Overview CVE-2025-13571 details a medium severity SQL injection vulnerability found in the Simple Food Ordering System version 1.0. The vulnerability exists in the /listorder.php file and can be exploited remotely by manipulating the ID argument. This could allow attackers to execute arbitrary SQL commands, potentially leading to data breaches or unauthorized access. Technical Details The vulnerability lies within the /listorder.php file, specifically how the application handles user-supplied input for the ID parameter. Insufficient sanitization or escaping of this parameter allows an attacker to inject malicious SQL code. When the application executes the constructed SQL query, the injected code is executed…
-
-
Overview CVE-2025-13570 identifies a critical SQL injection vulnerability within the itsourcecode COVID Tracking System version 1.0. This flaw allows attackers to potentially execute arbitrary SQL commands, leading to unauthorized data access, modification, or even complete system compromise. Given the sensitivity of data often managed by such systems, this vulnerability poses a significant risk. Technical Details The vulnerability resides in the /admin/?page=state file. An attacker can manipulate the ID argument within the URL to inject malicious SQL code. This is a classic example of a GET-based SQL injection vulnerability. The affected functionality does not properly sanitize user-supplied input before using it…
-
Overview A critical security vulnerability, identified as CVE-2025-13569, has been discovered in itsourcecode COVID Tracking System version 1.0. This vulnerability is a SQL injection flaw that could allow attackers to remotely execute arbitrary SQL commands, potentially compromising the entire system and its data. Technical Details The vulnerability exists within the /admin/?page=city endpoint. Specifically, the ID parameter is vulnerable to SQL injection. An attacker can manipulate this parameter to inject malicious SQL code that interacts directly with the database. Because the exploit is public, the system is vulnerable to attacks. CVSS Analysis CVE ID: CVE-2025-13569 Severity: MEDIUM CVSS Score: 6.3 A…
-
Overview CVE-2025-13568 is a medium severity security vulnerability affecting itsourcecode COVID Tracking System version 1.0. This flaw allows for remote SQL injection, potentially enabling attackers to access, modify, or delete sensitive data within the system’s database. The vulnerability resides in the `/admin/?page=people` endpoint and is triggered through manipulation of the `ID` argument. Technical Details The vulnerability is a SQL injection flaw located in the `/admin/?page=people` functionality of the itsourcecode COVID Tracking System 1.0. Specifically, the `ID` parameter within this page is not properly sanitized, allowing an attacker to inject malicious SQL code. By crafting a specific URL with a manipulated…
-
Overview CVE-2025-13567 identifies a critical SQL Injection vulnerability discovered in itsourcecode COVID Tracking System version 1.0. This flaw allows remote attackers to execute arbitrary SQL commands by manipulating the ‘ID’ parameter within the `/admin/?page=establishment` endpoint. The vulnerability is publicly known and actively exploitable, posing a significant risk to systems utilizing this software. Technical Details The vulnerability stems from insufficient input sanitization of the ‘ID’ parameter when handling requests to the `/admin/?page=establishment` page. An attacker can inject malicious SQL code into this parameter, which the application then executes against its database. This can lead to unauthorized data access, modification, or even…
-
Published: 2025-11-23 Overview CVE-2025-13566 describes a low-severity double free vulnerability found in the nnn file manager, specifically in versions up to 5.1. This vulnerability occurs in the show_content_in_floating_window/run_cmd_as_plugin function within the nnn/src/nnn.c file. A successful exploit could potentially lead to denial of service or other unexpected behavior. Technical Details The vulnerability stems from a double free condition within the identified function. A double free occurs when memory that has already been freed is freed again. This can corrupt the memory management structures, leading to unpredictable program behavior. The specific code affected is located in the nnn/src/nnn.c file, within the show_content_in_floating_window/run_cmd_as_plugin…
-
Overview CVE-2025-13565 describes a medium-severity vulnerability found in SourceCodester Inventory Management System version 1.0. This vulnerability allows for weak password recovery due to improper handling of the password reset process. An attacker can remotely exploit this flaw to potentially gain unauthorized access to user accounts. Technical Details The vulnerability resides within the /model/user/resetPassword.php file. Specifically, an unidentified function within this file is susceptible to manipulation that results in a weak password recovery process. The publicly available exploit allows attackers to bypass security measures and potentially set a predictable or easily guessable password for a target user. The lack of proper…
-
Overview CVE-2025-13564 identifies a medium-severity denial-of-service (DoS) vulnerability in SourceCodester Pre-School Management System version 1.0. This flaw allows a remote attacker to trigger a DoS condition by manipulating the filepath argument within the removefile function of the app/controllers/FilehelperController.php file. Exploit code is publicly available, increasing the risk of active exploitation. Technical Details The vulnerability resides within the removefile function of the FilehelperController.php script. Specifically, the application lacks sufficient validation and sanitization of the filepath argument before attempting file operations. By crafting a malicious filepath value, an attacker can potentially trigger an error condition or resource exhaustion, leading to a denial…
-
Overview CVE-2025-54515 describes a security vulnerability found within the Arm Trusted Firmware for Cortex-A processors (TF-A) used in Versal™ Adaptive SoCs. The issue stems from an incorrect configuration of the Secure Flag passed to the TF-A for Arm’s Power State Coordination Interface (PSCI) commands. This flaw could potentially allow PSCI requests originating from the non-secure state to be misinterpreted as originating from the secure state. Technical Details The vulnerability lies in the way the Secure Flag is handled when invoking PSCI commands. Instead of accurately reflecting the security state of the processor initiating the request (secure or non-secure), the flag…
-
Overview CVE-2025-13562 is a high-severity command injection vulnerability affecting D-Link DIR-852 routers with firmware version 1.00. This flaw allows remote attackers to execute arbitrary commands on the router by manipulating the service argument in a request to the /gena.cgi endpoint. Because the device is no longer supported, a patch is not expected. This vulnerability has a public exploit available, making it a significant risk for vulnerable devices still in use. Given the end-of-life status of these devices, immediate action is required to mitigate potential exploits. Technical Details The vulnerability stems from insufficient input validation when processing the service argument in…