  • Cybersecurity Vulnerabilities

    CVE-2025-13300: Critical SQL Injection Flaw Threatens Web-Based Lab Management System

    Overview
    A critical SQL injection vulnerability, identified as CVE-2025-13300, has been discovered in itsourcecode Web-Based Internet Laboratory Management System version 1.0. This vulnerability allows remote attackers to execute arbitrary SQL commands, potentially leading to data breaches, system compromise, and other severe consequences. The exploit is publicly available, increasing the urgency of applying mitigations.

    Technical Details
    The vulnerability resides in the /settings/controller.php file. An unknown function within this file is susceptible to SQL injection. By manipulating specific input parameters, a remote attacker can inject malicious SQL code that will be executed by the application’s database server. This can allow the attacker…

  • Cybersecurity Vulnerabilities

    Urgent: Critical Directory Traversal Vulnerability Plagues IBM Planning Analytics Local (CVE-2025-36357)

    Overview
    A critical directory traversal vulnerability, identified as CVE-2025-36357, has been discovered in IBM Planning Analytics Local versions 2.1.0 through 2.1.14. This vulnerability allows a remote, authenticated attacker to potentially read, write, or view arbitrary files on the affected system by crafting a malicious URL request. This poses a significant risk to the confidentiality, integrity, and availability of sensitive data.

    Technical Details
    CVE-2025-36357 is a directory traversal vulnerability. It arises due to insufficient input validation on user-supplied data within the application. An attacker can exploit this by injecting “../” sequences (or similar directory traversal characters) into a URL request. This…

  • Cybersecurity Vulnerabilities

    CVE-2025-36299: IBM Planning Analytics Local – Sensitive Data Exposure

    Overview
    CVE-2025-36299 describes a medium-severity vulnerability affecting IBM Planning Analytics Local versions 2.1.0 through 2.1.14. This vulnerability stems from the storage of sensitive information within the application’s source code. An attacker who gains access to this source code could potentially extract this information and leverage it for further malicious activities against the system.

    Technical Details
    The vulnerability exists due to the inadvertent inclusion of sensitive data, such as API keys, passwords, or internal system configurations, directly within the source code of IBM Planning Analytics Local. While the exact nature of the exposed data isn’t publicly detailed beyond “sensitive information,” its…

  • Cybersecurity Vulnerabilities

    Critical SQL Injection Vulnerability Plagues itsourcecode Web-Based Internet Laboratory Management System 1.0 (CVE-2025-13299)

    Overview
    A high-severity SQL injection vulnerability, identified as CVE-2025-13299, has been discovered in itsourcecode Web-Based Internet Laboratory Management System version 1.0. This flaw allows remote attackers to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed and a proof-of-concept exploit is available, making it crucial for administrators to take immediate action.

    Technical Details
    The vulnerability resides within the /user/controller.php file of the application. By manipulating specific input parameters, an attacker can inject malicious SQL code that is then executed by the database server. This allows the attacker to bypass authentication…

  • Cybersecurity Vulnerabilities

    Urgent Security Alert: SQL Injection Flaw Exposes itsourcecode Lab Management System (CVE-2025-13298)

    Overview
    A critical SQL injection vulnerability, identified as CVE-2025-13298, has been discovered in itsourcecode Web-Based Internet Laboratory Management System version 1.0. This vulnerability allows a remote attacker to inject malicious SQL code, potentially leading to unauthorized data access, modification, or deletion. The exploit is now publicly available, making immediate action crucial.

    Technical Details
    The vulnerability exists in the /enrollment/controller.php file within the application. By manipulating input parameters passed to an unknown function within this file, an attacker can inject arbitrary SQL commands. This allows them to bypass authentication and authorization mechanisms and directly interact with the underlying database. The injected…

  • Cybersecurity Vulnerabilities

    CVE-2024-44664: Critical SQL Injection Flaw Exposes PHPGurukul Online Shopping Portal 2.0

    Overview
    CVE-2024-44664 details a SQL Injection vulnerability affecting PHPGurukul Online Shopping Portal version 2.0. This vulnerability allows attackers to inject malicious SQL code into the application, potentially leading to unauthorized data access, modification, or even complete system compromise. The vulnerable parameters are present in the product-details.php file.

    Technical Details
    The vulnerability resides within the product-details.php script of the PHPGurukul Online Shopping Portal 2.0. Specifically, the following parameters are susceptible to SQL Injection: name, summary, review, quality, price, value. An attacker can craft malicious SQL queries within these parameters, which, if not properly sanitized by the application, will be executed against…

  • Cybersecurity Vulnerabilities

    CVE-2024-44661: Unveiling a Cross-Site Scripting (XSS) Flaw in PHPGurukul Online Shopping Portal 2.0

    Overview
    CVE-2024-44661 identifies a Cross-Site Scripting (XSS) vulnerability found in PHPGurukul Online Shopping Portal version 2.0. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user accounts, stealing sensitive information, or defacing the website. The vulnerability resides within the my-cart.php file through the quantity parameter.

    Technical Details
    The vulnerability stems from insufficient input validation on the quantity parameter within the my-cart.php page. An attacker can craft a malicious URL with a specially crafted quantity value containing JavaScript code. When a user visits this URL, the injected script is executed in their browser, leading to potential…

  • Cybersecurity Vulnerabilities

    Critical SQL Injection Threatens PHPGurukul Online Shopping Portal: CVE-2024-44659

    Overview
    A critical security vulnerability, identified as CVE-2024-44659, has been discovered in PHPGurukul Online Shopping Portal version 2.0. This vulnerability allows for SQL Injection through the email parameter in the forgot-password.php script. Due to its severity and ease of exploitation, this flaw poses a significant risk to organizations using this software.

    Technical Details
    The vulnerability stems from insufficient sanitization of user-supplied input within the forgot-password.php script. Specifically, the email parameter is directly incorporated into an SQL query without proper escaping or parameterization. This allows a malicious actor to inject arbitrary SQL code, potentially enabling them to:
    - Bypass authentication mechanisms.
    - Access…

  • Cybersecurity Vulnerabilities

    CVE-2025-63292: Freebox Wi-Fi Leak Exposes IMSI, Threatens User Privacy

    Overview
    CVE-2025-63292 describes a security vulnerability affecting several Freebox models, including Freebox v5 HD, Freebox v5 Crystal, Freebox v6 Révolution r1–r3, Freebox Mini 4K, and Freebox One. The vulnerability exposes subscribers’ International Mobile Subscriber Identity (IMSI) identifiers in plaintext over the `FreeWifi_secure` network. This exposure occurs during the initial EAP-SIM authentication phase.

    Technical Details
    The vulnerability lies in the implementation of EAP-SIM authentication over the `FreeWifi_secure` network. Specifically, during the EAP-Response/Identity exchange, the subscriber’s full Network Access Identifier (NAI), which contains the raw IMSI, is transmitted without encryption, tunneling, or pseudonymization. This means that an attacker within Wi-Fi range (approximately…

  • Cybersecurity Vulnerabilities

    CVE-2024-46335: Critical XSS Flaw Exposes PHPGurukul Complaint Management System 2.0

    Overview
    CVE-2024-46335 details a Cross-Site Scripting (XSS) vulnerability discovered in PHPGurukul Complaint Management System version 2.0. This vulnerability resides within the between-date-userreport.php file, specifically through the fromdate and todate parameters. A malicious actor could exploit this flaw to inject arbitrary JavaScript code into the application, potentially leading to data theft, session hijacking, or defacement of the website.

    Technical Details
    The vulnerability exists because the application fails to properly sanitize user-supplied input within the fromdate and todate parameters when generating reports. By crafting a malicious URL containing JavaScript code within these parameters, an attacker can inject the code into the page.…