Overview: This article delves into CVE-2024-44662, a critical SQL Injection vulnerability discovered in PHPGurukul Online Shopping Portal version 2.0. This vulnerability specifically affects the admin login page, allowing attackers to potentially gain unauthorized access to sensitive data and control over the application.

Technical Details: CVE-2024-44662 stems from insufficient sanitization of the username parameter during the authentication process on the admin login page. An attacker can inject malicious SQL code into the username field. When the application executes this injected code against the database, it can lead to various security breaches. Successful exploitation allows attackers to bypass authentication, extract sensitive information…
-
Overview: CVE-2024-44660 details a SQL Injection vulnerability found in PHPGurukul Online Shopping Portal version 2.0. This vulnerability allows attackers to potentially execute arbitrary SQL queries by manipulating user input in the login.php file. Specifically, the fullname, emailid, and contactno parameters are susceptible to exploitation. Successful exploitation of this vulnerability could lead to unauthorized access to sensitive data, data modification, or even complete compromise of the application’s database.

Technical Details: The vulnerability stems from improper sanitization and lack of input validation of the fullname, emailid, and contactno parameters within the login.php script. An attacker can inject malicious SQL code into these…
-
Overview: CVE-2024-44658 identifies a significant security vulnerability affecting PHPGurukul Complaint Management System version 2.0. This vulnerability is classified as a SQL Injection flaw, specifically present within the subcategory.php file. Successful exploitation of this vulnerability could allow attackers to manipulate database queries, potentially leading to unauthorized data access, modification, or even complete compromise of the system.

Technical Details: The SQL Injection vulnerability resides in the subcategory.php file of PHPGurukul Complaint Management System 2.0. The application fails to properly sanitize user-supplied input passed through the subcategory and category parameters. An attacker can inject malicious SQL code into these parameters, which is then…
-
Overview: CVE-2024-44655 identifies a Cross-Site Scripting (XSS) vulnerability found in PHPGurukul Complaint Management System version 2.0. This flaw allows attackers to inject malicious scripts into the application via the ‘search’ parameter within the user-search.php file. Successfully exploiting this vulnerability could lead to session hijacking, defacement of the website, or redirection of users to malicious sites.

Technical Details: The vulnerability resides in the user-search.php page of the PHPGurukul Complaint Management System 2.0. The application fails to properly sanitize or encode user-supplied input in the ‘search’ parameter before rendering it in the HTML output. This allows an attacker to inject arbitrary JavaScript…
-
Overview: A critical SQL Injection vulnerability has been identified in PHPGurukul Complaint Management System version 2.0. This vulnerability, tracked as CVE-2024-44654, allows attackers to potentially execute arbitrary SQL queries on the system’s database, potentially leading to data breaches, unauthorized access, and complete system compromise. The vulnerability is located in the `reset-password.php` file, specifically within the `email` and `mobileno` parameters.

Technical Details: The `reset-password.php` script in PHPGurukul Complaint Management System 2.0 is susceptible to SQL injection because it fails to properly sanitize user-supplied input before using it in database queries. An attacker can craft malicious SQL queries embedded within the `email`…
-
Overview: CVE-2025-64758 is a medium-severity Cross-Site Scripting (XSS) vulnerability affecting Dependency-Track, an open-source Component Analysis platform. Specifically, versions of @dependencytrack/frontend prior to 4.13.6 are vulnerable. This vulnerability allows users with the `SYSTEM_CONFIGURATION` permission (typically administrators) to inject arbitrary JavaScript code into the login page through the welcome message feature.

Technical Details: Dependency-Track’s frontend allows administrators to configure a custom “welcome message” on the login page. This message is intended for branding purposes and accepts HTML input. However, versions before 4.13.6 failed to properly sanitize this HTML input. An attacker with `SYSTEM_CONFIGURATION` permission can inject malicious JavaScript code within HTML tags.…
-
Overview: A high-severity command injection vulnerability, identified as CVE-2025-64756, has been discovered in the glob CLI tool. This vulnerability affects versions 10.3.7 through 11.0.3. Specifically, the vulnerability resides within the -c or --cmd option, allowing for arbitrary command execution when processing files with maliciously crafted names. This could lead to significant security risks, including complete system compromise.

Technical Details: The glob CLI tool is used for matching files based on shell-like patterns. When the -c or --cmd option is used in conjunction with these patterns (e.g., glob -c <command> <patterns>), the matched filenames are passed to a shell for execution.…
-
Overview: CVE-2025-64342 describes a vulnerability found in Espressif’s ESP-IDF (Espressif Internet of Things Development Framework). This issue can cause Bluetooth advertising to stop unexpectedly when the ESP32 receives a connection request with an invalid Access Address (AA) while in advertising mode. This can lead to a denial-of-service condition and potentially disrupt the intended functionality of the IoT device.

Technical Details: The vulnerability occurs when the ESP32, running ESP-IDF, is in Bluetooth advertising mode. If it receives a connection request containing an invalid Access Address (AA) of either 0x00000000 or 0xFFFFFFFF, the advertising process may terminate prematurely. The underlying issue causes…
-
Overview: CVE-2025-58407 is a high-severity vulnerability affecting kernel or driver software installed on Guest Virtual Machines (VMs). This flaw allows a malicious guest VM to potentially escape its isolation by exploiting a Time-of-Check Time-of-Use (TOCTOU) race condition within the GPU firmware interaction. Successfully exploiting this vulnerability can lead to unauthorized read and/or write operations outside the VM’s allocated memory space, effectively escaping the virtual machine environment.

Technical Details: The vulnerability arises from a race condition that occurs when a guest VM interacts with the host’s GPU firmware. The guest can send commands to the GPU firmware. If not properly validated…
-
Overview: CVE-2025-55059 is a reported vulnerability concerning Cross-Site Scripting (XSS), specifically categorized as CWE-79: Improper Neutralization of Input During Web Page Generation. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. This can lead to session hijacking, defacement, or the theft of sensitive information.

Technical Details: The vulnerability stems from insufficient sanitization or encoding of user-supplied input that is subsequently displayed within a web page. An attacker can exploit this by crafting malicious input (e.g., containing JavaScript code) and submitting it through a vulnerable form field, URL parameter, or other input vector. When the…