• Cybersecurity Vulnerabilities

    Urgent Security Advisory: CVE-2025-54339 – Privilege Escalation in Desktop Alert PingAlert

    Overview This article analyses CVE-2025-54339, a critical security vulnerability identified in the Application Server of Desktop Alert PingAlert versions 6.1.0.11 through 6.1.1.2. The flaw is classified as Incorrect Access Control and allows a remote attacker to escalate privileges. Technical Details CVE-2025-54339 stems from an improperly implemented access control mechanism within the Application Server component of Desktop Alert PingAlert. A remote attacker can exploit this flaw to obtain privileges beyond those intended for their account. Specific technical details of the exploit have not been published. Successful exploitation could, however, lead to unauthorized access to sensitive data,…

  • Cybersecurity Vulnerabilities

    CVE-2025-4618: Critical Data Leak Vulnerability in Palo Alto Networks Prisma Browser

    Published: 2025-11-14T18:15:47.727 Overview A sensitive information disclosure vulnerability, identified as CVE-2025-4618, has been discovered in Palo Alto Networks Prisma® Browser. This flaw allows a locally authenticated, non-administrative user to potentially retrieve sensitive data directly from the Prisma Browser application. This poses a significant risk to the confidentiality of data processed and stored by the browser. Technical Details CVE-2025-4618 is a sensitive information disclosure vulnerability. The exact mechanism by which the data is leaked is not publicly detailed at this time, but it involves a local user gaining unauthorized access to data stored or managed by the Prisma Browser. The vulnerability…

  • Cybersecurity Vulnerabilities

    CVE-2025-4617: Critical Screenshot Bypass Flaw Discovered in Prisma Browser

    Overview CVE-2025-4617 describes a security vulnerability in Palo Alto Networks Prisma® Browser running on Windows. It allows a locally authenticated, non-administrative user to bypass the browser's screenshot control feature, so a user with limited privileges on the endpoint can capture screenshots of sensitive content displayed in Prisma Browser even where policy forbids it. Technical Details The vulnerability stems from insufficient policy enforcement in Prisma Browser's screenshot control mechanism. Specific details of the bypass have not been published, but the…

  • Cybersecurity Vulnerabilities

    CVE-2025-4616: Prisma Browser Security Bypass – A Deep Dive & Mitigation Strategies

    Overview CVE-2025-4616 is a security vulnerability affecting Palo Alto Networks Prisma® Browser. Published on 2025-11-14, it allows a locally authenticated, non-administrative user to revert the browser's security controls because of insufficient validation of untrusted input, undermining the security posture intended for the Prisma Browser environment. Technical Details The core of CVE-2025-4616 is insufficient validation of input received by Prisma Browser. A locally authenticated, non-administrative user can manipulate that input to circumvent the intended security measures. This could involve modifying configuration files or leveraging specific browser functionalities in unintended…

  • Cybersecurity Vulnerabilities

    CVE-2025-13172: Critical SQL Injection Flaw Discovered in CodeAstro Gym Management System 1.0

    Overview A security vulnerability, identified as CVE-2025-13172, has been discovered in CodeAstro Gym Management System version 1.0. It allows SQL injection through manipulation of the ID argument in the /admin/view-member-report.php file and can be exploited remotely, posing a significant risk to systems running the affected software. An exploit has been publicly disclosed, so immediate mitigation is recommended. Technical Details The vulnerability lies in the /admin/view-member-report.php file of CodeAstro Gym Management System 1.0. By manipulating the ID parameter in the URL, an attacker can inject SQL code into the query the script builds. This injected code can…

  • Cybersecurity Vulnerabilities

    Critical SQL Injection Flaw Discovered in ZZCMS 2023 (CVE-2025-13171)

    Overview A medium-severity SQL injection vulnerability, identified as CVE-2025-13171, has been discovered in ZZCMS 2023. This flaw allows a remote attacker to execute arbitrary SQL commands by manipulating the keyword argument in the /admin/wangkan_list.php file. An exploit has been publicly disclosed, which puts systems running affected versions of ZZCMS at significant risk. Technical Details The vulnerability lies within the /admin/wangkan_list.php file of ZZCMS 2023. Improper sanitization of user-supplied input in the keyword parameter allows attackers to inject malicious SQL code. This injected code is then executed by the database server, potentially allowing the attacker to read, modify,…

  • Cybersecurity Vulnerabilities

    CVE-2025-13204: Prototype Pollution Vulnerability in npm `expr-eval` Leads to Potential Code Execution

    Overview CVE-2025-13204 describes a Prototype Pollution vulnerability in the widely used npm package expr-eval. An attacker with access to the expression evaluation interface can abuse JavaScript's prototype-based inheritance to pollute prototypes shared by every object in the process, which can in turn lead to arbitrary code execution on the affected system. A patched version is available in the expr-eval-fork package. Technical Details Prototype Pollution occurs when an attacker can write properties onto JavaScript's built-in object prototypes (e.g., Object.prototype), typically through unguarded handling of keys such as __proto__ or constructor.prototype. Every object that inherits from the polluted prototype then exposes the injected property. The pollution itself only plants data; reaching code execution requires a gadget elsewhere in the application that consumes one of those properties. In the context of expr-eval, if the library…
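
    The following is an added example, not expr-eval's code: a toy "dotted path" variable assignment of the kind an expression evaluator might implement, shown first in a form that lets a __proto__ segment walk onto Object.prototype, then in a hardened form. The function names, the scope object and the attacker input are constructed for the illustration.

```javascript
// Added example, not expr-eval's code: a toy variable-assignment step of the kind an
// expression evaluator performs for "a.b.c = value", shown in a vulnerable form and a
// hardened form. All names and inputs here are constructed for the illustration.

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable: walks a dotted path through the scope object and assigns at the end.
// Nothing stops the path from stepping onto Object.prototype via "__proto__", so
// the final assignment lands on a prototype shared by every plain object.
function assignPathUnsafe(scope, path, value) {
  const parts = path.split(".");
  let cur = scope;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return scope;
}

// Hardened: refuses prototype-reaching keys, only descends into own properties,
// and creates intermediate objects with no prototype at all.
function assignPathSafe(scope, path, value) {
  const parts = path.split(".");
  for (const key of parts) {
    if (BLOCKED_KEYS.has(key)) throw new Error(`refusing to traverse key "${key}"`);
  }
  let cur = scope;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== "object" || cur[key] === null) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return scope;
}

// Shows the pollution: after the unsafe assignment an unrelated, freshly created
// object reports isAdmin === true. The prototype is cleaned up afterwards so the
// rest of the process is not affected.
function demonstratePollution() {
  const scope = {};
  assignPathUnsafe(scope, "__proto__.isAdmin", true);
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

// Shows the hardened path: the same attacker input is rejected, while a normal
// nested assignment still works and nothing reaches Object.prototype.
function demonstrateHardened() {
  const scope = Object.create(null);
  let rejected = false;
  try {
    assignPathSafe(scope, "__proto__.isAdmin", true);
  } catch (e) {
    rejected = true;
  }
  assignPathSafe(scope, "user.name", "alice");
  return { rejected, userName: scope.user.name, polluted: ({}).isAdmin === true };
}

console.log(demonstratePollution(), demonstrateHardened());
```

    The hardened version relies on three independent measures, and each alone closes some but not all routes: the key denylist stops __proto__ and constructor.prototype, the own-property check stops traversal into inherited objects, and the null-prototype scope means a polluted Object.prototype is not visible to the evaluator's own variables. Applications that can tolerate it can add Object.freeze(Object.prototype) at startup as a further layer; the actual fix for expr-eval users is the patched expr-eval-fork release the advisory points to.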

  • Cybersecurity Vulnerabilities

    CVE-2025-8870: Unexpected Reload Trigger via Serial Console in Arista EOS

    Overview CVE-2025-8870 is a security vulnerability affecting certain platforms running Arista EOS (Extensible Operating System). It allows a malicious actor with access to the device's serial console to trigger an unexpected device reload by providing specially crafted input, resulting in a denial-of-service (DoS) condition. Technical Details The vulnerability stems from improper handling of specific input sequences received through the serial console interface. Under certain circumstances, this malformed input causes a critical error within EOS, resulting in a device reload. The exact nature of the vulnerable code segment is not publicly disclosed in detail, however…

  • Cybersecurity Vulnerabilities

    FortiWeb Under Attack: Critical Path Traversal Vulnerability (CVE-2025-64446)

    Overview A critical security vulnerability, identified as CVE-2025-64446, has been discovered in Fortinet FortiWeb. This vulnerability is a relative path traversal flaw that could allow an attacker to execute administrative commands on the affected system. The vulnerability impacts several versions of FortiWeb, specifically versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. Technical Details CVE-2025-64446 is a relative path traversal vulnerability. This means an attacker can manipulate file paths within HTTP or HTTPS requests to access restricted directories and potentially execute administrative commands. The attacker can craft malicious requests that navigate outside…
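
    As an added illustration of the vulnerability class (not FortiWeb code, and not a description of how FortiWeb's check is implemented): a path-based authorization rule evaluated on the raw request target is defeated by ".." segments, single- or double-percent-encoded dots, and backslashes, while the same rule applied to the canonical path holds. The route names, the admin rule and the probe strings are constructed for the example.

```javascript
// Added example, not FortiWeb code: why a path-based authorization check must run on
// the canonical path, not on the raw request target. The route names, the rule and the
// probe strings are constructed for the illustration.

// Percent-decode (twice, to catch double-encoded dots), normalise separators, and
// resolve "." and ".." segments. Returns null if the path tries to climb above root
// or carries a malformed escape; callers treat null as "deny".
function canonicalPath(rawPath) {
  let p = rawPath;
  for (let round = 0; round < 2 && p.includes("%"); round++) {
    try {
      p = decodeURIComponent(p);
    } catch (e) {
      return null;
    }
  }
  p = p.replace(/\\/g, "/");
  const segments = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (segments.length === 0) return null;
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return "/" + segments.join("/");
}

// Naive guard: prefix check on the raw target. Anything under /admin/ needs an
// admin session; everything else is allowed.
function authorizeNaive(rawPath, isAdmin) {
  if (rawPath.startsWith("/admin/")) return isAdmin;
  return true;
}

// Hardened guard: canonicalise first, then apply exactly the same rule.
function authorizeCanonical(rawPath, isAdmin) {
  const p = canonicalPath(rawPath);
  if (p === null) return false;
  if (p.startsWith("/admin/")) return isAdmin;
  return true;
}

// Constructed probes of the kind a tester would send at a prefix-based check.
const PROBES = [
  "/public/index.html",
  "/public/../admin/run-command",
  "/public/%2e%2e/admin/run-command",
  "/public/%252e%252e/admin/run-command",
  "/public/..\\admin/run-command",
];

// Runs every probe through both guards for a non-admin (or admin) session.
function compareGuards(isAdmin = false) {
  return PROBES.map((raw) => ({
    raw,
    canonical: canonicalPath(raw),
    naiveAllows: authorizeNaive(raw, isAdmin),
    canonicalAllows: authorizeCanonical(raw, isAdmin),
  }));
}

console.table(compareGuards(false));
```

    Two design points carry over to any HTTP front end: the authorization decision and the file-system or handler lookup must operate on the same canonical string, and a path that cannot be canonicalised cleanly (climbs above root, malformed escape) is denied rather than passed through in its raw form.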

  • Cybersecurity Vulnerabilities

    Critical SQL Injection Flaw Discovered in Simple Online Hotel Reservation System (CVE-2025-13170)

    Overview A critical SQL injection vulnerability, identified as CVE-2025-13170, has been discovered in the Simple Online Hotel Reservation System version 1.0. This vulnerability allows remote attackers to execute arbitrary SQL commands, potentially leading to data breaches, account compromise, and complete system takeover. The vulnerability resides within the /admin/edit_account.php file and is exploitable through manipulation of the admin_id parameter. A proof-of-concept exploit is publicly available, increasing the urgency for immediate mitigation. Technical Details The vulnerability exists because the /admin/edit_account.php script does not properly sanitize user-supplied input passed through the admin_id parameter. An attacker can inject malicious SQL code into this parameter,…
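
    The three SQL injection entries on this page (CVE-2025-13172 in /admin/view-member-report.php via ID, CVE-2025-13171 in /admin/wangkan_list.php via keyword, and CVE-2025-13170 in /admin/edit_account.php via admin_id) share one detection approach, shown here as an added example that is not part of any of the advisories or the affected projects: a triage pass over web server access logs that parses each request, picks out the vulnerable parameter for the three endpoints, and flags values carrying common injection markers. The log lines are constructed, not captured traffic; the parameter names are taken from the advisory text and matched case-insensitively because the advisories do not fix their case.

```javascript
// Added example, not from the advisories or the affected projects: a small access-log
// triage pass that flags requests to the three endpoints named on this page whose
// vulnerable parameter carries SQL injection markers. The log lines are constructed,
// not captured traffic; parameter names are taken from the advisory text.

const WATCHED = [
  { path: "/admin/view-member-report.php", param: "id", cve: "CVE-2025-13172" },
  { path: "/admin/wangkan_list.php", param: "keyword", cve: "CVE-2025-13171" },
  { path: "/admin/edit_account.php", param: "admin_id", cve: "CVE-2025-13170" },
];

// Coarse markers, good enough for triage: tautologies, UNION reads, comment
// terminators, stacked statements and time-based probes. Tune to the application.
const SQLI_PATTERNS = [
  /\b(or|and)\b\s+['"]?\w+['"]?\s*=\s*['"]?\w+/i,
  /\bunion\b[\s\S]*\bselect\b/i,
  /(--|\/\*)/,
  /;\s*(drop|update|insert|delete|alter)\b/i,
  /\b(sleep|benchmark)\s*\(/i,
];

// Combined log format: client, identity, user, [timestamp], "METHOD target PROTO", status
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const url = new URL(m[4], "http://log-parser.invalid");
  return { ip: m[1], ts: m[2], method: m[3], path: url.pathname, params: url.searchParams, status: Number(m[5]) };
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// The advisories say "ID", "keyword" and "admin_id" without fixing the case the
// application uses, so match parameter names case-insensitively.
function paramValue(params, name) {
  for (const [k, v] of params) {
    if (k.toLowerCase() === name.toLowerCase()) return v;
  }
  return null;
}

function triageLine(line) {
  const req = parseLine(line);
  if (!req) return null;
  const target = WATCHED.find((w) => w.path === req.path);
  if (!target) return null;
  const raw = paramValue(req.params, target.param);
  if (raw === null) return null;
  // URLSearchParams already decoded once; decode again to catch double encoding.
  const candidates = [raw, safeDecode(raw)];
  const hit = candidates.some((v) => SQLI_PATTERNS.some((re) => re.test(v)));
  return hit ? { ip: req.ip, ts: req.ts, cve: target.cve, path: req.path, param: target.param, value: raw, status: req.status } : null;
}

function triageLog(lines) {
  return lines.map(triageLine).filter((h) => h !== null);
}

// Constructed sample: two benign requests, three probes against the watched
// endpoints, one probe against a path this pass does not cover.
const SAMPLE_LOG = [
  '203.0.113.7 - - [15/Nov/2025:10:02:11 +0000] "GET /admin/view-member-report.php?id=12 HTTP/1.1" 200 5120',
  '203.0.113.7 - - [15/Nov/2025:10:02:19 +0000] "GET /admin/view-member-report.php?id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9831',
  '198.51.100.23 - - [15/Nov/2025:10:05:40 +0000] "GET /admin/wangkan_list.php?keyword=gym%27%20UNION%20SELECT%20user%2Cpassword%20FROM%20admin--%20- HTTP/1.1" 200 2210',
  '198.51.100.23 - - [15/Nov/2025:10:06:02 +0000] "GET /admin/edit_account.php?admin_id=1%3BDROP%20TABLE%20users HTTP/1.1" 500 311',
  '192.0.2.9 - - [15/Nov/2025:10:07:15 +0000] "GET /admin/edit_account.php?admin_id=3 HTTP/1.1" 200 1544',
  '192.0.2.9 - - [15/Nov/2025:10:08:01 +0000] "GET /index.php?id=1%20OR%201%3D1 HTTP/1.1" 200 800',
];

console.log(triageLog(SAMPLE_LOG));
```

    Two caveats for real use: a larger-than-usual response size on a flagged request (the second line above returns far more bytes than the benign one before it) is often the better confirmation signal than the pattern match itself, and the regexes are deliberately broad, so the output is a worklist for an analyst, not an alert that can fire on its own. The fix on the application side remains parameterised queries; for the ID and admin_id parameters, rejecting anything that is not an integer before it reaches the database is a cheap additional check.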