameter...
Full Disclosure

Session Fixation - bluditv3.16.2

July 8th 2025 at 02:50

Posted by Andrey Stoykov on Jul 07

# Exploit Title: Session Fixation - bluditv3.16.2
# Date: 07/2025
# Exploit Author: Andrey Stoykov
# Version: 3.16.2
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Session Fixation #1:

Steps to Reproduce:

Visit the login page. Login with valid user and observe that the sessionID
has not been changed

// HTTP POST request logging in

POST /bludit/admin/ HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0;...
Full Disclosure

iOS Activation Flaw Enables Pre-User Device Compromise and Identity Exposure (iOS 18.5)

July 1st 2025 at 06:49

Posted by josephgoyd via Fulldisclosure on Jun 30

Title: iOS Activation Flaw Enables Pre-User Device Compromise

Reported to Apple: May 19, 2025
Reported to US-CERT: May 19, 2025
US-CERT Case #: VU#346053
Vendor Status: Silent
Public Disclosure: June 26, 2025

------------------------------------------------------------------------
Summary
------------------------------------------------------------------------

A critical vulnerability exists in Apple's iOS activation pipeline that
allows...
Full Disclosure

Remote DoS in httpx 1.7.0 – Out-of-Bounds Read via Malformed <title> Tag

June 26th 2025 at 04:37

Posted by Brian Carpenter via Fulldisclosure on Jun 25

Hey list,

You can remotely crash httpx v1.7.0 (by ProjectDiscovery) by serving a malformed <title> tag on your website. The bug
is a classic out-of-bounds read in trimTitleTags() due to a missing bounds check when slicing the title string. It
panics with:

panic: runtime error: slice bounds out of range [9:6]

Affects anyone using httpx in their automated scanning pipeline. One malformed HTML response = scanner down. Unit
testing or...
Full Disclosure

CVE-2025-32978 - Quest KACE SMA Unauthenticated License Replacement

June 24th 2025 at 03:13

Posted by Seralys Research Team via Fulldisclosure on Jun 23

Seralys Security Advisory | https://www.seralys.com/research

======================================================================
Title: Unauthenticated License Replacement
Product: Quest KACE Systems Management Appliance (SMA)
Affected: Confirmed on 14.1 (older versions likely affected)
Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5),
14.1.101(Patch 4)
Vendor: Quest Software
Discovered: April...
Full Disclosure

CVE-2025-32977 - Quest KACE Unauthenticated Backup Upload

June 24th 2025 at 03:13

Posted by Seralys Research Team via Fulldisclosure on Jun 23

Seralys Security Advisory | https://www.seralys.com/research

======================================================================
Title: Unauthenticated Backup Upload
Product: Quest KACE Systems Management Appliance (SMA)
Affected: Confirmed on 14.1 (older versions likely affected)
Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5),
14.1.101(Patch 4)
Vendor: Quest Software
Discovered: April 2025...
Full Disclosure

CVE-2025-32976 - Quest KACE SMA 2FA Bypass

June 24th 2025 at 03:13

Posted by Seralys Research Team via Fulldisclosure on Jun 23

Seralys Security Advisory | https://www.seralys.com/research

======================================================================
Title: 2FA Bypass
Product: Quest KACE Systems Management Appliance (SMA)
Affected: Confirmed on 14.1 (older versions likely affected)
Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5),
14.1.101(Patch 4)
Vendor: Quest Software
Discovered: April 2025
Severity: HIGH...
Full Disclosure

CVE-2025-32975 - Quest KACE SMA Authentication Bypass

June 24th 2025 at 03:13

Posted by Seralys Research Team via Fulldisclosure on Jun 23

Seralys Security Advisory | https://www.seralys.com/research

======================================================================
Title: Authentication Bypass
Product: Quest KACE Systems Management Appliance (SMA)
Affected: Confirmed on 14.1 (older versions likely affected)
Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5),
14.1.101(Patch 4)
Vendor: Quest Software
Discovered: April 2025
Severity:...
Full Disclosure

RansomLord (NG v1.0) anti-ransomware exploit tool

June 24th 2025 at 03:12

Posted by malvuln on Jun 23

First official NG versioned release with significant updates, fixes
and new features
https://github.com/malvuln/RansomLord/releases/tag/v1.0

RansomLord (NG) v1.0 Anti-Ransomware exploit tool.
Proof-of-concept tool that automates the creation of PE files, used to
exploit ransomware pre-encryption.

Lang: C
SHA256: ACB0C4EEAB421761B6C6E70B0FA1D20CE08247525641A7CD03B33A6EE3D35D8A

Deweaponize feature PoC video:...
Full Disclosure

Disclosure Yealink Cloud vulnerabilities

June 24th 2025 at 03:11

Posted by Jeroen Hermans via Fulldisclosure on Jun 23

Dear all,

---Abstract---
Yealink RPS contains several vulnerabilities that can lead to leaking of
PII and/or MITM attacks.
Some vulnerabilities are unpatched even after disclosure to the
manufacturer.
---/Abstract---

We are Stefan Gloor and Jeroen Hermans. We are independent computer
security researchers working on a disclosure process for critical
vulnerabilities we found in Yealink telecommunication devices and
infrastructure.
In the...
Full Disclosure

"Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)

June 18th 2025 at 03:07

Posted by josephgoyd via Fulldisclosure on Jun 17

"Glass Cage" – Sophisticated Zero-Click iMessage Exploit Chain Enabling Persistent iOS Compromise and Device Bricking

CVE-2025-24085, CVE-2025-24201(CNVD-2025-07885)

Author: Joseph Goydish II
Date: 06/10/2025
Release Type: Full Disclosure
Platform Affected: iOS 18.2 (confirmed zero-day at time of discovery)
Delivery Vector: iMessage (default configuration)
Impact: Remote Code Execution, Privilege Escalation, Keychain Exfiltration,...
Full Disclosure

SEC Consult SA-20250612-0 :: Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer)

June 18th 2025 at 03:07

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 17

SEC Consult Vulnerability Lab Security Advisory < 20250612-0 >
=======================================================================
title: Reflected Cross-Site Scripting
product: ONLYOFFICE Docs (DocumentServer)
vulnerable version: <=8.3.1
fixed version: 8.3.2 or higher
CVE number: CVE-2025-5301
impact: Medium
homepage: https://www.onlyoffice.com/...
Full Disclosure

SEC Consult SA-20250611-0 :: Undocumented Root Shell Access on SIMCom SIM7600G Modem

June 18th 2025 at 03:07

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 17

SEC Consult Vulnerability Lab Security Advisory < 20250611-0 >
=======================================================================
title: Undocumented Root Shell Access
product: SIMCom - SIM7600G Modem
vulnerable version: Firmware Revision: LE20B03SIM7600M21-A
fixed version: -
CVE number: CVE-2025-26412
impact: Medium
homepage: https://www.simcom.com...
Full Disclosure

Call for Applications: ERCIM STM WG 2025 Award for the Best Ph.D. Thesis on Security and Trust Management (July 31, 2025)

June 18th 2025 at 03:03

Posted by 0610648533 on Jun 17

========================================================================

CALL FOR APPLICATIONS

ERCIM STM WG 2025 Award for the

Best Ph.D. Thesis on Security and Trust Management

========================================================================

The European Research Consortium in Informatics and Mathematics (ERCIM)
has a technical WG on Security and Trust Management (STM) for performing
a series of activities, as research projects,...
Full Disclosure

SEC Consult SA-20250604-0 :: Local Privilege Escalation and Default Credentials in INDAMED - MEDICAL OFFICE (Medical practice management) Demo version

June 10th 2025 at 02:44

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 09

SEC Consult Vulnerability Lab Security Advisory < 20250604-0 >
=======================================================================
title: Local Privilege Escalation and Default Credentials
product: INDAMED - MEDICAL OFFICE (Medical practice management)
Demo version
vulnerable version: Revision 18544 (II/2024)
fixed version: Q2/2025 (Privilege Escalation, Default Password)...
Full Disclosure

Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain → Secure Enclave Key Theft, Wormable RCE, Crypto Theft

June 10th 2025 at 02:43

Posted by josephgoyd via Fulldisclosure on Jun 09

Hello Full Disclosure,

This is a strategic public disclosure of a zero-click iMessage exploit chain that was discovered live on iOS 18.2 and
remained unpatched through iOS 18.4. It enabled Secure Enclave key theft, wormable remote code execution, and
undetectable crypto wallet exfiltration. Despite responsible disclosure, the research was suppressed by the vendor.
Apple issued a silent fix in iOS 18.4.1 (April 2025) without public...
Full Disclosure

Defense in depth -- the Microsoft way (part 89): user group policies don't deserve tamper protection

June 3rd 2025 at 13:03

Posted by Stefan Kanthak on Jun 03

Hi @ll,

user group policies are stored in DACL-protected registry keys
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
respectively [HKEY_CURRENT_USER\Software\Policies] and below, where
only the SYSTEM account and members of the "Administrators" user group
are granted write access.

At logon the user's registry hive "%USERPROFILE%\ntuser.dat" is loaded
with exclusive (read, write and...
Full Disclosure

CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP Project v1.0

June 3rd 2025 at 13:03

Posted by Sanjay Singh on Jun 03

Hello Full Disclosure list,

I am sharing details of a newly assigned CVE affecting an open-source
educational software project:

------------------------------------------------------------------------
CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP
Project v1.0
------------------------------------------------------------------------

Product: CloudClassroom PHP Project
Vendor:...
Full Disclosure

ERPNext v15.53.1 Stored XSS in bio Field Allows Arbitrary Script Execution in Profile Page

June 3rd 2025 at 13:03

Posted by Ron E on Jun 03

An authenticated attacker can inject JavaScript into the bio field of their
user profile. When the profile is viewed by another user, the injected
script executes.

*Proof of Concept:*

POST /api/method/frappe.desk.page.user_profile.user_profile.update_profile_info HTTP/2
Host: --host--

profile_info={"bio":"\"><img src=x onerror=alert(document.cookie)>"}