Overview CVE-2025-13224 is a high-severity vulnerability affecting Google Chrome’s V8 JavaScript engine. This vulnerability, identified as a type confusion issue, could allow a remote attacker to potentially exploit heap corruption through a specially crafted HTML page. The vulnerability was patched in Chrome version 142.0.7444.175. Technical Details The vulnerability stems from a type confusion error within the V8 JavaScript engine. This occurs when the engine incorrectly infers the type of an object, leading to incorrect memory access and potential heap corruption. An attacker can leverage this by crafting a malicious HTML page that triggers the type confusion error during JavaScript execution.…
-
-
Overview CVE-2025-13223 is a high-severity vulnerability affecting Google Chrome’s V8 JavaScript engine. Discovered and patched in version 142.0.7444.175, this type confusion flaw could allow a remote attacker to potentially trigger heap corruption by crafting a malicious HTML page. Successful exploitation could lead to arbitrary code execution or denial-of-service. Technical Details The vulnerability stems from a type confusion error within the V8 JavaScript engine. Type confusion occurs when the engine misinterprets the type of data being processed. In the context of CVE-2025-13223, this allows an attacker to manipulate the memory layout and potentially corrupt the heap. A specially crafted HTML page…
-
Overview CVE-2025-64766 is a medium severity security vulnerability affecting the OnlyOffice document server when deployed on NixOS. This vulnerability stems from the use of a hard-coded secret in the NixOS module used to protect the file cache of OnlyOffice. This hardcoded secret could potentially allow an attacker with knowledge of a revision ID to access documents, even after a user’s access has expired. The issue has been resolved in NixOS unstable version 25.11 and version 25.05. Technical Details The NixOS module for OnlyOffice’s document server employs a secret key to secure its file cache. Versions 22.11 to before 25.05, and…
-
Overview CVE-2025-13303 is a medium-severity SQL injection vulnerability affecting Courier Management System version 1.0. This vulnerability allows a remote attacker to inject malicious SQL code through the “Consignment” argument in the /search-edit.php file. Successful exploitation of this vulnerability could allow an attacker to read, modify, or delete sensitive data within the application’s database. This vulnerability has been publicly disclosed, and proof-of-concept (PoC) exploits are available, increasing the risk of exploitation. Technical Details The vulnerability resides within the /search-edit.php file of the Courier Management System 1.0. The application fails to properly sanitize user-supplied input passed through the “Consignment” parameter before using…
-
Overview CVE-2025-13302 identifies a SQL injection vulnerability within Courier Management System version 1.0. This vulnerability allows a remote attacker to execute arbitrary SQL queries by manipulating the ManagerName argument in the /add-new-officer.php file. The public availability of an exploit makes this a significant security concern. Technical Details The vulnerability resides in the /add-new-officer.php script. Specifically, the code that handles the ManagerName parameter fails to properly sanitize user input before incorporating it into a SQL query. This lack of sanitization allows an attacker to inject malicious SQL code, potentially compromising the database and the entire application. Attackers can exploit this flaw…
-
Overview CVE-2025-36118 is a high-severity vulnerability affecting IBM Storage Virtualize versions 8.4, 8.5, 8.7, and 9.1. This flaw allows remote attackers to potentially obtain sensitive information from device memory through a specifically crafted Security Association (SA) negotiation request within the IKEv1 protocol. Successful exploitation of this vulnerability could expose sensitive data, impacting the confidentiality of the affected storage systems. Technical Details The vulnerability lies in the implementation of IKEv1 (Internet Key Exchange version 1) within IBM Storage Virtualize. The flaw is triggered during the Security Association (SA) negotiation process. A remote attacker can send a malicious SA negotiation request that,…
-
Overview CVE-2025-13301 identifies a high-severity SQL injection vulnerability found in itsourcecode Web-Based Internet Laboratory Management System version 1.0. This vulnerability allows a remote attacker to potentially execute arbitrary SQL commands on the underlying database, leading to data breaches, system compromise, and other malicious activities. The vulnerability resides within the /subject/controller.php file and affects an unspecified functionality. A proof-of-concept exploit is publicly available, increasing the urgency for administrators to apply the necessary mitigation steps. Technical Details The vulnerability exists due to improper sanitization of user-supplied input within the /subject/controller.php file. An attacker can inject malicious SQL code into parameters that are…
-
Overview A critical SQL injection vulnerability, identified as CVE-2025-13300, has been discovered in itsourcecode Web-Based Internet Laboratory Management System version 1.0. This vulnerability allows remote attackers to execute arbitrary SQL commands, potentially leading to data breaches, system compromise, and other severe consequences. The exploit is publicly available, increasing the urgency of applying mitigations. Technical Details The vulnerability resides in the /settings/controller.php file. An unknown function within this file is susceptible to SQL injection. By manipulating specific input parameters, a remote attacker can inject malicious SQL code that will be executed by the application’s database server. This can allow the attacker…
-
Overview A critical directory traversal vulnerability, identified as CVE-2025-36357, has been discovered in IBM Planning Analytics Local versions 2.1.0 through 2.1.14. This vulnerability allows a remote, authenticated attacker to potentially read, write, or view arbitrary files on the affected system by crafting a malicious URL request. This poses a significant risk to the confidentiality, integrity, and availability of sensitive data. Technical Details CVE-2025-36357 is a directory traversal vulnerability. It arises due to insufficient input validation on user-supplied data within the application. An attacker can exploit this by injecting “../” sequences (or similar directory traversal characters) into a URL request. This…
-
Overview CVE-2025-36299 describes a medium-severity vulnerability affecting IBM Planning Analytics Local versions 2.1.0 through 2.1.14. This vulnerability stems from the storage of sensitive information within the application’s source code. An attacker who gains access to this source code could potentially extract this information and leverage it for further malicious activities against the system. Technical Details The vulnerability exists due to the inadvertent inclusion of sensitive data, such as API keys, passwords, or internal system configurations, directly within the source code of IBM Planning Analytics Local. While the exact nature of the exposed data isn’t publicly detailed beyond “sensitive information,” its…