Overview CVE-2025-63708 details a Cross-Site Scripting (XSS) vulnerability affecting the SourceCodester AI Font Matcher (nid=18425, version dated 2025-10-10). This vulnerability allows remote attackers to inject and execute arbitrary JavaScript code within the browsers of users interacting with the affected application. This can lead to severe security breaches, including session cookie theft, account hijacking, and unauthorized actions performed on behalf of legitimate users. Technical Details The root cause of this XSS vulnerability lies within the application’s handling of font family names passed to the webfonts API. The application fails to properly sanitize or validate these names, allowing an attacker to inject…

Overview CVE-2025-13289 is a security vulnerability identified in the 1000projects Design & Development of Student Database Management System version 1.0. This vulnerability allows for SQL injection attacks, potentially enabling unauthorized access to sensitive student data and system compromise. The exploit is publicly available, making immediate action crucial. Technical Details The vulnerability resides in the file /TeacherLogin/Academics/SubjectDetails.php. Specifically, the SubCode argument is susceptible to SQL injection. A remote attacker can manipulate this argument to execute arbitrary SQL queries, bypassing normal security measures. CVSS Analysis Severity: MEDIUM CVSS Score: 6.3 This CVSS score indicates a vulnerability that requires some skill to exploit…

Overview A high-severity security vulnerability, identified as CVE-2025-13288, has been discovered in Tenda CH22 version 1.0.0.1 routers. This vulnerability exposes the router to remote attacks due to a buffer overflow in the fromPptpUserSetting function within the /goform/PPTPUserSetting file. Public exploits are available, increasing the urgency for users to apply mitigations. Technical Details The vulnerability stems from insufficient input validation when handling the delno argument in the fromPptpUserSetting function. By crafting a malicious request with an overly long delno value, attackers can overwrite memory buffers, potentially leading to arbitrary code execution or denial-of-service conditions. The attack can be performed remotely, making…

Overview CVE-2025-4321 describes a denial-of-service (DoS) vulnerability affecting Bluetooth devices utilizing the RS9116-WiseConnect SDK. This vulnerability can be triggered when the device receives malformed L2CAP (Logical Link Control and Adaptation Protocol) packets. Upon receiving such packets, the device enters a state requiring a hard reset to restore normal operation, effectively causing a denial of service. Technical Details The vulnerability stems from insufficient input validation within the RS9116-WiseConnect SDK’s L2CAP packet processing routines. When a malformed L2CAP packet is received, the SDK fails to handle the error gracefully, leading to a system crash or lock-up. The exact nature of the malformation…

Overview CVE-2025-13287 describes a medium severity SQL injection vulnerability found in itsourcecode Online Voting System version 1.0. This vulnerability allows a remote attacker to execute arbitrary SQL commands by manipulating the id or category parameter in the /index.php?page=categories endpoint. The vulnerability is publicly known and actively exploitable, posing a significant risk to systems running the affected software. Technical Details The vulnerability stems from insufficient input validation on the id or category parameters within the /index.php?page=categories page. By injecting malicious SQL code into these parameters, an attacker can bypass intended security measures and interact directly with the underlying database. This could…

Overview CVE-2025-13286 details a security vulnerability present in itsourcecode Online Voting System version 1.0. This vulnerability is classified as a SQL Injection and allows remote attackers to potentially execute arbitrary SQL commands, leading to unauthorized access to sensitive data and system compromise. The flaw resides within the /ajax.php?action=save_user file, specifically through manipulation of the ID argument. This vulnerability has been publicly disclosed, increasing the risk of active exploitation. Technical Details The vulnerability lies in the lack of proper sanitization of user-supplied input within the /ajax.php?action=save_user endpoint. By manipulating the ID parameter, an attacker can inject malicious SQL code into the…

Overview A high-severity SQL Injection vulnerability, identified as CVE-2025-13285, has been discovered in itsourcecode Online Voting System version 1.0. This flaw allows remote attackers to potentially execute arbitrary SQL commands by manipulating the Username parameter within the /login.php file. The vulnerability is actively being exploited, making immediate action crucial to protect affected systems. Technical Details The vulnerability resides in the /login.php file of the itsourcecode Online Voting System 1.0. The application fails to properly sanitize user-supplied input to the Username parameter, allowing an attacker to inject malicious SQL code. This can lead to unauthorized access to sensitive data, modification of…

Overview CVE-2025-13280 describes a high-severity SQL injection vulnerability found in CodeAstro Simple Inventory System version 1.0. This vulnerability allows a remote attacker to execute arbitrary SQL commands by manipulating the Username parameter during the login process. Publicly available exploits exist, making this a critical issue to address. Technical Details The vulnerability resides within the /index.php file, specifically in the Login component. By injecting malicious SQL code into the Username field, an attacker can bypass authentication and potentially gain unauthorized access to sensitive data stored in the database. The vulnerable function does not properly sanitize or validate user input, allowing the…

Overview CVE-2025-13279 identifies a medium-severity SQL injection vulnerability in Nero Social Networking Site version 1.0. This flaw allows a remote attacker to execute arbitrary SQL queries by manipulating the ID argument in the /profilefriends.php file. Publicly available exploit code exists, increasing the risk of exploitation. Technical Details The vulnerability stems from improper sanitization of user-supplied input passed to the ID parameter in the /profilefriends.php script. An attacker can inject malicious SQL code into this parameter, which, when processed by the application’s database query, can lead to unauthorized data access, modification, or even complete database compromise. The specific injection point lies…

Overview CVE-2025-13278 is a medium severity SQL injection vulnerability discovered in projectworlds Advanced Library Management System version 1.0. This vulnerability allows a remote attacker to execute arbitrary SQL commands by manipulating the datefrom and dateto arguments in the /borrowed_book_search.php file. The vulnerability is publicly known and actively exploitable, posing a significant risk to systems running the affected software. Published: 2025-11-17T13:15:54.980 Technical Details The SQL injection vulnerability resides in the /borrowed_book_search.php file of the Advanced Library Management System 1.0. The application fails to properly sanitize user-supplied input in the datefrom and dateto parameters. This allows an attacker to inject malicious SQL…