Overview CVE-2025-13758 describes a vulnerability in Devolutions Server that can lead to the exposure of credentials through unintended requests. This issue affects versions up to and including 2025.2.20 and 2025.3.8. While the severity and CVSS score are currently listed as N/A, it is crucial to understand the potential impact and implement necessary mitigation steps to protect your Devolutions Server environment. Technical Details The specific technical details of CVE-2025-13758 revolve around the possibility of the Devolutions Server handling requests in a way that inadvertently exposes sensitive credentials. Further investigation is required from Devolutions documentation or pentesting to confirm the exact mechanism.…

Overview CVE-2025-13757 describes a SQL Injection vulnerability discovered in the “last usage logs” functionality of Devolutions Server. This vulnerability affects versions up to and including 2025.2.20 and 2025.3.8. Successful exploitation of this flaw could allow an attacker to execute arbitrary SQL queries, potentially leading to data breaches, modification of sensitive information, or complete system compromise. Technical Details The vulnerability resides within the last usage logs section of Devolutions Server. Improper sanitization of user-supplied input related to filtering or querying these logs allows an attacker to inject malicious SQL code. The exact parameter vulnerable to injection isn’t publicly specified beyond “last…

Overview A critical security vulnerability, identified as CVE-2025-12419, has been discovered in Mattermost. This vulnerability affects multiple versions of Mattermost and could allow an attacker with team creation or admin privileges to take over any user account. The flaw lies in the improper validation of OAuth state tokens during OpenID Connect authentication. This blog post provides a detailed analysis of the vulnerability, its potential impact, and the necessary steps to mitigate the risk. Technical Details CVE-2025-12419 stems from a flaw in the OAuth completion flow within Mattermost’s OpenID Connect (OIDC) implementation. Specifically, the application fails to adequately validate the state…

Overview A significant security vulnerability, identified as CVE-2025-8890, has been discovered in SDMC NE6037 routers. This vulnerability allows an attacker, with administrative access, to execute arbitrary shell commands due to a command injection flaw within the router’s network diagnostics tool. This issue affects firmware versions prior to 7.1.12.2.44. Technical Details CVE-2025-8890 stems from insufficient input validation within the network diagnostics tool embedded in the SDMC NE6037 router’s firmware. An authenticated attacker, who has successfully logged into the router’s administrative portal (typically accessible via LAN), can inject malicious shell commands through the tool’s parameters. These injected commands are then executed by…

Overview A critical security vulnerability, identified as CVE-2025-13692, has been discovered in the Unlimited Elements For Elementor plugin for WordPress. This vulnerability is a Stored Cross-Site Scripting (XSS) flaw affecting all versions up to and including 2.0. It allows unauthenticated attackers to inject malicious JavaScript code into WordPress pages, potentially compromising user accounts and website integrity. This is achieved through the upload of specially crafted SVG files. Technical Details The vulnerability stems from insufficient input sanitization and output escaping within the plugin’s SVG file upload functionality. Specifically, the plugin fails to properly sanitize user-supplied data during the upload and storage…

Overview CVE-2025-12140 is a critical security vulnerability affecting an application that utilizes an insecure redirect mechanism. Specifically, the application improperly processes the value of the redirectUrlParameter parameter. This flaw allows an unauthenticated attacker to inject and execute arbitrary code by crafting a malicious request containing a Java expression. Exploitation of this vulnerability leads to complete system compromise. This issue has been addressed in version wu#2016.1.5513#0#20251014_113353. Technical Details The vulnerability stems from the application’s failure to properly sanitize or validate the input provided through the redirectUrlParameter. Instead of treating the value as a simple URL to redirect to, the application interprets…

Overview CVE-2025-12971 is a medium-severity vulnerability affecting the Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress. This vulnerability allows authenticated attackers with Contributor-level access or higher to move arbitrary folder contents to arbitrary folders due to a misconfigured capability check. The vulnerability exists in versions up to and including 3.1.5. Technical Details The root cause of this vulnerability lies in the wcp_change_post_folder function within the plugin’s code. A flawed capability check allows users with insufficient privileges (Contributor and above) to bypass the intended authorization mechanisms. Specifically, the plugin fails to adequately verify…

Published: 2025-11-27 Overview CVE-2025-59454 identifies a security vulnerability within Apache CloudStack that could lead to unauthorized information disclosure. Specifically, a flaw in access control checks affects several APIs, potentially allowing authorized users to access data beyond their intended permissions. This article provides a comprehensive overview of the vulnerability, its potential impact, and the necessary steps for mitigation. Technical Details The vulnerability stems from insufficient permission validation within the following Apache CloudStack APIs: createNetworkACL listNetworkACLs listResourceDetails listVirtualMachinesUsageHistory listVolumesUsageHistory While these APIs require user authentication, the validation checks were inadequate, allowing a user with limited privileges to potentially access sensitive information related…

Published: 2025-11-27T12:15:47.410 Overview A critical code injection vulnerability, identified as CVE-2025-59302, has been discovered in Apache CloudStack. This vulnerability affects specific APIs accessible only to administrators, potentially allowing for unauthorized code execution within the CloudStack environment. This article provides a detailed analysis of the vulnerability, its potential impact, and the necessary steps for mitigation. Technical Details CVE-2025-59302 stems from improper control of code generation (‘Code Injection’) in the following Apache CloudStack APIs: quotaTariffCreate quotaTariffUpdate createSecondaryStorageSelector updateSecondaryStorageSelector updateHost updateStorage The vulnerability affects Apache CloudStack versions: From 4.18.0 before 4.20.2 From 4.21.0 before 4.22.0 CVSS Analysis The CVSS score for this vulnerability…

Overview A security vulnerability, identified as CVE-2025-54057, has been discovered in Apache SkyWalking. This vulnerability is classified as a Basic Cross-Site Scripting (XSS) issue due to improper neutralization of script-related HTML tags in a web page. This issue affects Apache SkyWalking versions up to and including 10.2.0. Technical Details CVE-2025-54057 describes a Basic XSS vulnerability within Apache SkyWalking. Specifically, the application fails to properly sanitize user-supplied input when rendering web pages. This allows an attacker to inject malicious JavaScript code into a SkyWalking web page, which could be executed in the context of a user’s browser. The root cause lies…