Overview A file upload vulnerability, identified as CVE-2025-51736, has been discovered in HCL Technologies Ltd. Unica version 12.0.0. This vulnerability could potentially allow an attacker to upload malicious files to the server, leading to code execution and other severe consequences. While the severity and CVSS score are currently listed as ‘N/A’, it’s crucial to understand and address this issue proactively. Technical Details The vulnerability resides in the file upload functionality of HCL Unica 12.0.0. Without proper validation and sanitization of uploaded files, an attacker could bypass security measures and upload arbitrary files with executable extensions (e.g., .php, .jsp, .asp). These…
Overview CVE-2025-51735 describes a CSV (Comma Separated Values) formula injection vulnerability found in HCL Technologies Ltd.’s Unica version 12.0.0. This vulnerability allows an attacker to inject malicious formulas into CSV files generated by the application. When these files are opened by a user in spreadsheet software (like Microsoft Excel or Google Sheets), the injected formulas can be executed, potentially leading to information disclosure, arbitrary code execution, or other malicious actions. Technical Details CSV injection occurs when user-controlled data is included in a CSV file without proper sanitization or escaping. Spreadsheet applications interpret certain strings as formulas, beginning with characters such…
Learn why experts recommend you avoid PayPal for important transactions. Discover hidden risks, account freezes, delays, security threats, and safer alternatives for businesses. PayPal is widely recognized as one of the largest online payment service providers, known for its speed, simplicity, and global reach. While the platform offers convenience for everyday personal payments, relying on PayPal for high-value transactions or business-critical payments introduces serious risks, many of which are not apparent until something goes wrong. In this article, I will walk you through the hidden costs, security concerns, and operational risks associated with using PayPal, helping consumers and businesses make more…
Overview A cross-site scripting (XSS) vulnerability has been identified in HCL Technologies Ltd. Unica 12.0.0. This vulnerability, tracked as CVE-2025-51734, could allow attackers to inject malicious scripts into the browser of unsuspecting users, potentially leading to data theft, session hijacking, or website defacement. This article provides a detailed analysis of the vulnerability, its potential impact, and steps you can take to mitigate the risk. Technical Details The XSS vulnerability in HCL Unica 12.0.0 is a [Specify Type of XSS if available e.g., Stored/Reflected/DOM-based] vulnerability. While specific details of the vulnerable component are not publicly available (beyond the reference link), XSS…
Overview A Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-51733, has been discovered in HCL Technologies Ltd.’s Unica 12.0.0. This vulnerability could allow an attacker to trick a user into performing actions on the Unica application without their knowledge or consent. This article provides a detailed overview of the vulnerability, its potential impact, and recommended mitigation steps. Technical Details CVE-2025-51733 is a CSRF vulnerability. CSRF vulnerabilities arise when a web application doesn’t adequately verify that a request was intentionally initiated by the authenticated user. An attacker can exploit this by crafting malicious HTML code (e.g., embedded in an email or…
Overview CVE-2025-12638 identifies a critical path traversal vulnerability affecting Keras version 3.11.3. This flaw resides within the keras.utils.get_file() function, specifically during the extraction of tar archives. Due to insufficient security measures during extraction, malicious actors can potentially write files outside the intended extraction directory, leading to system compromise. Technical Details The vulnerability stems from the usage of Python’s tarfile.extractall() method in keras.utils.get_file() without employing the crucial filter='data' parameter. While Keras attempts to mitigate risks using the filter_safe_paths() function, a critical race condition exists. The filtering happens before the extraction, and a PATH_MAX symlink resolution bug is triggered during the extraction…
Overview CVE-2025-11156 is a security vulnerability identified in the Netskope agent (NS Client) on Windows systems. A local attacker with Administrator privileges could exploit this vulnerability to cause a Denial-of-Service (DoS) condition. Successful exploitation results in a system crash, commonly known as a Blue Screen of Death (BSOD). Technical Details The vulnerability arises from the improper loading of the Netskope driver as a generic kernel service. An authenticated user with Administrator privileges can trigger this flaw, leading to a system crash. The root cause lies in insufficient validation or handling within the driver when loaded in a specific context, allowing…
Overview CVE-2025-12143 is a MEDIUM severity vulnerability affecting ABB Terra AC wallbox devices. This vulnerability is classified as a stack-based buffer overflow and could potentially allow an attacker to execute arbitrary code or cause a denial-of-service (DoS) condition. It is crucial to apply the recommended mitigation steps to protect your ABB Terra AC wallbox. Technical Details The vulnerability, CVE-2025-12143, is a stack-based buffer overflow that exists within the ABB Terra AC wallbox firmware. Specifically, versions up to and including 1.8.33 are affected. A stack buffer overflow occurs when a program writes data beyond the allocated memory region on the stack.…
Overview CVE-2025-13771 is a medium-severity Arbitrary File Read vulnerability affecting WebITR, a product developed by Uniong. This flaw allows authenticated remote attackers to exploit Relative Path Traversal techniques to download sensitive system files, potentially leading to data breaches and system compromise. Technical Details The vulnerability stems from inadequate input validation within WebITR’s file handling mechanisms. Specifically, the application fails to properly sanitize user-supplied file paths when handling file download requests. An authenticated attacker can craft a malicious request containing a relative path traversal sequence (e.g., ../../../../etc/passwd) to access files outside of the intended directory. Because authentication is required, an attacker…
Overview A critical vulnerability, identified as CVE-2025-13770, has been discovered in WebITR, a software developed by Uniong. This vulnerability is a SQL Injection flaw that allows authenticated remote attackers to execute arbitrary SQL commands. Successful exploitation of this vulnerability could lead to the disclosure of sensitive database contents. Technical Details The SQL Injection vulnerability in WebITR is triggered by insufficient input sanitization when processing user-supplied data. An attacker with valid authentication credentials can craft malicious SQL queries and inject them into the application’s data processing routines. By exploiting this flaw, an attacker can bypass security measures and directly interact with…