Overview

A Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-62687, has been discovered in LogStare Collector. This vulnerability allows an attacker to potentially execute unintended actions on behalf of a logged-in user, simply by tricking them into visiting a malicious webpage. This article provides a detailed overview of the vulnerability, its potential impact, and the necessary steps to mitigate the risk.

Technical Details

CVE-2025-62687 exists because LogStare Collector does not properly validate the origin of requests, making it susceptible to CSRF attacks. An attacker can craft a malicious HTML page containing a request that, when visited by an authenticated LogStare…
Overview

CVE-2025-62189 is an incorrect authorization vulnerability discovered in LogStare Collector. This flaw allows a non-administrative user to create new user accounts by sending a specially crafted HTTP request. Successfully exploiting this vulnerability could lead to unauthorized access, privilege escalation, and potential compromise of the LogStare Collector system.

Technical Details

The vulnerability resides within the UserRegistration functionality of LogStare Collector. The application fails to properly validate the user's authorization level before processing the user creation request. By crafting a malicious HTTP request containing the necessary parameters to create a new user, an attacker with a basic user account can bypass…
Overview

A stored cross-site scripting (XSS) vulnerability has been discovered in LogStare Collector, identified as CVE-2025-61949. This vulnerability resides in the UserManagement functionality. If maliciously crafted user information is stored within LogStare Collector, an attacker can execute arbitrary scripts on the web browser of any user who logs into the product's management page. This can lead to account compromise, data theft, or other malicious activities.

Technical Details

The vulnerability stems from insufficient input sanitization when processing user-provided data within the UserManagement section of LogStare Collector. Specifically, fields such as username, display name, or other user profile information are not properly…
Overview

A critical vulnerability, identified as CVE-2025-58097, has been discovered in LogStare Collector. This vulnerability arises from incorrect access permissions configured for the installation directory of LogStare Collector. This flaw allows a non-administrative user to manipulate files within the directory, potentially leading to arbitrary code execution with administrative privileges. This represents a significant security risk for organizations utilizing LogStare Collector.

Technical Details

CVE-2025-58097 stems from insecure default permissions set on the LogStare Collector installation directory. Specifically, a standard (non-administrator) user has write access to files and subdirectories within the installation path. By exploiting this write access, a malicious user can…
Overview

CVE-2025-9825 is a medium-severity security vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows authenticated users, *without* project membership, to potentially view sensitive manual CI/CD variables. The vulnerability stems from an issue in the GraphQL API that could be exploited to bypass access controls. This impacts all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2. GitLab has addressed this vulnerability in versions 18.3.4 and 18.4.2. Updating your GitLab instance is crucial to mitigate the risk.

Technical Details

The vulnerability resides within GitLab's GraphQL API. An improperly implemented authorization check allowed authenticated…
A high-severity vulnerability has been discovered in Wireshark's Kafka dissector, potentially leading to a denial-of-service (DoS) condition. Tracked as CVE-2025-13499, this flaw affects Wireshark versions 4.6.0 and 4.4.0 through 4.4.10. This article provides a comprehensive overview of the vulnerability, its potential impact, and steps you can take to mitigate the risk.

Overview

CVE-2025-13499 describes a crash within the Kafka dissector of Wireshark. This vulnerability can be triggered when Wireshark attempts to analyze a malformed or specially crafted Kafka packet. Exploiting this flaw could lead to the Wireshark application crashing, effectively causing a denial of service for anyone relying on it…
Overview

CVE-2025-12169 identifies a medium-severity vulnerability found in the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress. This vulnerability allows authenticated attackers with Subscriber-level access or higher to clear the scheduled triggers option, leading to unauthorized modification of data. The affected versions are up to and including version 3.3.0.

Technical Details

The vulnerability stems from a missing capability check on the wp_ajax_eh_crm_settings_empty_scheduled_actions AJAX action. This means that any authenticated user, regardless of their role (Subscriber or higher), can trigger this AJAX action without proper authorization. The absence of this check enables malicious actors to inadvertently or intentionally disrupt…
Overview

CVE-2025-12085 identifies a medium-severity vulnerability in the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress. This flaw allows authenticated attackers with Subscriber-level access or higher to empty the ticket trash without authorization. The vulnerability stems from a missing capability check within the eh_crm_settings_empty_trash function. This means even users with limited privileges can potentially delete important ticket data, leading to data loss and disruption of customer support operations. All versions up to and including 3.3.1 are affected.

Technical Details

The vulnerability resides in the eh_crm_settings_empty_trash function within the ELEX HelpDesk plugin. This function is responsible for emptying the ticket…
Overview

CVE-2025-12023 is a medium-severity vulnerability affecting the ELEX WordPress HelpDesk & Customer Ticketing System plugin. This vulnerability allows authenticated attackers with Subscriber-level access or higher to restore tickets without proper authorization. This can lead to unauthorized access to sensitive information and potential manipulation of customer support data.

Technical Details

The vulnerability exists due to a missing capability check on the eh_crm_restore_data() function within the plugin. Specifically, the code in includes/class-crm-ajax-functions.php does not verify if the user has the necessary permissions to restore tickets before executing the function. As a result, any authenticated user, even with the basic Subscriber role,…
Overview

CVE-2025-12022 is a medium-severity security vulnerability affecting the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress. Specifically, it allows authenticated attackers with Subscriber-level access (or higher) to restore all deleted tickets. This is due to a missing capability check on the eh_crm_settings_restore_trash AJAX endpoint. This vulnerability exists in all versions of the plugin up to and including version 3.3.1.

Technical Details

The vulnerability lies in the lack of proper authorization checks before allowing users to trigger the ticket restoration functionality. The eh_crm_settings_restore_trash AJAX endpoint, responsible for restoring tickets from the trash, fails to verify if the requesting…