Overview A critical SQL injection vulnerability, identified as CVE-2025-63532, has been discovered in the Blood Bank Management System version 1.0. This flaw resides within the `cancel.php` component and allows a remote attacker to execute arbitrary SQL commands by manipulating user-supplied input to bypass authentication mechanisms. Technical Details The vulnerability stems from insufficient input sanitization in the `cancel.php` file. Specifically, the application fails to properly escape or validate user-provided data used within SQL queries. An attacker can inject malicious SQL code through the search field, leading to unauthorized data access, modification, or even complete database compromise. The injection point lies within…

Overview CVE-2025-63095 details a Denial of Service (DoS) vulnerability found in version 0.1.0 of the Tempus Ex hello-video-codec. The vulnerability stems from insufficient input validation within the BitstreamWriter::write_bits() function. A malicious actor can exploit this flaw by providing crafted input that triggers a resource exhaustion or other condition leading to service disruption. Technical Details The root cause of the vulnerability lies in the BitstreamWriter::write_bits() function, specifically the lack of proper bounds checking or sanitization of the input it receives. The vulnerable code (at commit 3e9551c699311ea12ad7f2fce9562fbc990d524c) does not adequately verify the size or format of the data being written to the…

Overview CVE-2025-61229 identifies a security vulnerability affecting Shirt Pocket’s SuperDuper! version 3.10 and earlier. This flaw allows a local attacker to potentially modify the default task template within the application. By doing so, the attacker can execute an arbitrary preflight script with root privileges and Full Disk Access. This effectively bypasses macOS’s built-in privacy controls, granting unauthorized access to sensitive system data. Technical Details The vulnerability stems from insufficient input validation or access control mechanisms within SuperDuper! related to the default task template. A local attacker, with sufficient permissions to modify application-related files (but not necessarily root privileges initially), can…

Overview CVE-2025-61228 is a security vulnerability identified in Shirt Pocket SuperDuper! versions 3.10 and earlier. This flaw allows a local attacker to potentially execute arbitrary code on a vulnerable system. The vulnerability stems from weaknesses in the software’s update mechanism. Technical Details The vulnerability arises from insufficient validation within the SuperDuper! update process. A local attacker with sufficient privileges could potentially manipulate the update process to inject malicious code. This could involve exploiting weaknesses in how SuperDuper! verifies the integrity of downloaded updates or how it handles file permissions during the update installation. CVSS Analysis As of the published date…

Overview A critical security vulnerability, identified as CVE-2025-57489, has been discovered in Shirt Pocket SuperDuper! version 3.10. This vulnerability allows a local attacker to escalate their privileges to root, potentially gaining full control of the affected system. The issue stems from incorrect access control within the SDAgent component, specifically involving the improper use of a setuid binary. Technical Details CVE-2025-57489 arises from an incorrect access control implementation within the SDAgent component of SuperDuper! v3.10. The vulnerable component uses a setuid binary that, under certain circumstances, fails to properly validate user input or permissions. This allows an attacker with limited privileges…

Overview A high-severity denial-of-service (DoS) vulnerability, identified as CVE-2025-55222, has been discovered in the Socomec DIRIS Digiware M-70 version 1.6.9. This vulnerability stems from the improper handling of specifically crafted network packets within the Modbus TCP and Modbus RTU over TCP USB Function functionality. An attacker can exploit this flaw by sending an unauthenticated malicious message via Modbus RTU over TCP on port 503, leading to a denial-of-service condition. Technical Details The vulnerability arises from a lack of proper input validation when processing Modbus RTU over TCP messages on port 503. A specially crafted packet can overwhelm the device’s resources,…

Overview A high-severity denial-of-service (DoS) vulnerability, identified as CVE-2025-55221, has been discovered in Socomec DIRIS Digiware M-70 version 1.6.9. This vulnerability allows an unauthenticated attacker to cause a denial of service condition by sending a specially crafted network packet via Modbus TCP over port 502. The flaw resides in the Modbus TCP and Modbus RTU over TCP USB Function functionality. This vulnerability necessitates immediate attention and mitigation measures to prevent potential disruptions to industrial control systems (ICS) and operational technology (OT) environments. Technical Details CVE-2025-55221 stems from improper handling of specific Modbus TCP requests within the Socomec DIRIS Digiware M-70…

Overview A high-severity denial-of-service (DoS) vulnerability, identified as CVE-2025-54851, has been discovered in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 version 1.6.9. This vulnerability allows an unauthenticated attacker to trigger a denial of service condition by sending specially crafted network requests. This could severely impact the availability and reliability of systems relying on the affected device. Technical Details The vulnerability stems from the device’s handling of specific Modbus TCP messages. Specifically, an attacker can trigger the denial-of-service condition by sending a single Modbus TCP message to port 503 using the Write Single Register…

Overview A high-severity denial-of-service (DoS) vulnerability, identified as CVE-2025-54850, has been discovered in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 version 1.6.9. This vulnerability allows an unauthenticated attacker to disrupt the device’s operation by sending a specially crafted series of network requests. Technical Details The vulnerability lies in the device’s handling of Modbus RTU over TCP messages. An attacker can trigger a denial-of-service condition by sending a specific sequence of Modbus RTU over TCP messages to port 503 using the Write Single Register function code (6). The attack sequence involves: Sending a message…

Overview CVE-2025-54849 details a high-severity denial-of-service (DoS) vulnerability affecting the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 version 1.6.9. A specially crafted sequence of network requests can cause the device to enter a denial-of-service state, rendering it unresponsive. This vulnerability can be exploited by unauthenticated attackers on the network. Technical Details The vulnerability lies in the device’s handling of Modbus TCP messages. Specifically, an attacker can trigger the DoS condition by sending a single Modbus TCP message to port 502. This message uses the Write Single Register function code (6) to write the value…