Overview CVE-2025-63528 details a critical cross-site scripting (XSS) vulnerability identified in version 1.0 of the Blood Bank Management System. This vulnerability resides within the blooddinfo.php component and allows attackers to inject malicious JavaScript code into the error parameter. Due to inadequate input sanitization and encoding, the injected script executes in the victim’s browser when they access the vulnerable page, potentially leading to account compromise, data theft, or defacement of the application. Technical Details The vulnerability stems from the application’s failure to properly sanitize or encode user-supplied input passed through the error parameter in the blooddinfo.php script. An attacker can craft…

Overview CVE-2025-63527 is a high-severity cross-site scripting (XSS) vulnerability discovered in the Blood Bank Management System version 1.0. This vulnerability allows attackers to inject malicious JavaScript code into user profiles, potentially compromising user accounts and data. The vulnerability is present in the updateprofile.php and hprofile.php components. Technical Details The Blood Bank Management System 1.0 fails to properly sanitize or encode user-supplied input within the updateprofile.php and hprofile.php files. Specifically, the application is vulnerable to stored XSS through the following parameters: hname hemail hpassword hphone hcity An attacker can inject malicious JavaScript payloads into these parameters. When a user views the…

A critical security vulnerability, identified as CVE-2025-63525, has been discovered in Blood Bank Management System version 1.0. This flaw allows authenticated attackers to escalate their privileges and perform unauthorized actions, potentially leading to severe consequences. Overview This article provides a comprehensive overview of CVE-2025-63525, including its technical details, CVSS analysis, potential impact, and recommended mitigation steps. Administrators of systems running Blood Bank Management System 1.0 are strongly advised to review this information and take immediate action to protect their systems. Technical Details CVE-2025-63525 is a privilege escalation vulnerability that exists within the delete.php script of the Blood Bank Management System…

Overview A security vulnerability has been identified in FeehiCMS version 2.1.1, tracked as CVE-2025-63523. This flaw allows an authenticated attacker to bypass intended server-side immutability for parameters presented to the client as “read-only.” By intercepting and modifying these parameters during transit, the attacker can trick the backend into accepting the changes, potentially leading to unintended username modifications. Technical Details FeehiCMS 2.1.1 fails to properly enforce server-side immutability on certain user-related parameters. These parameters are intended to be read-only from the client’s perspective. However, the application does not adequately validate or sanitize these parameters upon receiving them from the client. This…

Overview CVE-2025-63522 identifies a Reverse Tabnabbing vulnerability affecting FeehiCMS version 2.1.1. This vulnerability exists within the Comments Management functionality. While the CVSS score is currently N/A, Reverse Tabnabbing can pose a serious threat if exploited, potentially leading to phishing attacks and data theft. It’s crucial for FeehiCMS users to understand the risks and take necessary precautions. Technical Details Reverse Tabnabbing occurs when a malicious website, linked from a vulnerable page, gains partial control over the originating page through the window.opener JavaScript property. Specifically, when a user clicks on a link within the Comments Management section of FeehiCMS 2.1.1, a newly…

Overview CVE-2025-63520 identifies a Cross-Site Scripting (XSS) vulnerability within FeehiCMS version 2.1.1. This vulnerability is located in the User Update functionality, specifically through the id parameter of the ?r=user%2Fupdate route. An attacker can exploit this flaw to inject malicious scripts into the application, potentially compromising user accounts and data. Technical Details The vulnerability stems from insufficient input validation and sanitization of the id parameter within the User Update feature. By crafting a malicious URL that includes JavaScript code in the id parameter, an attacker can inject and execute arbitrary scripts within the context of a user’s browser when they access…

Overview CVE-2025-13129 describes an Improper Enforcement of Behavioral Workflow vulnerability found in Seneka Software Hardware Information Technology Trade Contracting and Industry Ltd. Co.’s Onaylarım application. This vulnerability allows for potential misuse of functionality within the application. The reported versions affected range from 25.09.26.01 through 18112025. Technical Details The vulnerability stems from a lack of proper validation and enforcement of the intended behavioral workflow within Onaylarım. This can lead to attackers potentially bypassing intended steps or manipulating the workflow logic to gain unauthorized access or manipulate data. The specific method of exploitation isn’t detailed in the initial CVE description, but the…

Overview CVE-2024-56089 details a vulnerability within Technitium DNS Server, specifically affecting versions up to and including v13.2.2. This security flaw enables attackers to perform DNS cache poisoning attacks by exploiting the ‘birthday attack’ method. Successfully exploiting this vulnerability allows attackers to inject fake DNS responses into the DNS server’s cache, potentially redirecting users to malicious websites or services. Technical Details The vulnerability stems from insufficient randomization in the DNS query ID generation process within the Technitium DNS Server. The birthday attack leverages the probability that, in a set of randomly chosen elements, a pair of elements will share the same…

Overview CVE-2025-49643 describes a vulnerability in Zabbix where an authenticated user, including the Guest user, can cause a disproportionate CPU load on the webserver. This is achieved by sending specially crafted parameters to the /imgstore.php endpoint. Successfully exploiting this vulnerability could lead to a denial of service (DoS) condition, impacting the availability of the Zabbix monitoring system. Technical Details The vulnerability resides within the imgstore.php file of Zabbix. It appears that the processing of image data or parameters passed to this script lacks proper input validation and sanitization. An attacker can craft malicious input that forces the webserver to consume…

Overview CVE-2025-49642 describes a security vulnerability affecting AIX Zabbix Agent builds. This vulnerability allows local users with write access to the /home/cecuser directory to potentially hijack library loading, leading to arbitrary code execution within the context of the Zabbix Agent. This happens due to insecure default configurations in certain Zabbix Agent builds on AIX. Technical Details The vulnerability stems from how the Zabbix Agent on AIX handles library loading. If a user has write access to the /home/cecuser directory, they can place malicious shared libraries (e.g., .so files) in that directory. When the Zabbix Agent starts or loads certain components,…