FreshRSS

Vulnerabilities

[webapps] Lingdang CRM 8.6.4.7 - SQL Injection

Lingdang CRM 8.6.4.7 - SQL Injection

[remote] Ivanti Endpoint Manager Mobile 12.5.0.0 - Authentication Bypass

Ivanti Endpoint Manager Mobile 12.5.0.0 - Authentication Bypass

[webapps] Birth Chart Compatibility WordPress Plugin 2.0 - Full Path Disclosure

Birth Chart Compatibility WordPress Plugin 2.0 - Full Path Disclosure

[webapps] StoryChief Wordpress Plugin 1.0.42 - Arbitrary File Upload

StoryChief Wordpress Plugin 1.0.42 - Arbitrary File Upload

[local] GeoVision ASManager Windows Application 6.1.2.0 - Credentials Disclosure

GeoVision ASManager Windows Application 6.1.2.0 - Credentials Disclosure

[remote] GeoVision ASManager Windows Application 6.1.2.0 - Remote Code Execution (RCE)

GeoVision ASManager Windows Application 6.1.2.0 - Remote Code Execution (RCE)

Multi-Protocol Traceroute

Posted by Usman Saeed via Fulldisclosure on Aug 18

#!/usr/bin/env python3
"""
Adaptive Multi-Protocol Traceroute

Author: Usman Saeed
email: u () defzero net
Website: www.defzero.net

Description:
This script is a TTL-based path mapper that reveals routes even when classic traceroute is
filtered. The idea was that it would run in passes: first a conventional trace (ICMP Echo and
rotating TCP SYN ports) to capture the...

SEC Consult SA-20250728-0 :: Stored Cross-Site-Scripting in Optimizely Episerver CMS

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Aug 18

Confidentiality class: Internal & Partner

SEC Consult Vulnerability Lab Security Advisory < publishing date 20250728-0 >
=======================================================================
title: Multiple Stored Cross-Site Scripting Vulnerabilities
product: Optimizely Episerver Content Management System (EPiServer.CMS.Core)
vulnerable version: Version 11.X: <11.21.4
Version 12.X:...

SEC Consult SA-20250807-0 :: Race Condition in Shopware Voucher Submission

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Aug 18

Confidentiality class: Internal & Partner

SEC Consult Vulnerability Lab Security Advisory < publishing date 20250807-0 >
=======================================================================
title: Race Condition in Shopware Voucher Submission
product: Shopware 6
vulnerable version: v6.6.10.4
fixed version: No fixed version available yet
CVE number: CVE-2025-7954
impact: medium...

Insufficient Resource Allocation Limits in nopCommerce v4.10 and v4.80.3 Excel Import Functionality

Posted by Ron E on Aug 18

nopCommerce is vulnerable to Insufficient Resource Allocation Limits when
handling large Excel file imports. Although the application provides a
warning message recommending that users avoid importing more than 500–1,000
records at once due to memory constraints, the system does not enforce hard
limits on file size, record count, or concurrent imports.

An attacker can exploit this by uploading excessively large Excel files or
automating...

CSV Injection in nopcommerce v4.10 and 4.80.3

Posted by Ron E on Aug 18

nopCommerce versions v4.10 and v4.80.3 are vulnerable to CSV Injection
(Formula Injection) when exporting data to CSV. The application does not
properly sanitize user-supplied input before including it in CSV export
files.

An attacker can inject malicious spreadsheet formulas into fields that will
later be exported (for example, order details, product names, or customer
information). When the exported file is opened in spreadsheet software...

Insufficient Session Cookie Invalidation in nopCommerce v4.10 and 4.80.3

Posted by Ron E on Aug 18

nopCommerce v4.10 and 4.80.3 are vulnerable to Insufficient Invalidation of
Session Cookies. The application does not properly invalidate or expire
authentication cookies after logout or session termination.

An attacker who obtains a valid session cookie (e.g., via network
interception, XSS, or system compromise) can continue to use the cookie to
access privileged endpoints (such as /Admin) even after the legitimate user
has logged out. This flaw...

Session Fixation Vulnerability in iDempiere WebUI v 12.0.0.202508171158

Posted by Ron E on Aug 18

The application does not issue a new session identifier (JSESSIONID) after
successful authentication. An attacker who can set or predict a victim’s
session ID prior to login may hijack the victim’s authenticated session
once they log in, resulting in full account takeover.

POST /webui HTTP/2
Host: <host>
Cookie: JSESSIONID=node01***.node0;

CSV Injection in iDempiere WebUI 12.0.0.202508171158

Posted by Ron E on Aug 18

A CSV Injection vulnerability exists in iDempiere WebUI
v12.0.0.202508171158. The application fails to properly sanitize
user-supplied input before including it in exported CSV files. An
authenticated attacker can inject malicious spreadsheet formulas
(e.g., =cmd|'/C
notepad'!A1) into fields that are later exported. When the CSV is opened in
spreadsheet software such as Microsoft Excel or LibreOffice Calc, the
injected formula is...

liblcf v0.8.1 liblcf/lcf2xml: Untrusted LCF data triggers uncaught std::length_error via negative vector resize (DoS)

Posted by Ron E on Aug 18

lcf2xml (part of liblcf) aborts when parsing specially crafted RPG Maker
2000/2003 files that supply a negative element count for vectors of
structured records. The generic reader:

template <class S>
void Struct<S>::ReadLcf(std::vector<S>& vec, LcfReader& stream) {
    int count = stream.ReadInt();
    vec.resize(count); // <— negative -> huge size_t -> throws length_error
    for (int i = 0; i...

liblcf v0.8.1 Integer Overflow in liblcf `ReadInt()` Leads to Out-of-Bounds Reads and Denial of Service

Posted by Ron E on Aug 18

A crafted RPG Maker save file (`.lsd`) can trigger an integer overflow in
liblcf’s lcfstrings compressed integer decoding logic
(`LcfReader::ReadInt()`), resulting in an unbounded shift and accumulation
loop. The overflowed value is later used in buffer size allocations and
structure parsing, causing large memory access requests and parsing errors.

*Steps to Reproduce*

1. Use the attached `.lsd` file (see PoC section).

2. Run: `./lcfstrings...

Piciorgros TMO-100: Unauthorized configuration change via TFTP (CVE-2025-29617)

Posted by Georg Lukas on Aug 18

PDF advisory: https://rt-solutions.de/piciorgros/Piciorgros_TMO-100_TFTP_en.pdf

Classification
--------------

- CWE-306: Missing Authentication for Critical Function

- CWE-940: Improper Verification of Source of a Communication Channel

- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

- CVSS 4.0 Score: 8.4 / High
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:N/SA:H

- CVSS 3.1 Score: 8.3...

Piciorgros TMO-100: Unauthorized log data access

Posted by Georg Lukas on Aug 18

PDF advisory: https://rt-solutions.de/piciorgros/Piciorgros_TMO-100_IP-Logger_en.pdf

Classification
--------------

- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

- CVSS 4.0 Score: 5.3 / Medium
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

- CVSS 3.1 Score: 4.3 / Medium
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected systems
----------------

- Piciorgros TMO-100 V3/V4 with software version...

[tool] CRSprober

Posted by Jozef Sudolsky on Aug 18

Dear community,

I’d like to share a small tool I’ve recently released - CRSprober.

This utility is designed to remotely detect the version of the OWASP
CRS as well as the configured paranoia level on a target protected by
ModSecurity + CRS.

It works by sending specific payloads and analyzing the WAF's
responses to determine this information. This can be useful for
testing, research, or verification purposes, especially when...

iOS 18.6 - Undocumented TCC Access to Multiple Privacy Domains via preflight=yes

Posted by josephgoyd via Fulldisclosure on Aug 18

TITLE: Undocumented TCC Access to Multiple Privacy Domains via 'preflight=yes' in iOS 18.6
AUTHOR: Joseph Goydish II
DISCOVERY DATE: 2025-08-13
DEVICE: iPhone 14 Pro Max
OS VERSION: iOS 18.6 (non-jailbroken, stock)
SEVERITY: High
ACCESS: USB debugging or local log access
IMPACT: Silent, undocumented system access to sensitive user data across multiple TCC domains...

[webapps] RiteCMS 3.0.0 - Reflected Cross Site Scripting (XSS)

RiteCMS 3.0.0 - Reflected Cross Site Scripting (XSS)

[webapps] Lantronix Provisioning Manager 7.10.3 - XML External Entity Injection (XXE)

Lantronix Provisioning Manager 7.10.3 - XML External Entity Injection (XXE)

[webapps] BigAnt Office Messenger 5.6.06 - SQL Injection

BigAnt Office Messenger 5.6.06 - SQL Injection

[remote] PHPMyAdmin 3.0 - Bruteforce Login Bypass

PHPMyAdmin 3.0 - Bruteforce Login Bypass

[remote] Microsoft Windows 10.0.19045 - NTLMv2 Hash Disclosure

Microsoft Windows 10.0.19045 - NTLMv2 Hash Disclosure

[webapps] Soosyze CMS 2.0 - Brute Force Login

Soosyze CMS 2.0 - Brute Force Login

[remote] Tenda AC20 16.03.08.12 - Command Injection

Tenda AC20 16.03.08.12 - Command Injection

Kigen eUICC issue (custom backdoor vs. FW update bug)

Posted by Security Explorations on Aug 12

Dear All,

On Jul 28, 2025 we provided Kigen with a report describing new security
issue potentially affecting company's eUICC cards. We did it regardless
of Kigen refusal to provide us with patches / patching instructions, so
that we could verify the content / quality of the fixes released by the
company for previously reported JavaCard issues [1] (more on that and
patching formula proposed by the company can be found on eSIM project...

PlayReady Activation protocol issues (weak auth / fake client identities)

Posted by Security Explorations on Aug 12

Dear All,

PlayReady Communication Protocols [1] include services for PlayReady
clients (such as Secure Clock), device owner's services (Activation /
Provisioning) and content service (License Server).

Back in 2022, we reported to Microsoft an issue pertaining to no auth at
PlayReady license server end, which was evaluated by Microsoft as no bug.

There is yet another auth issue, which builds on the above and affects
PlayReady Activation...

[webapps] atjiu pybbs 6.0.0 - Cross Site Scripting (XSS)

atjiu pybbs 6.0.0 - Cross Site Scripting (XSS)

[local] Microsoft Windows - Storage QoS Filter Driver Checker

Microsoft Windows - Storage QoS Filter Driver Checker

[webapps] Grav CMS 1.7.48 - Remote Code Execution (RCE)

Grav CMS 1.7.48 - Remote Code Execution (RCE)

[remote] Citrix NetScaler ADC/Gateway 14.1 - Memory Disclosure

Citrix NetScaler ADC/Gateway 14.1 - Memory Disclosure

[remote] Tigo Energy Cloud Connect Advanced (CCA) 4.0.1 - Command Injection

Tigo Energy Cloud Connect Advanced (CCA) 4.0.1 - Command Injection

[webapps] Microsoft Edge Renderer Process (Mojo IPC) 134.0.6998.177 - Sandbox Escape

Microsoft Edge Renderer Process (Mojo IPC) 134.0.6998.177 - Sandbox Escape

[webapps] VMware vSphere Client 8.0.3.0 - Reflected Cross-Site Scripting (XSS)

VMware vSphere Client 8.0.3.0 - Reflected Cross-Site Scripting (XSS)

[remote] Microsoft SharePoint Server 2019 (16.0.10383.20020) - Remote Code Execution (RCE)

Microsoft SharePoint Server 2019 (16.0.10383.20020) - Remote Code Execution (RCE)

[remote] Belkin F9K1009 F9K1010 2.00.04/2.00.09 - Hard Coded Credentials

Belkin F9K1009 F9K1010 2.00.04/2.00.09 - Hard Coded Credentials

[webapps] Ghost CMS 5.42.1 - Path Traversal

Ghost CMS 5.42.1 - Path Traversal

[webapps] Ghost CMS 5.59.1 - Arbitrary File Read

Ghost CMS 5.59.1 - Arbitrary File Read

[webapps] projectworlds Online Admission System 1.0 - SQL Injection

projectworlds Online Admission System 1.0 - SQL Injection

[remote] Cisco ISE 3.0 - Authorization Bypass

Cisco ISE 3.0 - Authorization Bypass

[webapps] JetBrains TeamCity 2023.11.4 - Authentication Bypass

JetBrains TeamCity 2023.11.4 - Authentication Bypass

[webapps] ServiceNow Multiple Versions - Input Validation & Template Injection

ServiceNow Multiple Versions - Input Validation & Template Injection

[remote] Cisco ISE 3.0 - Remote Code Execution (RCE)

Cisco ISE 3.0 - Remote Code Execution (RCE)

Defense in depth -- the Microsoft way (part 91): yet another 30 year old bug of the "Properties" shell extension

Posted by Stefan Kanthak via Fulldisclosure on Aug 04

Hi @ll,

this extends the previous post titled Defense in depth -- the
Microsoft way (part 90): "Digital Signature" property sheet
missing without "Read Extended Attributes" access permission
<https://seclists.org/fulldisclosure/2025/Jul/39>, to document
another facet of this 30 year old bug in the "Properties" shell
extension.

About 35 years ago Microsoft began to implement their "New Technology
File...

[remote] Microsoft Edge (Chromium-based) 135.0.7049.114/.115 - Information Disclosure

Microsoft Edge (Chromium-based) 135.0.7049.114/.115 - Information Disclosure

[webapps] Gandia Integra Total 4.4.2236.1 - SQL Injection

Gandia Integra Total 4.4.2236.1 - SQL Injection

[webapps] Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)

Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)

[webapps] LPAR2RRD 8.04 - Remote Code Execution (RCE)

LPAR2RRD 8.04 - Remote Code Execution (RCE)

[remote] Swagger UI 1.0.3 - Cross-Site Scripting (XSS)

Swagger UI 1.0.3 - Cross-Site Scripting (XSS)

[webapps] Ultimate Member WordPress Plugin 2.6.6 - Privilege Escalation

Ultimate Member WordPress Plugin 2.6.6 - Privilege Escalation

[local] Microsoft Virtual Hard Disk (VHDX) 11 - Remote Code Execution (RCE)

Microsoft Virtual Hard Disk (VHDX) 11 - Remote Code Execution (RCE)

Rtpengine: RTP Inject and RTP Bleed vulnerabilities despite proper configuration (CVSS v4.0 Score: 9.3 / Critical)

Posted by Sandro Gauci via Fulldisclosure on Aug 02

Rtpengine: RTP Inject and RTP Bleed vulnerabilities despite proper configuration (CVSS v4.0 Score: 9.3 / Critical)

- CVSS v4.0
- Exploitability: High
- Complexity: Low
- Vulnerable system: Medium
- Subsequent system: Medium
- Exploitation: High
- Security requirements: High
- Vector: https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:H/SI:H/SA:H
- Other references:...

APPLE-SA-07-30-2025-1 Safari 18.6

Posted by Apple Product Security via Fulldisclosure on Aug 02

APPLE-SA-07-30-2025-1 Safari 18.6

Safari 18.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124152.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

libxml2
Available for: macOS Ventura and macOS Sonoma
Impact: Processing a file may lead to memory corruption
Description: This is a...

Defense in depth -- the Microsoft way (part 90): "Digital Signature" property sheet missing without "Read Extended Attributes" access permission

Posted by Stefan Kanthak via Fulldisclosure on Jul 29

Hi @ll,

about 35 years ago Microsoft began to implement their "New Technology
File System" (NTFS) for their upcoming Windows NT operating system.
NTFS supports the extended attributes of the HPFS file system which
Microsoft and IBM had developed for their OS/2 operating system before.
NTFS' initial version, released with Windows NT 3.1 in 1993, had no
access control; this was added for Windows NT 3.5, released one year
later, with...

St. Pölten UAS 20250721-0 | Multiple Vulnerabilities in Helmholz Industrial Router REX100 / mbNET.mini

Posted by Thomas Weber | CyberDanube via Fulldisclosure on Jul 29

St. Pölten UAS 20250721-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities in REX100
product| Helmholz Industrial Router REX100 / mbNET.mini
vulnerable version| < 2.3.3
fixed version| 2.3.3
CVE number| CVE-2025-41673, CVE-2025-41674, CVE-2025-41675,
| CVE-2025-41676, CVE-2025-41677, CVE-2025-41678,...

APPLE-SA-07-29-2025-8 visionOS 2.6

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-8 visionOS 2.6

visionOS 2.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124154.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

afclip
Available for: Apple Vision Pro
Impact: Parsing a file may lead to an unexpected app termination
Description: The issue was...

APPLE-SA-07-29-2025-7 tvOS 18.6

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-7 tvOS 18.6

tvOS 18.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124153.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

afclip
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Parsing a file may lead to an unexpected app termination
Description:...

APPLE-SA-07-29-2025-6 watchOS 11.6

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-6 watchOS 11.6

watchOS 11.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124155.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

afclip
Available for: Apple Watch Series 6 and later
Impact: Parsing a file may lead to an unexpected app termination
Description: The...