Overview: CVE-2025-31361 is a high-severity privilege escalation vulnerability affecting Dell ControlVault3 and ControlVault3 Plus. This vulnerability exists within the WBDI Driver’s WBIO_USH_ADD_RECORD functionality and can be exploited by a local attacker to gain elevated privileges on a vulnerable system. Technical Details: The vulnerability resides in the way the Dell ControlVault driver handles the WBIO_USH_ADD_RECORD functionality within the Windows Biometric Framework. Specifically, a specially crafted WinBioControlUnit call can be used to trigger the vulnerability. Prior to versions 5.15.14.19 (ControlVault3) and 6.2.36.47 (ControlVault3 Plus), insufficient validation of input parameters within the WBIO_USH_ADD_RECORD function allows an attacker to manipulate the system state and…
-
Overview: A high-severity buffer overflow vulnerability, identified as CVE-2025-13305, has been discovered in several D-Link router models. This flaw affects D-Link DWR-M920, DWR-M921, DWR-M960, DIR-822K, and DIR-825M devices running firmware version 1.01.07. The vulnerability allows a remote attacker to potentially execute arbitrary code on the affected device. This article provides a detailed analysis of CVE-2025-13305, including technical specifics, potential impact, and recommended mitigation strategies. Technical Details: The vulnerability resides within the handling of the host argument in the /boafrm/formTracerouteDiagnosticRun file. Improper input validation allows an attacker to inject an overly long string into the host parameter, leading to a buffer…
-
Overview: A high-severity buffer overflow vulnerability, identified as CVE-2025-13304, has been discovered in several D-Link router models. This flaw could allow remote attackers to execute arbitrary code on affected devices. The vulnerability affects specific versions of D-Link DWR-M920, DWR-M921, DWR-M960, DWR-M961 and DIR-825M routers. Due to the public availability of exploit code, immediate action is recommended to mitigate potential risks. Technical Details: The vulnerability resides within the `/boafrm/formPingDiagnosticRun` file of the affected D-Link router firmware. Specifically, it stems from insufficient validation of the `host` argument used in the Ping Diagnostic functionality. By manipulating this argument with an overly long string,…
-
Overview: CVE-2025-13224 is a high-severity vulnerability affecting Google Chrome’s V8 JavaScript engine. This vulnerability, identified as a type confusion issue, could allow a remote attacker to potentially exploit heap corruption through a specially crafted HTML page. The vulnerability was patched in Chrome version 142.0.7444.175. Technical Details: The vulnerability stems from a type confusion error within the V8 JavaScript engine. This occurs when the engine incorrectly infers the type of an object, leading to incorrect memory access and potential heap corruption. An attacker can leverage this by crafting a malicious HTML page that triggers the type confusion error during JavaScript execution.…
-
Overview: CVE-2025-13223 is a high-severity vulnerability affecting Google Chrome’s V8 JavaScript engine. Discovered and patched in version 142.0.7444.175, this type confusion flaw could allow a remote attacker to potentially trigger heap corruption by crafting a malicious HTML page. Successful exploitation could lead to arbitrary code execution or denial-of-service. Technical Details: The vulnerability stems from a type confusion error within the V8 JavaScript engine. Type confusion occurs when the engine misinterprets the type of data being processed. In the context of CVE-2025-13223, this allows an attacker to manipulate the memory layout and potentially corrupt the heap. A specially crafted HTML page…
-
Overview: CVE-2025-64766 is a medium-severity security vulnerability affecting the OnlyOffice document server when deployed on NixOS. This vulnerability stems from the use of a hard-coded secret in the NixOS module used to protect the file cache of OnlyOffice. This hard-coded secret could potentially allow an attacker with knowledge of a revision ID to access documents, even after a user’s access has expired. The issue has been resolved in NixOS unstable version 25.11 and version 25.05. Technical Details: The NixOS module for OnlyOffice’s document server employs a secret key to secure its file cache. Versions 22.11 to before 25.05, and…
-
Overview: CVE-2025-13303 is a medium-severity SQL injection vulnerability affecting Courier Management System version 1.0. This vulnerability allows a remote attacker to inject malicious SQL code through the “Consignment” argument in the /search-edit.php file. Successful exploitation of this vulnerability could allow an attacker to read, modify, or delete sensitive data within the application’s database. This vulnerability has been publicly disclosed, and proof-of-concept (PoC) exploits are available, increasing the risk of exploitation. Technical Details: The vulnerability resides within the /search-edit.php file of the Courier Management System 1.0. The application fails to properly sanitize user-supplied input passed through the “Consignment” parameter before using…
-
Overview: CVE-2025-13302 identifies a SQL injection vulnerability within Courier Management System version 1.0. This vulnerability allows a remote attacker to execute arbitrary SQL queries by manipulating the ManagerName argument in the /add-new-officer.php file. The public availability of an exploit makes this a significant security concern. Technical Details: The vulnerability resides in the /add-new-officer.php script. Specifically, the code that handles the ManagerName parameter fails to properly sanitize user input before incorporating it into a SQL query. This lack of sanitization allows an attacker to inject malicious SQL code, potentially compromising the database and the entire application. Attackers can exploit this flaw…
-
Overview: CVE-2025-36118 is a high-severity vulnerability affecting IBM Storage Virtualize versions 8.4, 8.5, 8.7, and 9.1. This flaw allows remote attackers to potentially obtain sensitive information from device memory through a specially crafted Security Association (SA) negotiation request within the IKEv1 protocol. Successful exploitation of this vulnerability could expose sensitive data, impacting the confidentiality of the affected storage systems. Technical Details: The vulnerability lies in the implementation of IKEv1 (Internet Key Exchange version 1) within IBM Storage Virtualize. The flaw is triggered during the Security Association (SA) negotiation process. A remote attacker can send a malicious SA negotiation request that,…
-
Overview: CVE-2025-13301 identifies a high-severity SQL injection vulnerability found in itsourcecode Web-Based Internet Laboratory Management System version 1.0. This vulnerability allows a remote attacker to potentially execute arbitrary SQL commands on the underlying database, leading to data breaches, system compromise, and other malicious activities. The vulnerability resides within the /subject/controller.php file and affects an unspecified functionality. A proof-of-concept exploit is publicly available, increasing the urgency for administrators to apply the necessary mitigation steps. Technical Details: The vulnerability exists due to improper sanitization of user-supplied input within the /subject/controller.php file. An attacker can inject malicious SQL code into parameters that are…