Overview
CVE-2025-13397 identifies a security vulnerability affecting mrubyc versions up to 3.4. This vulnerability, classified as low severity, involves a null pointer dereference issue within the mrbc_raw_realloc function located in the src/alloc.c file. Successful exploitation requires local access. This article provides a comprehensive overview of the vulnerability, its potential impact, and steps to mitigate the risk.

Technical Details
The vulnerability stems from improper handling of the ptr argument within the mrbc_raw_realloc function. Malicious manipulation of this argument can lead to the function attempting to dereference a null pointer, resulting in a program crash or other unexpected behavior. The specific patch…
-
Overview
CVE-2025-13396 is a medium-severity SQL injection vulnerability identified in code-projects Courier Management System version 1.0. This vulnerability allows a remote attacker to inject malicious SQL code through the OfficeName parameter in the /add-office.php file. Successful exploitation could lead to unauthorized data access, modification, or deletion within the application’s database. This vulnerability was published on 2025-11-19 and has a CVSS score of 6.3, indicating a moderate level of risk. The exploit is publicly available, increasing the likelihood of exploitation.

Technical Details
The vulnerability stems from improper sanitization of user-supplied input within the /add-office.php script. Specifically, the OfficeName parameter, intended to…
-
Overview
A critical vulnerability, identified as CVE-2025-10703, has been discovered in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline. This vulnerability, classified as an Improper Control of Generation of Code (‘Code Injection’) flaw, allows for Remote Code Inclusion (RCI). Specifically, the vulnerability lies in how the SpyAttribute connection option is handled.

Technical Details
The SpyAttribute connection option within the DataDirect JDBC drivers allows users to specify a file path where the JDBC driver will write its log information. An attacker can exploit this by manipulating the log=(file) construct to inject malicious JavaScript…
-
Overview
CVE-2025-10702 describes an “Improper Control of Generation of Code (‘Code Injection’)” vulnerability affecting Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver, and Hybrid Data Pipeline. This vulnerability allows for Remote Code Inclusion (RCI) if exploited successfully. The issue stems from an undocumented syntax construct within the `SpyAttribute` connection option.

Technical Details
The `SpyAttribute` connection option in the DataDirect Connect for JDBC drivers, DataDirect Hybrid Data Pipeline JDBC driver, and the DataDirect OpenAccess JDBC driver contains an undocumented syntax that an attacker could potentially leverage. If an application permits an end-user to specify a value for…
-
Overview
A reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-63243, has been discovered in Pixeon WebLaudos 25.1 (01). This vulnerability resides within the password change functionality of the application and poses a significant risk to user security.

Technical Details
The vulnerability is located in the loginAlterarSenha.asp file, specifically within the handling of the sle_sSenha parameter. An attacker can craft a malicious URL containing JavaScript code within the sle_sSenha parameter. When a victim clicks on this crafted URL, the injected JavaScript code executes within their browser, in the security context of the Pixeon WebLaudos application.

CVSS Analysis
Currently, the CVSS score…
-
Overview
A critical security vulnerability, identified as CVE-2025-63219, has been discovered in the ITEL ISO FM SFN Adapter. This vulnerability allows for session hijacking due to improper session management on the /home.html endpoint. Successful exploitation allows an attacker to gain complete control over the affected device.

Technical Details
The vulnerability resides in the ITEL ISO FM SFN Adapter, specifically affecting firmware version ISO2 2.0.0.0 and WebServer 2.0. The core issue is the lack of adequate session validation and management on the /home.html endpoint. This allows an unauthenticated attacker to potentially access and take over an active user session. By exploiting…
-
Overview
A critical security vulnerability, identified as CVE-2025-63218, has been discovered in Axel Technology WOLF1MS and WOLF2MS devices. Specifically, firmware versions 0.8.5 through 1.0.3 are affected. This vulnerability is classified as Broken Access Control due to missing authentication on a specific endpoint, potentially allowing unauthenticated remote attackers to gain complete control of the device.

Technical Details
The root cause of CVE-2025-63218 lies in the lack of authentication required to access the /cgi-bin/gstFcgi.fcgi endpoint. This unprotected endpoint allows attackers to perform highly sensitive actions without proper authorization. Attackers can exploit this flaw to:
- List user accounts
- Create new administrative users
- Delete…
-
Overview
CVE-2025-11963 describes a Reflected Cross-Site Scripting (XSS) vulnerability found in Saysis Computer Systems Trade Ltd. Co.’s StarCities application. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. It affects StarCities versions prior to 1.1.61. This article provides a detailed analysis of the vulnerability, its potential impact, and steps to mitigate the risk.

Technical Details
The vulnerability stems from the improper neutralization of user-supplied input during web page generation. Specifically, the StarCities application fails to adequately sanitize or encode user-provided data before reflecting it back to the user’s browser. An attacker can craft a…
-
Overview
CVE-2025-0421 describes an Improper Restriction of Rendered UI Layers or Frames vulnerability found in Shopside Software Technologies Inc.’s Shopside e-commerce platform. Specifically, it allows for iFrame Overlay, potentially enabling attackers to inject malicious content or manipulate the user interface. This vulnerability affects Shopside versions up to and including 05022025.

Technical Details
The vulnerability lies in the insufficient restriction of how Shopside handles iFrames. An attacker could potentially inject a malicious iFrame that overlays legitimate UI elements within the Shopside application. This overlay could be used for various malicious purposes, such as:
- Clickjacking: Tricking users into clicking on hidden elements…
-
Overview
CVE-2024-8528 details a reflected Cross-Site Scripting (XSS) vulnerability discovered in Automated Logic WebCTRL and Carrier i-VU systems. This vulnerability arises from the insufficient sanitization of a specific GET parameter, allowing attackers to inject and execute malicious JavaScript code within the context of a user’s browser. Successful exploitation can lead to session hijacking, credential theft, and defacement of the application. This vulnerability was published on 2025-11-19T14:15:57.780.

Technical Details
The reflected XSS vulnerability in Automated Logic WebCTRL and Carrier i-VU stems from a lack of proper input validation and sanitization on a specific GET parameter. By crafting a malicious URL containing…