Overview CVE-2025-13277 is a high-severity SQL injection vulnerability discovered in Nero Social Networking Site version 1.0. This flaw allows remote attackers to execute arbitrary SQL commands, potentially leading to data breaches, unauthorized access, and complete compromise of the affected system. The vulnerability resides in the /friendsphoto.php file and is triggered by manipulating the ID argument. This vulnerability has been published and proof-of-concept exploit code is available, increasing the likelihood of exploitation in the wild. Users of Nero Social Networking Site 1.0 are strongly advised to take immediate action to mitigate this risk. Technical Details The vulnerability stems from insufficient input…
-
-
Overview CVE-2025-11681 is a security vulnerability affecting M-Files Server versions prior to 25.11.15392.1. This vulnerability allows an authenticated user to trigger a denial-of-service (DoS) condition by causing the core MFserver process to crash. While the CVSS score is currently unavailable, the potential impact on system availability necessitates immediate attention. Technical Details The specific technical details leading to the MFserver process crash are not fully disclosed in the initial advisory. However, the vulnerability stems from a flaw in how the M-Files Server handles certain inputs or requests from authenticated users. Exploitation of this vulnerability requires a valid user account within the…
-
Overview CVE-2025-13276 describes a critical SQL Injection vulnerability found in the g33kyrash Online-Banking-System. This flaw allows a remote attacker to execute arbitrary SQL commands by manipulating the Username argument in the /index.php file. The exploit is publicly available, increasing the risk of exploitation. Technical Details The vulnerability resides within the /index.php file of the g33kyrash Online-Banking-System. By crafting a malicious payload within the Username parameter of a request to this file, an attacker can inject arbitrary SQL code into the database query. This can lead to the disclosure of sensitive information, modification of data, or even complete compromise of the…
-
Overview CVE-2025-13275 identifies a medium-severity security vulnerability affecting Iqbolshoh php-business-website up to version 10677743a8dfc281f85291a27cf63a0bce043c24. This vulnerability allows for unrestricted file uploads, potentially leading to remote code execution and other malicious activities. Technical Details The vulnerability exists within the /admin/about.php file of the affected software. An attacker can exploit this flaw by uploading arbitrary files without proper validation, bypassing security measures intended to restrict file types and sizes. The lack of input sanitization on uploaded files allows an attacker to upload executable files (e.g., PHP, .exe) that can then be accessed and executed by the web server, potentially compromising the entire…
-
Overview A medium severity SQL injection vulnerability, identified as CVE-2025-13251, has been discovered in WeiYe-Jing datax-web up to version 2.1.2. This flaw allows a remote attacker to execute arbitrary SQL commands by manipulating specific input parameters. The exploit is publicly available, posing a significant risk to systems running vulnerable versions of datax-web. Technical Details The vulnerability resides in an unspecified function within datax-web. By crafting malicious SQL injection payloads, an attacker can potentially bypass authentication, access sensitive data, modify database contents, or even execute arbitrary code on the underlying database server. The specific attack vector involves manipulating user-supplied input that…
-
Overview A medium-severity security vulnerability, identified as CVE-2025-13250, has been discovered in WeiYe-Jing datax-web versions up to 2.1.2. This vulnerability allows remote attackers to bypass access controls, potentially leading to unauthorized manipulation of data integration jobs. The exploit is publicly available, increasing the risk of exploitation. Technical Details The vulnerability resides within the Job Handler component of datax-web. Specifically, the remove, update, pause, start, and triggerJob functions are affected. An attacker can exploit this vulnerability by manipulating requests to these functions, circumventing the intended access controls. This allows them to perform actions on jobs they are not authorized to manage.…
-
Overview A security vulnerability, identified as CVE-2025-13249, has been discovered in Jiusi OA, specifically in versions up to 20251102. This medium severity vulnerability allows for unrestricted file uploads due to improper handling of the FileData argument within the /OfficeServer?isAjaxDownloadTemplate=false endpoint. This vulnerability can be exploited remotely, and a public exploit is already available. Technical Details The vulnerability resides in the OfficeServer Interface component of Jiusi OA. By manipulating the FileData argument in requests to the /OfficeServer?isAjaxDownloadTemplate=false endpoint, an attacker can upload arbitrary files to the server. The lack of proper validation and sanitization of the uploaded file content and type…
-
Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13248, has been discovered in SourceCodester’s Patients Waiting Area Queue Management System version 1.0. This flaw allows a remote attacker to execute arbitrary SQL commands, potentially compromising sensitive patient data and system integrity. The vulnerability has been publicly disclosed, increasing the risk of exploitation. Technical Details The vulnerability resides in the /php/api_patient_schedule.php file within the application. Specifically, the appointmentID parameter is susceptible to SQL injection. By manipulating this parameter, an attacker can inject malicious SQL code into the database query, potentially allowing them to: Read sensitive data, including patient information, appointments, and…
-
Overview A significant security vulnerability, identified as CVE-2025-13247, has been discovered in PHPGurukul Tourism Management System version 1.0. This vulnerability is a SQL Injection flaw affecting the /admin/user-bookings.php file. Specifically, the uid argument is susceptible to malicious manipulation, allowing attackers to execute arbitrary SQL commands. This vulnerability can be exploited remotely, and proof-of-concept exploits are publicly available, increasing the risk of active exploitation. Technical Details The vulnerability resides in the /admin/user-bookings.php file within the PHPGurukul Tourism Management System 1.0. The application fails to properly sanitize or validate user-supplied input provided through the uid parameter when querying the database. This lack…
-
Overview CVE-2025-13246 is a medium-severity path traversal vulnerability discovered in shsuishang’s ShopSuite ModulithShop. This vulnerability allows a remote attacker to potentially access sensitive files or directories on the server. The affected component resides within the JwtAuthenticationFilter class, posing a significant risk to the application’s security. Technical Details The vulnerability exists within the JwtAuthenticationFilter function located in the src/main/java/com/suisung/shopsuite/common/security/JwtAuthenticationFilter.java file of the ShopSuite ModulithShop application. By manipulating the input to this function, an attacker can bypass intended security checks and access files or directories outside of the permitted scope. The vulnerability has been confirmed in versions up to commit 45a99398cec3b7ad7ff9383694f0b53339f2d35a. A…