Overview CVE-2025-63892 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in SourceCodester Student Grades Management System version 1.0. This medium severity vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user accounts and sensitive data. The vulnerability resides in the create_classroom function within the /classroom.php file. Technical Details The vulnerability is caused by insufficient input sanitization within the create_classroom function. Specifically, when creating a new classroom, the name and description parameters are not properly sanitized before being stored in the database. An attacker can exploit this by injecting malicious JavaScript code into either of these fields.…
-
-
Overview This article details CVE-2025-63883, a DOM-based Cross-Site Scripting (XSS) vulnerability discovered in electic-shop v1.0 (Bhabishya-123/E-commerce). This vulnerability allows attackers to inject malicious JavaScript code into a victim’s browser through a crafted URL, potentially leading to data theft, session hijacking, or other malicious activities. Technical Details The vulnerability stems from the application’s failure to properly sanitize or encode user-controlled input before inserting it into the Document Object Model (DOM). Specifically, the client-side JavaScript code within electic-shop v1.0 reads attacker-controlled input – often from the URL or page fragment (the part after the #) – and uses this input directly in…
-
Overview A critical security flaw has been discovered in Windu CMS, tracked as CVE-2025-59117. This vulnerability stems from multiple Stored Cross-Site Scripting (XSS) issues within the page editing endpoint (windu/admin/content/pages/edit/). An attacker with privileged access can exploit these vulnerabilities to inject malicious scripts into the system, potentially targeting users with higher privileges. This blog post provides a detailed analysis of CVE-2025-59117, including technical details, potential impact, and mitigation strategies. Technical Details The vulnerability exists due to insufficient input sanitization and output encoding within the Windu CMS page editing endpoint. A privileged user can inject malicious JavaScript code into fields such…
-
Overview A user enumeration vulnerability has been identified in Windu CMS, tracked as CVE-2025-59116. This flaw allows attackers to determine the validity of usernames during the login process. By observing subtle differences in error messages, an attacker can distinguish between valid and invalid login attempts, making the system susceptible to brute-force attacks against legitimate user accounts. The vendor was notified about this issue but did not respond with details of the vulnerability or the vulnerable version range. Version 4.1 has been confirmed as vulnerable. Other versions were not tested and may also be affected. Technical Details The vulnerability stems from…
-
Overview CVE-2025-59115 identifies a Stored Cross-Site Scripting (XSS) vulnerability within the Windu CMS platform. Specifically, this vulnerability resides within the logon page, where input data lacks proper validation. A malicious actor can exploit this weakness to inject arbitrary HTML and JavaScript code into the website. This injected code is then rendered and executed whenever an administrator visits the logs page, potentially leading to account compromise, data theft, or other malicious activities. The vendor was notified about this vulnerability but has not yet provided details regarding affected version ranges or a patch. Version 4.1 has been tested and confirmed as vulnerable.…
-
Overview A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Windu CMS. Specifically, the file uploading functionality in version 4.1 is susceptible to this attack. CVE-2025-59114 has been assigned to track this issue. An attacker can exploit this flaw by crafting a malicious website that, when visited by an authenticated Windu CMS user, will automatically trigger the upload of a malicious file to the server. While only version 4.1 has been tested and confirmed as vulnerable, other versions may also be affected. Technical Details The vulnerability stems from a lack of sufficient CSRF protection in the Windu CMS file…
-
Overview CVE-2025-59113 describes a security vulnerability in Windu CMS related to weak client-side brute-force protection. Specifically, the CMS relies on the loginError parameter to implement brute-force protection, but it does not store attempt counts or timeout information on the server. This allows an attacker to easily bypass the protection mechanism. This vulnerability was reported and assigned CVE-2025-59113 on November 18, 2025. It’s important to note that while version 4.1 was tested and confirmed as vulnerable, other versions have not been assessed and may also be susceptible to the same issue. The vendor, Windu, was notified about this vulnerability but has…
-
Overview A critical Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-59112, has been discovered in Windu CMS. This vulnerability allows a malicious attacker to craft a specially designed website that, when visited by an authenticated Windu CMS user, can silently trigger the deletion of a specified user account without the user’s knowledge or consent. This could lead to significant disruption of service and unauthorized access. While the vendor was notified, there has been no public response regarding vulnerable versions or planned fixes. Our testing has confirmed the vulnerability exists in version 4.1. Other versions may also be affected but remain…
-
Overview A Cross-Site Request Forgery (CSRF) vulnerability has been discovered in Windu CMS, identified as CVE-2025-59110. This vulnerability resides within the user editing functionality of the CMS. The implemented CSRF protection can be bypassed by leveraging a CSRF token belonging to another user. Given that Windu CMS allows open registration, this issue poses a significant risk. Technical Details The vulnerability lies in the inadequate validation of the CSRF token during user editing actions. Specifically, the system fails to verify that the submitted CSRF token belongs to the currently authenticated user performing the action. An attacker can exploit this by: Creating…
-
Overview CVE-2025-55179 is a medium severity vulnerability affecting WhatsApp for iOS, WhatsApp Business for iOS, and WhatsApp for Mac. This flaw stems from incomplete validation of rich response messages, potentially allowing a malicious user to trigger processing of media content from an arbitrary URL on another user’s device. Fortunately, there is no known evidence of in-the-wild exploitation. This article provides a detailed analysis of CVE-2025-55179, including its technical details, potential impact, and recommended mitigation steps. Technical Details The vulnerability resides in how WhatsApp handles rich response messages. Specifically, the inadequate validation of URLs within these messages could allow an attacker…