Overview CVE-2025-13787 is a medium severity vulnerability affecting ZenTao project management software, specifically versions up to 21.7.6-8564. This flaw allows remote attackers to potentially delete arbitrary files due to improper privilege management in the file deletion functionality. Successful exploitation of this vulnerability could lead to data loss and disruption of project workflows. Immediate action is recommended to mitigate this risk. Technical Details The vulnerability resides within the file::delete function located in the module/file/control.php file of the ZenTao application. The issue stems from insufficient validation of the fileID argument when attempting to delete a file. A malicious actor could manipulate this…

Overview A high-severity code injection vulnerability, identified as CVE-2025-13786, has been discovered in WTCMS. This flaw allows a remote attacker to inject arbitrary code by manipulating the content argument in the fetch function of the /index.php file. The vulnerability affects versions up to commit 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. Exploit code is publicly available, increasing the urgency for users to assess and address this risk. Notably, the vendor has not responded to disclosure attempts. Given WTCMS’s continuous delivery model with rolling releases, specific affected versions and patch details are unavailable. Technical Details The vulnerability resides within the fetch function of the /index.php file in…

Overview CVE-2025-13785 describes a medium severity information disclosure vulnerability found in yungifez Skuul School Management System up to version 2.6.5. The vulnerability resides in the image handler component’s processing of the /user/profile file. A remote attacker can exploit this issue to potentially gain access to sensitive user information. The vendor has been contacted, but there has been no response. Technical Details The vulnerability exists due to insufficient input validation and sanitization when handling image uploads or processing profile information via the /user/profile endpoint. An attacker can manipulate image parameters or other profile-related data sent to this endpoint, leading to the…

Overview A Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-13784, has been discovered in yungifez Skuul School Management System up to version 2.6.5. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user data and application functionality. The vendor was notified but did not respond. Technical Details The vulnerability resides within the SVG File Handler, specifically affecting the /dashboard/schools/1/edit endpoint. By manipulating this endpoint, a remote attacker can inject malicious scripts that are then executed within the context of other users’ browsers. This is a stored XSS vulnerability, meaning the malicious script is stored on the…

Overview A significant security vulnerability, identified as CVE-2025-13783, has been discovered in taosir WTCMS. This flaw, affecting versions up to commit hash 01a5f68a3dfc2fdddb44eed967bb2d4f60487665, allows for remote SQL injection attacks. The vendor was notified but did not respond. Technical Details The vulnerability resides within the CommentadminController.class.php file, specifically in the check/uncheck/delete functions of the application/Comment/Controller/ component. By manipulating the ids argument, a remote attacker can inject malicious SQL queries. The lack of proper input sanitization allows for arbitrary database manipulation, potentially leading to data breaches, unauthorized access, or complete system compromise. CVSS Analysis The Common Vulnerability Scoring System (CVSS) assigns this…

Overview CVE-2025-66433 describes a medium-severity security vulnerability affecting HTCondor Access Point. Specifically, versions before 24.12.14, 25.0.3, and 25.3.1 are susceptible to user impersonation. An authenticated user can potentially impersonate other users on the same local machine by submitting a specifically crafted batch job. This vulnerability has been addressed in versions 24.12.14, 25.0.3, and 25.3.1. The earliest affected version is 24.7.3. Technical Details The vulnerability stems from insufficient validation of user identity during batch job submission within the HTCondor Access Point. An authenticated user can manipulate certain parameters within the job submission process to assume the identity of another local user.…

Overview CVE-2025-66432 is a medium-severity vulnerability affecting Oxide control plane versions 15 through 17 (prior to 17.1). This flaw allows API tokens to be renewed even after their designated expiration date. This can lead to unauthorized access and potential security breaches if exploited. Technical Details The vulnerability stems from a logic error within the token renewal process of the Oxide control plane. Specifically, the system fails to properly validate the expiration status of a token before allowing it to be renewed. This means that a token, which should no longer be valid, can be extended, effectively bypassing the intended expiration…

Overview CVE-2025-13782 describes a high-severity SQL injection vulnerability affecting WTCMS (version up to commit 01a5f68a3dfc2fdddb44eed967bb2d4f60487665). This vulnerability resides within the SlideController component, specifically in the delete function of the application/Admin/Controller/SlideController.class.php file. A malicious actor can exploit this flaw by manipulating the ids argument to execute arbitrary SQL queries, potentially compromising the entire database. Technical Details The vulnerability stems from insufficient sanitization of the ids parameter passed to the delete function in the SlideController. This lack of input validation allows an attacker to inject malicious SQL code into the query, leading to unauthorized data access, modification, or deletion. The attack can…

Overview CVE-2025-66424 is a medium severity vulnerability affecting Tryton, an open-source business management system. Specifically, versions 6.0 before 7.6.11 are susceptible to a flaw where access rights are not properly enforced during data export operations. This could allow unauthorized users to export sensitive data they should not have access to. Patches are available in versions 7.6.11, 7.4.21, 7.0.40, and 6.0.70. Technical Details The vulnerability stems from insufficient access control checks within the data export functionality of Tryton. Without proper validation of user permissions before initiating an export, malicious or compromised accounts could potentially bypass intended restrictions and extract data from…

Overview CVE-2025-66423 is a high-severity access control vulnerability affecting Tryton, an open-source enterprise resource planning (ERP) system. Specifically, versions 6.0 before 7.6.11 do not properly enforce access rights for the HTML editor route. This flaw allows unauthorized users to potentially access or manipulate sensitive data within the Tryton system via the HTML editor, bypassing intended security measures. Patches are available in versions 7.6.11, 7.4.21, 7.0.40, and 6.0.70. Technical Details The vulnerability lies in the lack of proper access control checks on the route responsible for handling requests to the HTML editor functionality within Tryton. This means that an attacker, potentially…