FreshRSS

Full Disclosure

Defense in depth -- the Microsoft way (part 92): more stupid blunders of Windows' File Explorer

— September 8th 2025 at 22:33

Posted by Stefan Kanthak via Fulldisclosure on Sep 08

Hi @ll,

this extends the two previous posts titled Defense in depth --
the Microsoft way (part 90): "Digital Signature" property sheet
missing without "Read Extended Attributes" access permission
<https://seclists.org/fulldisclosure/2025/Jul/39> and Defense
in depth -- the Microsoft way (part 91): yet another 30 year
old bug of the "Properties" shell extension
<https://seclists.org/fulldisclosure/2025/Aug/2...

Critical Security Report – Remote Code Execution via Persistent Discord WebRTC Automation

— September 8th 2025 at 22:33

Posted by Taylor Newsome on Sep 08

Reporter: [Taylor Christian Newsome / SleepRaps () gmail com]
Date: [8/21/2025]
Target: Discord WebRTC / Voice Gateway API
Severity: Critical

1. Executive Summary
A proof-of-concept (PersistentRTC) demonstrates remote code execution (RCE)
capability against Discord users. The PoC enables
Arbitrary JavaScript execution in a victim’s browser context via WebRTC
automation.
Persistent access to Discord voice channels without user consent.
Optional...

Submission of Critical Firmware Parameters – PCIe HCA Cards

— September 8th 2025 at 22:33

Posted by Taylor Newsome on Sep 08

*To:* support () mellanox com, networking-support () nvidia com

*From:* Taylor Christian Newsome

*Date:* August 20, 2025

*Dear Mellanox/NVIDIA Networking Support Team,*

I am writing to formally submit the critical firmware parameters for
Mellanox PCI Express Host Channel Adapter (HCA) cards, as detailed in the
official documentation available here:
https://content.mellanox.com/firmware/critical_params.txt.

This document specifies essential...

SEC Consult SA-20250908-0 :: NFC Card Vulnerability Exploitation Leading to Free Top-Up in KioSoft "Stored Value" Unattended Payment Solution (Mifare)

— September 8th 2025 at 22:33

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Sep 08

SEC Consult Vulnerability Lab Security Advisory < 20250908-0 >
=======================================================================
title: NFC Card Vulnerability Exploitation Leading to Free Top-Up
product: KioSoft "Stored Value" Unattended Payment Solution (Mifare)
vulnerable version: Current firmware/hardware as of Q2/2025
fixed version: No version numbers available
CVE number:...

FFmpeg 7.0+ Integer Overflow in FFmpeg cache: Protocol (CacheEntry::size)

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

An integer overflow vulnerability exists in the FFmpeg cache: URL protocol
implementation. The CacheEntry structure uses a 32-bit signed integer to
store cache entry sizes (int size), but the cache layer can accumulate
cached data exceeding 2 GB. Once entry->size grows beyond INT_MAX and new
data is appended, an overflow occurs. This results in corrupted cache
metadata and can lead to logic errors, incorrect data reads, and possible...

FFmpeg 7.0+ Integer Overflow in DSCP Option Handling of FFmpeg UDP Protocol

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

A vulnerability exists in the FFmpeg UDP protocol implementation (
libavformat/udp.c) where the dscp parameter is parsed from a URI and
left-shifted without bounds checking. Supplying a maximum 32-bit signed
integer (2147483647) triggers undefined behavior due to a left shift that
exceeds the representable range of int. This results in abnormal process
termination (DoS) and may lead to miscompiled logic or further memory
corruption depending on...

FFmpeg 7.0+ Integer Overflow in UDP Protocol Handler (fifo_size option)

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

A signed integer overflow exists in FFmpeg’s udp.c implementation when
parsing the fifo_size option from a user-supplied UDP URL. The overflow
occurs during multiplication, which is used to compute the size of the
circular receive buffer. This can result in undefined behavior, allocation
failures, or potentially memory corruption depending on compiler
optimizations and downstream usage. (FFmpeg 7.0-8.0)

*Impact:*

- Denial of Service...

FFmpeg 7.0+ LADSPA Filter Arbitrary Shared Object Loading via Unsanitized Environment Variables

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

The ladspa audio filter implementation (libavfilter/af_ladspa.c) in FFmpeg
allows unsanitized environment variables to influence dynamic library
loading. Specifically, the filter uses getenv("LADSPA_PATH") and
getenv("HOME") when resolving the plugin shared object (.so) name provided
through the file option. These values are concatenated into a filesystem
path and passed directly into dlopen() without validation or...

FFmpeg 7.0+ NULL Pointer Dereference in FFmpeg String Handling (avstring.c)

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

Improper validation in libavutil/avstring.c allows a NULL pointer
dereference when processing certain strings in HLS contexts. UBSan reports
"applying zero offset to null pointer." Triggers denial of service (DoS)
when FFmpeg processes malicious playlists or malformed URLs. (FFmpeg 7.0 –
8.0)

*Impact:*

- Consistently crashes the process (DoS).
- Exploitation beyond denial of service is unlikely on modern OSes.

*Proof...

FFmpeg 7.0+ Type Confusion in FFmpeg Function Pointer Calls (libavformat/utils.c)

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

FFmpeg invokes function pointers through incorrect type casting, leading to
type confusion. UndefinedBehaviorSanitizer logs mismatched signatures in
utils.c:528. Crafted inputs can cause UB, misaligned function dispatch, and
possible arbitrary code execution depending on platform ABI. (FFmpeg 7.0 –
8.0)

*Impact:*

- DoS in normal builds.
- Potential information disclosure or RCE under certain compilers/architectures.

*Proof...

FFmpeg 7.0+ Integer Overflow in FFmpeg yuvcmp Tool Leads to Out-of-Bounds Allocation

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

The FFmpeg tools/yuvcmp utility is vulnerable to an integer overflow when
large width and height parameters are supplied. The overflow occurs during
buffer size calculations (width * height) leading to incorrect allocation
sizes and subsequent memory corruption. An attacker controlling input
dimensions can trigger large or invalid memory allocations, leading to
denial of service (DoS), memory exhaustion, or potential heap corruption.
(FFmpeg...

FFmpeg 7.0+ Heap Use-After-Free in FFmpeg HLS Demuxer (libavformat/utils.c)

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

Malformed .m3u8 playlists can trigger a heap use-after-free when the HLS
demuxer handles segment references. ASan reports access to freed memory
inside libavformat/utils.c:528. A crafted .m3u8 could allow remote
attackers to achieve denial of service (DoS), information disclosure, or
potentially remote code execution depending on heap state. (FFmpeg 7.0-8.0)

*Impact:*

- Remote attackers can crash the transcoder with a malicious playlist....

DjVuLibre 3.5.29 ZPCodec Unsigned Integer Overflow in Arithmetic Encoding

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

The DjVuLibre document compression library (tested version 3.5.29) contains
multiple instances of unsigned integer overflow in the ZPCodec.cpp
component. During arithmetic encoding operations (e.g., zemit, encode_lps,
encode_lps_simple, eflush), crafted input can cause arithmetic wraparound
(0-1, 1-2, or value+UINT_MAX). These operations rely on precise probability
modeling for entropy encoding, and wraparound corrupts encoder state. An
attacker...

DjVuLibre 3.5.29 IW44EncodeCodec Integer Overflow (Negative Left Shift in IW44Image::Map::Encode)

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

The DjVuLibre document compression library (tested version 3.5.29) is
vulnerable to an integer overflow caused by a left shift of a negative
signed integer in the IW44EncodeCodec.cpp component. When processing
crafted PPM input passed through the c44 utility, negative pixel values are
left-shifted in functions such as filter_fh, filter_fv, and
IW44Image::Map::Encode::create. This results in undefined behavior and
corrupted intermediate state...

libheif v1.21.0 Integer Overflow in Y4M Loader leading to Uncontrolled Memory Allocation

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

An integer overflow vulnerability exists in the Y4M input loader (loadY4M
in decoder_y4m.cc) of libheif. The loader fails to properly validate the
width and height values declared in the Y4M file header. Supplying a
crafted .y4m file with extremely large dimensions (e.g., W2147483647
H2147483647) causes integer overflow during buffer size calculations. This
results in uncontrolled memory allocation requests that exceed supported
limits. Depending...

libheif v1.21.0 Null Pointer Dereference in std::vector<unsigned>::empty

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

During construction of a Track_Visual object, corrupted sequence metadata
can leave a std::vector<unsigned> uninitialized. When .empty() is called,
it attempts to dereference a null object.

*Root Cause:*

- Missing input validation when constructing vectors from parsed boxes.

*Impact:*

- Application crash (DoS).
- Not exploitable for code execution.

*Evidence:*

==1174955==ERROR: AddressSanitizer: SEGV in...

libheif v1.21.0 Null Pointer Dereference in Box_hdlr::get_handler_type

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

Box_hdlr::get_handler_type() (libheif/box.h:487) is called even when the
hdlr box has not been properly initialized due to malformed input. This
leads to dereferencing a null object pointer.

*Root Cause:*

- No validation of hdlr box presence before accessing handler fields.

*Impact:*

- Application crash only (DoS).
- No memory corruption or exploitability.

*Evidence:*

==2436988==ERROR: AddressSanitizer: SEGV on unknown...

libheif v1.21.0 Out-of-Bounds Read in FullBox::get_flags

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

The FullBox::get_flags() method retrieves 24-bit flags from the underlying
box header. When a malformed box truncates the field, the function still
attempts to read three bytes. With insufficient data, this reads past valid
memory into uninitialized or out-of-bounds memory.

*Root Cause:*

- No length validation before reading flag fields.

*Impact:*

- Crash due to invalid memory access.
- Potential leakage of heap memory...

libheif v1.21.0 Out-of-Bounds Read in Box_stts::get_sample_duration

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

The Box_stts structure defines decoding time to sample mapping. In
Box_stts::get_sample_duration(unsigned), the requested index is assumed
valid. A crafted file can set entry_count inconsistently with the actual
buffer size, leading to access beyond the bounds of the parsed vector.

*Root Cause:*

- Lack of bounds checks on entry_count and indexing operations.
- Blind trust in stts box metadata.

*Impact:*

- Invalid memory...

libheif 1.21.0 Use-After-Free / Dangling shared_ptr in Track Chunk Handling

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

The Track::init_sample_timing_table logic manages a
std::vector<std::shared_ptr<Chunk>> representing parsed sequence chunks.
With malformed HEIF sequence files, corrupted chunk tables may cause
premature destruction of Chunk objects while references remain in the
vector. Later accesses via std::__shared_ptr<Chunk>::get() return a
dangling pointer.

ASan reports these as heap-buffer-overflows because the stale pointer still...

libheif v1.21.0 Heap Buffer Overflow in Chunk::Chunk

— September 8th 2025 at 22:28

Posted by Ron E on Sep 08

The vulnerability resides in the constructor Chunk::Chunk (
libheif/sequences/chunk.cc:89). When parsing the Sample Size Box (stsz) of
a HEIF sequence track, the code allocates a std::vector<unsigned int> and
then appends entries for each sample size. The count used for allocation
and iteration is taken directly from the bitstream (Box_stsz::parse)
without verifying consistency between declared count and available data.

When the stsz box...

CVE-2024-45438 - SpamTitan Unauthenticated User Creation

— September 8th 2025 at 22:27

Posted by Seralys Research Team via Fulldisclosure on Sep 08

Seralys Security Advisory | https://www.seralys.com/research

======================================================================
Title: Unauthenticated User Creation
Product: SpamTitan Email Security Gateway
Affected: Confirmed on 8.00.95
Fixed in: 8.00.101 and 8.01.14
Vendor: TitanHQ
Discovered: May 2024
Severity: HIGH
CWE: CWE-306: Missing Authentication for Critical Function
CVE:...

APPLE-SA-08-20-2025-5 macOS Ventura 13.7.8

— September 8th 2025 at 22:27

Posted by Apple Product Security via Fulldisclosure on Sep 08

APPLE-SA-08-20-2025-5 macOS Ventura 13.7.8

macOS Ventura 13.7.8 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124929.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

ImageIO
Available for: macOS Ventura
Impact: Processing a malicious image file may result in memory
corruption. Apple...

APPLE-SA-08-20-2025-4 macOS Sonoma 14.7.8

— September 8th 2025 at 22:27

Posted by Apple Product Security via Fulldisclosure on Sep 08

APPLE-SA-08-20-2025-4 macOS Sonoma 14.7.8

macOS Sonoma 14.7.8 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124928.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

ImageIO
Available for: macOS Sonoma
Impact: Processing a malicious image file may result in memory
corruption. Apple is...

APPLE-SA-08-20-2025-3 macOS Sequoia 15.6.1

— September 8th 2025 at 22:27

Posted by Apple Product Security via Fulldisclosure on Sep 08

APPLE-SA-08-20-2025-3 macOS Sequoia 15.6.1

macOS Sequoia 15.6.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124927.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

ImageIO
Available for: macOS Sequoia
Impact: Processing a malicious image file may result in memory
corruption. Apple...

APPLE-SA-08-20-2025-2 iPadOS 17.7.10

— September 8th 2025 at 22:27

Posted by Apple Product Security via Fulldisclosure on Sep 08

APPLE-SA-08-20-2025-2 iPadOS 17.7.10

iPadOS 17.7.10 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124926.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

ImageIO
Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch,
and iPad 6th generation
Impact: Processing a...

Asterisk Security Release 20.15.2

— September 8th 2025 at 21:55

Posted by Asterisk Development Team via Fulldisclosure on Sep 08

The Asterisk Development Team would like to announce security release
Asterisk 20.15.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.15.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.15.2

## Change Log for Release asterisk-20.15.2

### Links:

- [Full ChangeLog](...

Asterisk Security Release 21.10.2

— September 8th 2025 at 21:55

Posted by Asterisk Development Team via Fulldisclosure on Sep 08

The Asterisk Development Team would like to announce security release
Asterisk 21.10.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.10.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.10.2

## Change Log for Release asterisk-21.10.2

### Links:

- [Full ChangeLog](...

Asterisk Security Release 18.26.4

— September 8th 2025 at 21:55

Posted by Asterisk Development Team via Fulldisclosure on Sep 08

The Asterisk Development Team would like to announce security release
Asterisk 18.26.4.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/18.26.4
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 18.26.4

## Change Log for Release asterisk-18.26.4

### Links:

- [Full ChangeLog](...

Apple’s A17 Pro Chip: Critical Flaw Causes Dual Subsystem Failure & Forensic Log Loss

— September 8th 2025 at 21:54

Posted by Joseph Goydish II via Fulldisclosure on Sep 08

TITLE:
APPLE'S A17 PRO SILICON FLAW: SHARED I²C4 BUS BETWEEN SECURE ENCLAVE AND DIGITIZER CAUSES CASCADING SYSTEM FAILURE

SUMMARY:
This report discloses a CRITICAL HARDWARE FLAW in Apple’s A17 Pro chip (D84AP), affecting retail iPhone 15 Pro Max
devices. The flaw results from a SHARED I²C4 BUS used by TWO CRITICAL SUBSYSTEMS:

- THE SECURE ENCLAVE PROCESSOR (SPU) – responsible for cryptographic operations and secure boot
- THE...

Multi-Protocol Traceroute

— August 19th 2025 at 03:02

Posted by Usman Saeed via Fulldisclosure on Aug 18

#!/usr/bin/env python3
"""
Adaptive Multi-Protocol Traceroute

Author: Usman Saeed
email: u () defzero net
Website: www.defzero.net

Description:
This script is a TTL-based path mapper that reveals routes even when classic traceroute is
filtered. The idea was that it would run in passes: first a conventional trace (ICMP Echo and
rotating TCP SYN ports) to capture the...

SEC Consult SA-20250728-0 :: Stored Cross-Site-Scripting in Optimizely Episerver CMS

— August 19th 2025 at 03:00

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Aug 18

Confidentiality class: Internal & Partner

SEC Consult Vulnerability Lab Security Advisory < publishing date 20250728-0 >
=======================================================================
title: Multiple Stored Cross-Site Scripting Vulnerabilities
product: Optimizely Episerver Content Management System (EPiServer.CMS.Core)
vulnerable version: Version 11.X: <11.21.4
Version 12.X:...

SEC Consult SA-20250807-0 :: Race Condition in Shopware Voucher Submission

— August 19th 2025 at 03:00

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Aug 18

Confidentiality class: Internal & Partner

SEC Consult Vulnerability Lab Security Advisory < publishing date 20250807-0 >
=======================================================================
title: Race Condition in Shopware Voucher Submission
product: Shopware 6
vulnerable version: v6.6.10.4
fixed version: No fixed version available yet
CVE number: CVE-2025-7954
impact: medium...

Insufficient Resource Allocation Limits in nopCommerce v4.10 and v4.80.3 Excel Import Functionality

— August 19th 2025 at 03:00

Posted by Ron E on Aug 18

nopCommerce is vulnerable to Insufficient Resource Allocation Limits when
handling large Excel file imports. Although the application provides a
warning message recommending that users avoid importing more than 500–1,000
records at once due to memory constraints, the system does not enforce hard
limits on file size, record count, or concurrent imports.

An attacker can exploit this by uploading excessively large Excel files or
automating...

CSV Injection in nopcommerce v4.10 and 4.80.3

— August 19th 2025 at 03:00

Posted by Ron E on Aug 18

nopCommerce versions v4.10 and v4.80.3 are vulnerable to CSV Injection
(Formula Injection) when exporting data to CSV. The application does not
properly sanitize user-supplied input before including it in CSV export
files.

An attacker can inject malicious spreadsheet formulas into fields that will
later be exported (for example, order details, product names, or customer
information). When the exported file is opened in spreadsheet software...

Insufficient Session Cookie Invalidation in nopCommerce v4.10 and 4.80.3

— August 19th 2025 at 03:00

Posted by Ron E on Aug 18

nopCommerce v4.10 and 4.80.3 are vulnerable to Insufficient Invalidation of
Session Cookies. The application does not properly invalidate or expire
authentication cookies after logout or session termination.

An attacker who obtains a valid session cookie (e.g., via network
interception, XSS, or system compromise) can continue to use the cookie to
access privileged endpoints (such as /Admin) even after the legitimate user
has logged out. This flaw...

Session Fixation Vulnerability in iDempiere WebUI v 12.0.0.202508171158

— August 19th 2025 at 03:00

Posted by Ron E on Aug 18

The application does not issue a new session identifier (JSESSIONID) after
successful authentication. An attacker who can set or predict a victim’s
session ID prior to login may hijack the victim’s authenticated session
once they log in, resulting in full account takeover.

POST /webui HTTP/2
Host: <host>
Cookie: JSESSIONID=node01***.node0;

CSV Injection in iDempiere WebUI 12.0.0.202508171158

— August 19th 2025 at 03:00

Posted by Ron E on Aug 18

A CSV Injection vulnerability exists in iDempiere WebUI
v12.0.0.202508171158. The application fails to properly sanitize
user-supplied input before including it in exported CSV files. An
authenticated attacker can inject malicious spreadsheet formulas
(e.g., =cmd|'/C
notepad'!A1) into fields that are later exported. When the CSV is opened in
spreadsheet software such as Microsoft Excel or LibreOffice Calc, the
injected formula is...

liblcf v0.8.1 liblcf/lcf2xml: Untrusted LCF data triggers uncaught std::length_error via negative vector resize (DoS)

— August 19th 2025 at 03:00

Posted by Ron E on Aug 18

lcf2xml (part of liblcf) aborts when parsing specially crafted RPG Maker
2000/2003 files that supply a negative element count for vectors of
structured records. The generic reader:

template <class S>
void Struct<S>::ReadLcf(std::vector<S>& vec, LcfReader& stream) {
    int count = stream.ReadInt();
    vec.resize(count); // <— negative -> huge size_t -> throws length_error
    for (int i = 0; i...

liblcf v0.8.1 Integer Overflow in liblcf `ReadInt()` Leads to Out-of-Bounds Reads and Denial of Service

— August 19th 2025 at 03:00

Posted by Ron E on Aug 18

A crafted RPG Maker save file (`.lsd`) can trigger an integer overflow in
liblcf’s lcfstrings compressed integer decoding logic
(`LcfReader::ReadInt()`), resulting in an unbounded shift and accumulation
loop. The overflowed value is later used in buffer size allocations and
structure parsing, causing large memory access requests and parsing errors.

*Steps to Reproduce*

1. Use the attached `.lsd` file (see PoC section).

2. Run: `./lcfstrings...

Piciorgros TMO-100: Unauthorized configuration change via TFTP (CVE-2025-29617)

— August 19th 2025 at 02:59

Posted by Georg Lukas on Aug 18

<PDF advisory:
https://rt-solutions.de/piciorgros/Piciorgros_TMO-100_TFTP_en.pdf >

Classification
--------------

- CWE-306: Missing Authentication for Critical Function

- CWE-940: Improper Verification of Source of a Communication Channel

- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

- CVSS 4.0 Score: 8.4 / High
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:N/SA:H

- CVSS 3.1 Score: 8.3...

Piciorgros TMO-100: Unauthorized log data access

— August 19th 2025 at 02:59

Posted by Georg Lukas on Aug 18

PDF advisory: https://rt-solutions.de/piciorgros/Piciorgros_TMO-100_IP-Logger_en.pdf

Classification
--------------

- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

- CVSS 4.0 Score: 5.3 / Medium
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

- CVSS 3.1 Score: 4.3 / Medium
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected systems
----------------

- Piciorgros TMO-100 V3/V4 with software version...

[tool] CRSprober

— August 19th 2025 at 02:58

Posted by Jozef Sudolsky on Aug 18

Dear community,

I’d like to share a small tool I’ve recently released - CRSprober.

This utility is designed to remotely detect the version of the OWASP
CRS as well as the configured paranoia level on a target protected by
ModSecurity + CRS.

It works by sending specific payloads and analyzing the WAF's
responses to determine this information. This can be useful for
testing, research, or verification purposes, especially when...

iOS 18.6 - Undocumented TCC Access to Multiple Privacy Domains via preflight=yes

— August 19th 2025 at 02:58

Posted by josephgoyd via Fulldisclosure on Aug 18

TITLE: Undocumented TCC Access to Multiple Privacy Domains via 'preflight=yes' in iOS 18.6
AUTHOR: Joseph Goydish II
DISCOVERY DATE: 2025-08-13
DEVICE: iPhone 14 Pro Max
OS VERSION: iOS 18.6 (non-jailbroken, stock)
SEVERITY: High
ACCESS: USB debugging or local log access
IMPACT: Silent, undocumented system access to sensitive user data across multiple TCC domains...

Kigen eUICC issue (custom backdoor vs. FW update bug)

— August 12th 2025 at 08:02

Posted by Security Explorations on Aug 12

Dear All,

On Jul 28, 2025 we provided Kigen with a report describing a new security
issue potentially affecting the company's eUICC cards. We did it regardless
of Kigen's refusal to provide us with patches / patching instructions, so
that we could verify the content / quality of the fixes released by the
company for previously reported JavaCard issues [1] (more on that and the
patching formula proposed by the company can be found on the eSIM project...

PlayReady Activation protocol issues (weak auth / fake client identities)

— August 12th 2025 at 07:59

Posted by Security Explorations on Aug 12

Dear All,

PlayReady Communication Protocols [1] include services for PlayReady
clients (such as Secure Clock), device owner's services (Activation /
Provisioning) and content service (License Server).

Back in 2022, we reported to Microsoft an issue pertaining to no auth at
PlayReady license server end, which was evaluated by Microsoft as no bug.

There is yet another auth issue, which builds on the above and affects
PlayReady Activation...

Defense in depth -- the Microsoft way (part 91): yet another 30 year old bug of the "Properties" shell extension

— August 5th 2025 at 03:07

Posted by Stefan Kanthak via Fulldisclosure on Aug 04

Hi @ll,

this extends the previous post titled Defense in depth -- the
Microsoft way (part 90): "Digital Signature" property sheet
missing without "Read Extended Attributes" access permission
<https://seclists.org/fulldisclosure/2025/Jul/39>, to document
another facet of this 30 year old bug in the "Properties" shell
extension.

About 35 years ago Microsoft began to implement their "New Technology
File...

Rtpengine: RTP Inject and RTP Bleed vulnerabilities despite proper configuration (CVSS v4.0 Score: 9.3 / Critical)

— August 3rd 2025 at 02:42

Posted by Sandro Gauci via Fulldisclosure on Aug 02

Rtpengine: RTP Inject and RTP Bleed vulnerabilities despite proper configuration (CVSS v4.0 Score: 9.3 / Critical)

- CVSS v4.0
- Exploitability: High
- Complexity: Low
- Vulnerable system: Medium
- Subsequent system: Medium
- Exploitation: High
- Security requirements: High
- Vector: https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:H/SI:H/SA:H
- Other references:...

APPLE-SA-07-30-2025-1 Safari 18.6

— August 3rd 2025 at 02:41

Posted by Apple Product Security via Fulldisclosure on Aug 02

APPLE-SA-07-30-2025-1 Safari 18.6

Safari 18.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124152.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

libxml2
Available for: macOS Ventura and macOS Sonoma
Impact: Processing a file may lead to memory corruption
Description: This is a...

Defense in depth -- the Microsoft way (part 90): "Digital Signature" property sheet missing without "Read Extended Attributes" access permission

— July 30th 2025 at 02:49

Posted by Stefan Kanthak via Fulldisclosure on Jul 29

Hi @ll,

about 35 years ago Microsoft began to implement their "New Technology
File System" (NTFS) for their upcoming Windows NT operating system.
NTFS supports the extended attributes of the HPFS file system which
Microsoft and IBM had developed for their OS/2 operating system before.
NTFS' initial version, released with Windows NT 3.1 in 1993, had no
access control; this was added for Windows NT 3.5, released one year
later, with...

St. Pölten UAS 20250721-0 | Multiple Vulnerabilities in Helmholz Industrial Router REX100 / mbNET.mini

— July 30th 2025 at 02:48

Posted by Thomas Weber | CyberDanube via Fulldisclosure on Jul 29

St. Pölten UAS 20250721-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities in REX100
product| Helmholz Industrial Router REX100 / mbNET.mini
vulnerable version| < 2.3.3
fixed version| 2.3.3
CVE number| CVE-2025-41673, CVE-2025-41674, CVE-2025-41675,
| CVE-2025-41676, CVE-2025-41677, CVE-2025-41678,...

APPLE-SA-07-29-2025-8 visionOS 2.6

— July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-8 visionOS 2.6

visionOS 2.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124154.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

afclip
Available for: Apple Vision Pro
Impact: Parsing a file may lead to an unexpected app termination
Description: The issue was...

APPLE-SA-07-29-2025-7 tvOS 18.6

— July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-7 tvOS 18.6

tvOS 18.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124153.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

afclip
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Parsing a file may lead to an unexpected app termination
Description:...
Full Disclosure

APPLE-SA-07-29-2025-6 watchOS 11.6

— July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-6 watchOS 11.6

watchOS 11.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124155.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

afclip
Available for: Apple Watch Series 6 and later
Impact: Parsing a file may lead to an unexpected app termination
Description: The...
Full Disclosure

APPLE-SA-07-29-2025-5 macOS Ventura 13.7.7

— July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-5 macOS Ventura 13.7.7

macOS Ventura 13.7.7 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124151.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Admin Framework
Available for: macOS Ventura
Impact: An app may be able to cause a denial-of-service
Description: A...
Full Disclosure

APPLE-SA-07-29-2025-4 macOS Sonoma 14.7.7

— July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-4 macOS Sonoma 14.7.7

macOS Sonoma 14.7.7 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124150.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Admin Framework
Available for: macOS Sonoma
Impact: An app may be able to cause a denial-of-service
Description: A path...
Full Disclosure

APPLE-SA-07-29-2025-3 macOS Sequoia 15.6

— July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-3 macOS Sequoia 15.6

macOS Sequoia 15.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124149.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Admin Framework
Available for: macOS Sequoia
Impact: An app may be able to cause a denial-of-service
Description: A path...
Full Disclosure

APPLE-SA-07-29-2025-2 iPadOS 17.7.9

— July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-2 iPadOS 17.7.9

iPadOS 17.7.9 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/124148.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accessibility
Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch,
and iPad 6th generation
Impact: Privacy...
Full Disclosure

APPLE-SA-07-29-2025-1 iOS 18.6 and iPadOS 18.6

— July 30th 2025 at 02:48

Posted by Apple Product Security via Fulldisclosure on Jul 29

APPLE-SA-07-29-2025-1 iOS 18.6 and iPadOS 18.6

iOS 18.6 and iPadOS 18.6 address the following issues.
Information about the security content is also available at
https://support.apple.com/124147.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Accessibility
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and...
Full Disclosure

Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability

— July 30th 2025 at 02:48

Posted by Egidio Romano on Jul 29

----------------------------------------------------------------------------
Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability
----------------------------------------------------------------------------

[-] Software Link:

https://invisioncommunity.com

[-] Affected Versions:

Certain 4.x versions before 4.7.21.

[-] Vulnerability Description:

The vulnerability is located within the...