Overview
This article provides information about a critical security vulnerability identified as CVE-2025-12742 affecting both Looker-hosted and self-hosted instances of Looker. This vulnerability allows a Looker user with a Developer role to potentially execute malicious commands due to insecure processing of Teradata driver parameters. While Looker-hosted instances have already been mitigated, it is imperative that users with self-hosted instances take immediate action to upgrade to a patched version.

Technical Details
CVE-2025-12742 arises from the insufficient validation and sanitization of input parameters used when Looker connects to Teradata databases. A malicious actor with Developer privileges can craft specific Teradata driver parameters…

Important: This article provides information on a security vulnerability. Please apply the recommended mitigation steps as soon as possible to protect your systems.

Overview
CVE-2025-64730 describes a cross-site scripting (XSS) vulnerability affecting all versions of the Sony SNC-CX600W IP camera. Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the web browser of a user who accesses a compromised camera’s web interface. This could lead to session hijacking, defacement of the camera’s web interface, or the execution of malicious actions on behalf of the user.

Technical Details
The vulnerability stems from insufficient sanitization of user-supplied…

Overview
CVE-2025-64304 describes a security vulnerability discovered in the FOD (Fuji On Demand) application. This vulnerability stems from the use of hard-coded cryptographic keys within the application. An unauthenticated attacker with local access to the application can potentially retrieve these cryptographic keys, leading to further exploitation.

Technical Details
The FOD application, developed by Fujitv, utilizes cryptographic keys for security purposes. However, instead of employing a secure key management system, these keys are embedded directly within the application’s code. This hard-coding makes them accessible to anyone with the ability to analyze the application’s binaries or memory. A local attacker without authentication…

Overview
This article provides a detailed analysis of CVE-2025-62497, a cross-site request forgery (CSRF) vulnerability affecting Sony SNC-CX600W IP cameras. This vulnerability allows an attacker to perform unauthorized actions on the camera if a logged-in user visits a malicious website. It is crucial for users of the SNC-CX600W to understand the potential impact and take immediate steps to mitigate the risk.

Technical Details
CVE-2025-62497 is a Cross-Site Request Forgery (CSRF) vulnerability. This means that if a user with administrative privileges on the SNC-CX600W is tricked into visiting a specially crafted webpage while logged into the camera’s web interface, an attacker…

Overview
A critical security vulnerability, identified as CVE-2025-13559, has been discovered in the EduKart Pro plugin for WordPress. This vulnerability allows unauthenticated attackers to escalate their privileges to administrator level, potentially leading to complete website takeover. All versions of the plugin up to and including 1.0.3 are affected.

Technical Details
The vulnerability lies within the edukart_pro_register_user_front_end function. This function fails to properly validate the user role specified during registration. An attacker can exploit this by submitting a registration request with the ‘administrator’ role. Because the function doesn’t restrict allowed roles, the attacker is granted administrator privileges upon successful registration. CVSS…

Overview
A security vulnerability, identified as CVE-2025-13558, has been discovered in the Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress. This medium-severity vulnerability allows authenticated attackers with Subscriber-level access (and higher roles) to delete arbitrary posts by changing their status to ‘trash’. This is due to a missing capability check on the deleteUserCcDraftPost function within the plugin. All versions up to and including 8.7.0 are affected. This vulnerability can lead to significant disruption and data loss on affected WordPress sites.

Technical Details
The vulnerability stems from the absence of proper authorization checks within the deleteUserCcDraftPost function. This function,…

Overview
This blog post details a critical vulnerability, CVE-2025-13507, affecting MongoDB’s time series processing functionality. This medium-severity issue can lead to process termination due to inconsistent object size validation. The vulnerability impacts MongoDB Server versions 7.0 prior to 7.0.26, 8.0 prior to 8.0.16, and 8.2 prior to 8.2.1. It is highly recommended that affected users upgrade to a patched version as soon as possible.

Technical Details
CVE-2025-13507 arises from inconsistent validation of object sizes during time series data processing within MongoDB. Specifically, an oversized BSON document may bypass initial size checks. This leads to the document being processed further down…

Overview
A critical security vulnerability, identified as CVE-2025-13068, has been discovered in the Telegram Bot & Channel plugin for WordPress. This flaw is a Stored Cross-Site Scripting (XSS) vulnerability present in versions up to and including 4.1. Due to insufficient input sanitization and output escaping of the Telegram username field, unauthenticated attackers can inject malicious JavaScript code into the WordPress database. This code is then executed in the browsers of users who access affected pages, potentially leading to account compromise, data theft, or other malicious activities.

Technical Details
The vulnerability stems from the lack of proper sanitization and escaping of…

Overview
CVE-2025-12893 is a medium-severity vulnerability affecting MongoDB servers running on Windows and Apple operating systems. This flaw exposes a weakness in TLS certificate validation, potentially allowing unauthorized clients and servers to establish connections. Specifically, the issue involves improper handling of Extended Key Usage (EKU) requirements during TLS handshakes. This can lead to insecure connections being established even when the presented certificate does not meet the documented EKU standards.

Technical Details
The vulnerability manifests in two key scenarios:
Client Authentication: On Windows and Apple systems, MongoDB servers may accept client certificates during a TLS handshake even if the certificate specifies…

Overview
CVE-2025-10646 identifies a medium-severity vulnerability in the Search Exclude plugin for WordPress. This flaw allows authenticated attackers with Contributor-level access or higher to modify plugin settings without proper authorization. Specifically, they can add arbitrary posts to the search exclusion list, potentially impacting website search functionality and content visibility.

Technical Details
The vulnerability resides in the Base::get_rest_permission() method within the Search Exclude plugin. Versions up to and including 2.5.7 lack sufficient capability checks when this method is called. This oversight enables users with Contributor permissions (and higher roles like Author, Editor, and Administrator) to bypass intended security restrictions and alter…