Overview CVE-2024-44658 identifies a significant security vulnerability affecting PHPGurukul Complaint Management System version 2.0. This vulnerability is classified as a SQL Injection flaw, specifically present within the subcategory.php file. Successful exploitation of this vulnerability could allow attackers to manipulate database queries, potentially leading to unauthorized data access, modification, or even complete compromise of the system. Technical Details The SQL Injection vulnerability resides in the subcategory.php file of PHPGurukul Complaint Management System 2.0. The application fails to properly sanitize user-supplied input passed through the subcategory and category parameters. An attacker can inject malicious SQL code into these parameters, which is then…

Overview CVE-2024-44655 identifies a Cross-Site Scripting (XSS) vulnerability found in PHPGurukul Complaint Management System version 2.0. This flaw allows attackers to inject malicious scripts into the application via the ‘search’ parameter within the user-search.php file. Successfully exploiting this vulnerability could lead to session hijacking, defacement of the website, or redirection of users to malicious sites. Technical Details The vulnerability resides in the user-search.php page of the PHPGurukul Complaint Management System 2.0. The application fails to properly sanitize or encode user-supplied input in the ‘search’ parameter before rendering it in the HTML output. This allows an attacker to inject arbitrary JavaScript…

Overview A critical SQL Injection vulnerability has been identified in PHPGurukul Complaint Management System version 2.0. This vulnerability, tracked as CVE-2024-44654, allows attackers to potentially execute arbitrary SQL queries on the system’s database, potentially leading to data breaches, unauthorized access, and complete system compromise. The vulnerability is located in the `reset-password.php` file, specifically within the `email` and `mobileno` parameters. Technical Details The `reset-password.php` script in PHPGurukul Complaint Management System 2.0 is susceptible to SQL injection because it fails to properly sanitize user-supplied input before using it in database queries. An attacker can craft malicious SQL queries embedded within the `email`…

Overview CVE-2025-64758 is a medium-severity Cross-Site Scripting (XSS) vulnerability affecting Dependency-Track, an open-source Component Analysis platform. Specifically, versions of @dependencytrack/frontend prior to 4.13.6 are vulnerable. This vulnerability allows users with the `SYSTEM_CONFIGURATION` permission (typically administrators) to inject arbitrary JavaScript code into the login page through the welcome message feature. Technical Details Dependency-Track’s frontend allows administrators to configure a custom “welcome message” on the login page. This message is intended for branding purposes and accepts HTML input. However, versions before 4.13.6 failed to properly sanitize this HTML input. An attacker with `SYSTEM_CONFIGURATION` permission can inject malicious JavaScript code within HTML tags.…

Overview A high-severity command injection vulnerability, identified as CVE-2025-64756, has been discovered in the glob CLI tool. This vulnerability affects versions 10.3.7 through 11.0.3. Specifically, the vulnerability resides within the -c or --cmd option, allowing for arbitrary command execution when processing files with maliciously crafted names. This could lead to significant security risks, including complete system compromise. Technical Details The glob CLI tool is used for matching files based on shell-like patterns. When the -c or --cmd option is used in conjunction with these patterns (e.g., glob -c <command> <patterns>), the matched filenames are passed to a shell for execution.…

Overview CVE-2025-64342 describes a vulnerability found in Espressif’s ESP-IDF (Espressif Internet of Things Development Framework). This issue can cause Bluetooth advertising to stop unexpectedly when the ESP32 receives a connection request with an invalid Access Address (AA) while in advertising mode. This can lead to a denial-of-service condition and potentially disrupt the intended functionality of the IoT device. Technical Details The vulnerability occurs when the ESP32, running ESP-IDF, is in Bluetooth advertising mode. If it receives a connection request containing an invalid Access Address (AA) of either 0x00000000 or 0xFFFFFFFF, the advertising process may terminate prematurely. The underlying issue causes…

Overview CVE-2025-58407 is a high-severity vulnerability affecting kernel or driver software installed on Guest Virtual Machines (VMs). This flaw allows a malicious guest VM to potentially escape its isolation by exploiting a Time-of-Check Time-of-Use (TOCTOU) race condition within the GPU firmware interaction. Successfully exploiting this vulnerability can lead to unauthorized read and/or write operations outside the VM’s allocated memory space, effectively escaping the virtual machine environment. Technical Details The vulnerability arises from a race condition that occurs when a guest VM interacts with the host’s GPU firmware. The guest can send commands to the GPU firmware. If not properly validated…

Overview CVE-2025-55059 is a reported vulnerability concerning Cross-Site Scripting (XSS), specifically categorized as CWE-79: Improper Neutralization of Input During Web Page Generation. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. This can lead to session hijacking, defacement, or the theft of sensitive information. Technical Details The vulnerability stems from insufficient sanitization or encoding of user-supplied input that is subsequently displayed within a web page. An attacker can exploit this by crafting malicious input (e.g., containing JavaScript code) and submitting it through a vulnerable form field, URL parameter, or other input vector. When the…

Overview CVE-2025-55058 is a security vulnerability identified as an Improper Input Validation (CWE-20) flaw. This weakness can allow attackers to potentially manipulate applications or systems by providing malformed or unexpected input. Failing to properly validate user-supplied data can lead to a variety of exploits, including code injection, denial-of-service (DoS), and data corruption. This vulnerability was published on 2025-11-17T18:15:57.543. Technical Details The core of this vulnerability lies in the insufficient validation of data received by the affected application. Specifically, the application fails to adequately sanitize or verify the format, type, or range of input before processing it. This lack of validation…

Overview CVE-2025-55057 describes a medium-severity vulnerability affecting web applications susceptible to Cross-Site Request Forgery (CSRF). This vulnerability allows an attacker to trick a user into performing actions on a web application without their knowledge or consent. By exploiting this weakness, malicious actors can potentially modify user data, change account settings, or perform other unauthorized actions, depending on the application’s functionality. Published on 2025-11-17T18:15:57.390, it’s crucial to understand the details of this vulnerability and implement appropriate mitigation strategies to protect your web applications. Technical Details This CSRF vulnerability (CWE-352) arises because the web application does not properly validate the origin of…