• Cybersecurity Vulnerabilities

    CVE-2025-13238: Unrestricted File Upload Flaw Puts Bdtask Flight Booking Software at Risk

    Overview CVE-2025-13238 describes a medium-severity vulnerability found in Bdtask Flight Booking Software version 4. This security flaw allows for unrestricted file uploads, potentially enabling attackers to execute arbitrary code on the server. The vendor has been notified but has not yet responded to address this vulnerability. Technical Details The vulnerability resides within the /agent/profile/edit endpoint, specifically on the Edit Profile Page. An attacker can manipulate the file upload process to bypass security checks and upload malicious files, such as PHP scripts or other executable content. This unrestricted upload capability can be exploited remotely. The vulnerability allows an attacker to upload…
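Added example, not Bdtask code: the application above is PHP, and this Python illustration shows the two kinds of upload handler the teaser contrasts. The naive check is a suffix blocklist of the sort that an "unrestricted upload" typically has; the strict check enforces an extension allowlist, requires the file bytes to match the claimed type, rejects path components, NUL bytes and double extensions, and has the server choose the storage name and location. The filenames, payloads and the UPLOAD_ROOT path are constructed for the illustration.

```python
"""Upload validation: a bypassable blocklist beside an allowlist-plus-content check.

Added example, not code from Bdtask Flight Booking Software. UPLOAD_ROOT is an
assumed directory that sits outside the web root; all filenames are constructed.
"""
import os
import secrets

# Extension allowlist with the magic bytes each type must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024
UPLOAD_ROOT = "/var/app/uploads"  # assumption: not served by the web server


def naive_check(filename: str) -> bool:
    """The kind of check an unrestricted upload usually has: a blocklist
    applied only to the final dot-suffix. .phtml, .php.jpg and .htaccess
    all pass it."""
    return not filename.lower().endswith((".php", ".exe"))


def strict_check(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Accept only allowlisted image types whose
    bytes agree with the extension and whose name carries no tricks."""
    base = os.path.basename(filename)
    if base != filename or "\x00" in base:
        return False, "path component or NUL byte in name"
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if len(content) > MAX_BYTES:
        return False, "file too large"
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"


def storage_path(ext: str) -> str:
    """Server-generated name: the client never influences where the file lands."""
    return os.path.join(UPLOAD_ROOT, f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    for name in ("shell.php", "shell.phtml", "shell.php.jpg", ".htaccess"):
        print(f"{name:15} naive={naive_check(name)!s:5} strict={strict_check(name, b'<?php')}")
```

The magic-byte check is what defeats a PHP script uploaded under an image extension; the single-extension rule is what defeats `shell.php.jpg` on servers that interpret any `.php` segment; and serving uploads from a directory the web server does not execute scripts from is the backstop if validation is ever bypassed.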

  • Cybersecurity Vulnerabilities

    CVE-2025-13237: SQL Injection Vulnerability Plagues itsourcecode Inventory Management System 1.0

    Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13237, has been discovered in itsourcecode Inventory Management System version 1.0. This flaw allows remote attackers to execute arbitrary SQL commands through the manipulation of the U_USERNAME argument in the /LogSignModal.PHP file. This vulnerability has been publicly disclosed and may be actively exploited. Technical Details The vulnerability stems from inadequate sanitization of user-supplied input within the /LogSignModal.PHP file. Specifically, the U_USERNAME parameter, used during login or signup processes, is not properly escaped or validated before being used in a SQL query. This allows an attacker to inject malicious SQL code into the…

  • Cybersecurity Vulnerabilities

    CVE-2025-12482: Critical SQL Injection Vulnerability Plagues Amelia WordPress Plugin

    Overview CVE-2025-12482 describes a critical SQL Injection vulnerability found in the Booking for Appointments and Events Calendar – Amelia plugin for WordPress. This vulnerability affects all versions up to, and including, 1.2.35. Unauthenticated attackers can exploit this flaw to inject malicious SQL queries, potentially leading to sensitive data extraction from the WordPress database. This vulnerability has been publicly disclosed and a patch is available. Technical Details The vulnerability resides within the handling of the ‘search’ parameter. Specifically, insufficient escaping of user-supplied input and inadequate preparation of the existing SQL query allows an attacker to append arbitrary SQL code. By crafting…

  • Cybersecurity Vulnerabilities

    CVE-2025-13236: SQL Injection Flaw Discovered in itsourcecode Inventory Management System 1.0

    Overview CVE-2025-13236 identifies a medium-severity SQL Injection vulnerability present in itsourcecode Inventory Management System version 1.0. This vulnerability allows a remote attacker to execute arbitrary SQL commands by manipulating the `ID` argument in the `index.php?view=edit` file. Successful exploitation can lead to unauthorized data access, modification, or even complete system compromise. Technical Details The vulnerability resides in the `/admin/products/index.php?view=edit` file. Specifically, the application fails to properly sanitize user-supplied input for the `ID` parameter. By injecting SQL code into this parameter, an attacker who can reach this admin page can read or alter data in the underlying database, potentially gaining full access to it. The attack is…

  • Cybersecurity Vulnerabilities

    Urgent: High-Severity SQL Injection Flaw Exposes itsourcecode Inventory Management System 1.0 (CVE-2025-13235)

    Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13235, has been discovered in itsourcecode Inventory Management System version 1.0. This vulnerability affects the /admin/login.php file and allows remote attackers to execute arbitrary SQL commands by manipulating the user_email parameter. The exploit has been publicly disclosed, making immediate mitigation crucial. Technical Details The vulnerability resides within the login functionality of the application. Specifically, the /admin/login.php script fails to properly sanitize user-supplied input for the user_email parameter. An attacker can craft a malicious SQL query embedded within the user_email field, which is then directly executed against the database. This allows the attacker…

  • Cybersecurity Vulnerabilities

    CVE-2025-13234: SQL Injection Flaw Threatens itsourcecode Inventory Management System 1.0

    Overview CVE-2025-13234 is a medium-severity SQL injection vulnerability discovered in itsourcecode Inventory Management System version 1.0. This vulnerability allows remote attackers to execute arbitrary SQL commands on the system’s database, potentially leading to data breaches, system compromise, and other malicious activities. The vulnerability exists within the `/index.php?q=product` file, specifically affecting how the `PROID` argument is processed. Technical Details The vulnerability stems from insufficient input sanitization of the `PROID` parameter passed to the `/index.php?q=product` endpoint. An attacker can manipulate this parameter by injecting malicious SQL code. Because the application fails to properly validate and escape user-supplied input, the injected SQL commands…

  • Cybersecurity Vulnerabilities

    CVE-2025-13233: High-Severity SQL Injection Vulnerability in itsourcecode Inventory Management System 1.0

    Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13233, has been discovered in itsourcecode Inventory Management System version 1.0. This vulnerability allows a remote attacker to inject arbitrary SQL code via a specific parameter in the /index.php?q=single-item endpoint. Successful exploitation of this vulnerability could lead to unauthorized access to sensitive data, modification of data, or even complete compromise of the database. The vulnerability was publicly disclosed on November 16, 2025, and proof-of-concept exploit code is readily available, increasing the risk of exploitation. Technical Details The vulnerability resides within the /index.php?q=single-item file of the itsourcecode Inventory Management System 1.0. The application…

  • Cybersecurity Vulnerabilities

    ProjectSend XSS Vulnerability (CVE-2025-13232): Upgrade to r1945 Immediately!

    Overview CVE-2025-13232 describes a Cross-Site Scripting (XSS) vulnerability discovered in ProjectSend, a popular self-hosted file sharing application. This vulnerability affects versions up to and including r1720. Exploitation of this flaw allows attackers to inject script that runs in a victim’s browser in the context of the application, potentially leading to session hijacking or defacement. A patch is available and upgrading is strongly recommended. Technical Details The vulnerability resides within the File Editor/Custom Download Aliases component of ProjectSend. Specifically, an unknown function within this component is susceptible to manipulation that allows for XSS attacks. The attack can…
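Added example, not ProjectSend code: the teaser says an attacker-controlled value in the custom download aliases component ends up in a page without adequate handling. The Python illustration below renders such a value into an HTML row two ways, once verbatim and once with context-aware escaping (text content versus a quoted `href` attribute, plus a scheme check on the URL), and uses the standard library's HTML tokenizer as an oracle for whether the rendered markup still contains a script tag, an `on*` handler or a `javascript:` URL. The payloads, the row template and the URL policy are constructed assumptions.

```python
"""Stored XSS in a rendered alias row, beside a context-aware escaping fix.

Added example, not ProjectSend's code. The row template, the URL policy and
all payloads are constructed for the illustration.
"""
import html
import re
from html.parser import HTMLParser


def render_row_vulnerable(alias: str, url: str) -> str:
    """Interpolates user data straight into markup: the bug class in the teaser."""
    return f'<tr><td>{alias}</td><td><a href="{url}">download</a></td></tr>'


def safe_href(url: str) -> str:
    """Allow http(s) and site-relative URLs only; javascript:, data: and
    protocol-relative URLs are replaced by a harmless fragment."""
    if re.match(r"^(https?://|/(?!/))", url, re.IGNORECASE):
        return url
    return "#"


def render_row_safe(alias: str, url: str) -> str:
    """Escape for the context each value lands in: text node and quoted attribute."""
    return (
        f"<tr><td>{html.escape(alias)}</td>"
        f'<td><a href="{html.escape(safe_href(url), quote=True)}">download</a></td></tr>'
    )


class ActiveContentFinder(HTMLParser):
    """Tokenizes markup the way a browser would and records what it sees:
    script elements, on* event handlers and javascript: URLs."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler")
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append("javascript: url")


def find_active_content(markup: str) -> list[str]:
    parser = ActiveContentFinder()
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    alias = "<script>alert(document.cookie)</script>"
    url = '/files/report.pdf"><img src=x onerror=alert(1)>'
    print("vulnerable:", find_active_content(render_row_vulnerable(alias, url)))
    print("safe      :", find_active_content(render_row_safe(alias, url)))
```

Escaping alone is not enough for the `href` case: `&quot;` stops the attribute breakout, but a `javascript:` URL needs no quote to be dangerous, which is why the fix also constrains the scheme. The parser-based oracle is deliberately used instead of a substring search, since escaped text such as `onerror=alert(1)` inside a quoted attribute is inert and should not be flagged.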

  • Cybersecurity Vulnerabilities

    CVE-2025-13221: Intelbras UnniTI Credentials Stored in Plaintext!

    Overview CVE-2025-13221 is a medium-severity vulnerability affecting Intelbras UnniTI version 24.07.11. User credentials are stored unprotected, in plaintext, in the /xml/sistema/usuarios.xml file, in its Usuario and Senha fields. The flaw can be exploited remotely. Technical Details The vulnerability resides in an unknown function handling the /xml/sistema/usuarios.xml file. The Usuario/Senha values written to that file are not protected, so an attacker who can read the file obtains sensitive user authentication information, potentially granting unauthorized access to the affected system. CVSS Analysis The vulnerability has been assigned a CVSS score…

  • Cybersecurity Vulnerabilities

    CVE-2025-13210: SQL Injection Flaw Plagues itsourcecode Inventory Management System 1.0

    Overview CVE-2025-13210 identifies a medium severity SQL injection vulnerability found in itsourcecode Inventory Management System version 1.0. This vulnerability allows a remote attacker to inject malicious SQL code through the PROMODEL parameter in the /admin/products/index.php?view=add file. The exploit has been publicly disclosed and may be actively exploited. Technical Details The vulnerability resides within the /admin/products/index.php?view=add file of the itsourcecode Inventory Management System 1.0. Specifically, the application fails to properly sanitize user-supplied input provided via the PROMODEL parameter. This lack of sanitization allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The attack…
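Added example, not itsourcecode, Amelia or WordPress code, covering the SQL injection teasers on this page (CVE-2025-13237, CVE-2025-12482, CVE-2025-13236, CVE-2025-13235, CVE-2025-13234, CVE-2025-13233 and CVE-2025-13210). They describe two shapes of the same bug: a quoted string parameter such as user_email, U_USERNAME or search spliced into a query, and a numeric parameter such as ID, PROID or PROMODEL. The affected applications are PHP; the Python illustration below reproduces both shapes against an in-memory SQLite database, shows a login bypass and a UNION-based data extraction of the kind the Amelia teaser warns about, and places the parameterized (and, for numeric input, type-checked) fix beside each. The schema, rows and payloads are constructed.

```python
"""String and numeric SQL injection against an in-memory SQLite store,
beside the parameterized fix.

Added example, not the vulnerable projects' code. Table layout and rows are
constructed; passwords are stored in clear only to keep the extraction visible.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, user_email TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'admin@example.test', 's3cret', 'admin');
        INSERT INTO users VALUES (2, 'clerk@example.test', 'hunter2', 'user');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, cost INTEGER);
        INSERT INTO products VALUES (1, 'widget', 10), (2, 'gadget', 20);
        """
    )
    return conn


# Shape 1: quoted string parameter (user_email / U_USERNAME / search).
def login_vulnerable(conn, user_email: str, password: str):
    """Input is spliced into the query text: a quote and a comment end the check."""
    sql = (
        "SELECT id, role FROM users WHERE user_email = '%s' AND password = '%s'"
        % (user_email, password)
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, user_email: str, password: str):
    """Placeholders: the driver sends values separately from the SQL text."""
    sql = "SELECT id, role FROM users WHERE user_email = ? AND password = ?"
    return conn.execute(sql, (user_email, password)).fetchone()


# Shape 2: unquoted numeric parameter (ID / PROID / PROMODEL).
def product_vulnerable(conn, product_id: str):
    """No quotes to break out of: 'OR 1=1' or a UNION is appended directly."""
    sql = "SELECT id, name, cost FROM products WHERE id = %s" % product_id
    return conn.execute(sql).fetchall()


def product_fixed(conn, product_id: str):
    """Reject non-integers before the database ever sees the value, then bind."""
    pid = int(product_id)  # ValueError on '1 OR 1=1' or any UNION payload
    return conn.execute("SELECT id, name, cost FROM products WHERE id = ?", (pid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("bypass :", login_vulnerable(db, "admin@example.test' -- ", "wrong"))
    print("fixed  :", login_fixed(db, "admin@example.test' -- ", "wrong"))
    print("union  :", product_vulnerable(db, "0 UNION SELECT id, user_email, password FROM users"))
```

The numeric case is the one developers most often get wrong after "escaping" everything: `mysqli_real_escape_string` has no effect on `1 OR 1=1`, because there is no quote to escape. Binding every value and coercing numeric parameters to integers removes both shapes at once.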