Overview
CVE-2024-8527 details an open redirect vulnerability found within the URL parameter of Automated Logic WebCTRL and Carrier i-Vu systems. This vulnerability affects versions 6.0, 6.5, 7.0, 8.0, 8.5, and 9.0. An attacker could potentially exploit this flaw to redirect users to malicious websites, potentially compromising user sessions and leading to phishing attacks.
Technical Details
The vulnerability lies in the insufficient validation of the URL parameter within the affected Automated Logic WebCTRL and Carrier i-Vu applications. An attacker can craft a malicious URL containing a redirect to an external, attacker-controlled domain. When a user clicks on this manipulated link, they…
-
Overview
CVE-2025-12592 highlights a critical security vulnerability affecting legacy Vivotek device firmware. The core issue lies in the use of default credentials for both the root and user login accounts within these devices. This oversight allows unauthorized users to potentially gain complete control over the affected Vivotek devices, leading to various security risks.
Technical Details
The vulnerability stems from the factory-default configuration of legacy Vivotek firmware. These devices ship with pre-configured usernames and passwords (e.g., “root” and “admin” with common passwords) that are often not changed by users during the initial setup. This lack of password customization provides a straightforward…
-
Overview
A critical SQL Injection vulnerability, identified as CVE-2025-10437, has been discovered in the Eksagate Electronic Engineering and Computer Industry Trade Inc. Webpack Management System. This vulnerability allows an attacker to potentially execute arbitrary SQL commands, leading to unauthorized data access, modification, or deletion. This issue affects Webpack Management System versions up to and including 20251119. Immediate action is recommended to mitigate this severe risk.
Technical Details
The vulnerability stems from improper neutralization of special elements used within an SQL command. Specifically, user-supplied input is not adequately sanitized before being incorporated into an SQL query. An attacker can exploit this…
-
Overview
A critical security vulnerability, identified as CVE-2025-13395, has been discovered in codehub666 94list. This flaw, affecting versions up to commit 5831c8240e99a72b7d3508c79ef46ae4b96befe8, is a remotely exploitable SQL injection vulnerability located within the Login function of the /function.php file. The exploit is publicly available, increasing the urgency of mitigation.
Technical Details
The vulnerability resides in the Login function within /function.php. Improper sanitization of user-supplied input during the login process allows attackers to inject arbitrary SQL commands. This could allow unauthorized access to the database, potentially leading to data breaches, modification of data, or complete system compromise. The vulnerable component is: /function.php:Login…
-
Overview
A critical security vulnerability, identified as CVE-2025-12472, has been discovered in Looker, affecting both Looker-hosted and self-hosted instances. This vulnerability allows an attacker with a Looker Developer role to manipulate a LookML project and exploit a race condition during Git directory deletion. Successful exploitation can lead to arbitrary command execution on the Looker instance. The good news is that Looker-hosted instances have already been mitigated, requiring no user action. However, self-hosted instances are vulnerable and require immediate action.
Technical Details
CVE-2025-12472 stems from a race condition that can occur during the deletion of Git directories within a LookML project.…
-
Overview
CVE-2025-58412 is a medium severity Cross-Site Scripting (XSS) vulnerability affecting Fortinet FortiADC. Specifically, it involves an improper neutralization of script-related HTML tags in a web page, potentially allowing attackers to execute unauthorized code or commands via crafted URLs. This vulnerability highlights the importance of proper input validation and output encoding in web applications to prevent malicious code injection. It impacts several versions of FortiADC, including 8.0.0, 7.6.0 through 7.6.3, 7.4 (all versions), and 7.2 (all versions).
Technical Details
The vulnerability lies in the way FortiADC handles specific HTML tags within user-supplied input (likely via URL parameters). An attacker can…
-
Overview
A high-severity denial-of-service (DoS) vulnerability, identified as CVE-2025-11230, has been discovered in the mjson library used by HAProxy. This flaw allows remote attackers to trigger a DoS condition by sending specially crafted JSON requests to a vulnerable HAProxy instance. The vulnerability arises from inefficient algorithm complexity within the mjson library, leading to excessive resource consumption when processing malicious JSON data.
Technical Details
The core of the vulnerability lies in how the mjson library parses and processes complex JSON structures. Specifically, a specially crafted JSON request with deeply nested or highly redundant elements can cause the parsing algorithm to exhibit…
-
Overview
CVE-2025-11446 is a vulnerability affecting upKeeper Solutions upKeeper Manager, specifically versions 5.2.0 up to, but not including, 5.2.12. This vulnerability involves the insertion of sensitive information, namely domain credentials, into log files. This could potentially lead to unauthorized access and compromise of the affected system and network.
Technical Details
The vulnerability occurs because upKeeper Manager inadvertently logs domain credentials during certain operations. This sensitive data is then stored in a plain-text format within the log files, making it accessible to anyone with access to those logs. An attacker could potentially leverage these exposed credentials to gain unauthorized access to…
-
Renault’s E-Tech technology represents a major step forward in the brand’s commitment to electric and hybrid mobility. Built from decades of automotive engineering and Formula 1 energy recovery expertise, E-Tech powertrains offer efficient performance, reduced emissions, and a smooth driving experience. Whether you are considering a fully electric vehicle or a hybrid option, the E-Tech line provides practical solutions for modern driving needs.
1. What Is Renault E-Tech?
Renault E-Tech is the company’s electrified powertrain technology used across its electric vehicles (EV), hybrid vehicles (HEV), and plug-in hybrid vehicles (PHEV). The system combines Renault’s knowledge from Formula 1 with innovations…
-
Overview
A high-severity Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-13206, has been discovered in the GiveWP – Donation Plugin and Fundraising Platform for WordPress. This vulnerability affects all versions up to, and including, 4.13.0. Due to insufficient input sanitization and output escaping of the ‘name’ parameter, an unauthenticated attacker can inject arbitrary web scripts into pages within your WordPress site. When a user accesses a page containing the injected script, the script will execute, potentially leading to account compromise, data theft, or other malicious activities. Crucially, this vulnerability requires that avatars are enabled in your WordPress installation to be…