Full Disclosure

Posted by Usman Saeed via Fulldisclosure on Aug 18#!/usr/bin/env python3 “”” Adaptive Multi-Protocol Traceroute Author: Usman Saeed email: u () defzero net<mailto:u () defzero net> Website: www.defzero.net<http://www.defzero.net> Description: This script is a TTL-based path mapper that reveals routes even when classic traceroute is filtered. The idea was that it would run in passes: first a conventional trace (ICMP Echo and rotating TCP SYN ports) to capture the…

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Aug 18Confidentiality class: Internal & Partner SEC Consult Vulnerability Lab Security Advisory < publishing date 20250728-0 > ======================================================================= title: Multiple Stored Cross-Site Scripting Vulnerabilities product: Optimizely Episerver Content Management System (EPiServer.CMS.Core) vulnerable version: Version 11.X: <11.21.4 Version 12.X:…

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Aug 18Confidentiality class: Internal & Partner SEC Consult Vulnerability Lab Security Advisory < publishing date 20250807-0 > ======================================================================= title: Race Condition in Shopware Voucher Submission product: Shopware 6 vulnerable version: v6.6.10.4 fixed version: No fixed version available yet CVE number: CVE-2025-7954 impact: medium…

Posted by Ron E on Aug 18nopCommerce is vulnerable to Insufficient Resource Allocation Limits when handling large Excel file imports. Although the application provides a warning message recommending that users avoid importing more than 500–1,000 records at once due to memory constraints, the system does not enforce hard limits on file size, record count, or concurrent imports. An attacker can exploit this by uploading excessively large Excel files or automating…

Posted by Ron E on Aug 18nopCommerce versions v4.10 and v4.80.3 are vulnerable to *C*SV Injection (Formula Injection) when exporting data to CSV. The application does not properly sanitize user-supplied input before including it in CSV export files. An attacker can inject malicious spreadsheet formulas into fields that will later be exported (for example, order details, product names, or customer information). When the exported file is opened in spreadsheet software…

Posted by Ron E on Aug 18nopCommerce v4.10 and 4.80.3 is vulnerable to Insufficient Invalidation of Session Cookies. The application does not properly invalidate or expire authentication cookies after logout or session termination. An attacker who obtains a valid session cookie (e.g., via network interception, XSS, or system compromise) can continue to use the cookie to access privileged endpoints (such as /Admin) even after the legitimate user has logged out. This flaw…

Posted by Ron E on Aug 18The application does not issue a new session identifier (JSESSIONID) after successful authentication. An attacker who can set or predict a victim’s session ID prior to login may hijack the victim’s authenticated session once they log in, resulting in full account takeover. POST /webui HTTP/2 Host: <host> Cookie: JSESSIONID=node01***.node0;

Posted by Ron E on Aug 18A CSV Injection vulnerability exists in iDempiere WebUI v12.0.0.202508171158. The application fails to properly sanitize user-supplied input before including it in exported CSV files. An authenticated attacker can inject malicious spreadsheet formulas (e.g., =cmd|’/C notepad’!A1) into fields that are later exported. When the CSV is opened in spreadsheet software such as Microsoft Excel or LibreOffice Calc, the injected formula is…

Posted by Ron E on Aug 18lcf2xml (part of liblcf) aborts when parsing specially crafted RPG Maker 2000/2003 files that supply a negative element count for vectors of structured records. The generic reader: template <class S> void Struct<S>::ReadLcf(std::vector<S>& vec, LcfReader& stream) { int count = stream.ReadInt(); vec.resize(count); // <— negative -> huge size_t -> throws length_error for (int i = 0; i…

Posted by Ron E on Aug 18A crafted RPG Maker save file (`.lsd`) can trigger an integer overflow in liblcf’s lcfstrings compressed integer decoding logic (`LcfReader::ReadInt()`), resulting in an unbounded shift and accumulation loop. The overflowed value is later used in buffer size allocations and structure parsing, causing large memory access requests and parsing errors. *Steps to Reproduce* 1. Use the attached `.lsd` file (see PoC section). 2. Run: `./lcfstrings…

Posted by Georg Lukas on Aug 18<PDF advisory: https://rt-solutions.de/piciorgros/Piciorgros_TMO-100_TFTP_en.pdf > Classification ————– – CWE-306: Missing Authentication for Critical Function – CWE-940: Improper Verification of Source of a Communication Channel – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor – CVSS 4.0 Score: 8.4 / High CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:N/SA:H – CVSS 3.1 Score: 8.3…

Posted by Georg Lukas on Aug 18PDF advisory: https://rt-solutions.de/piciorgros/Piciorgros_TMO-100_IP-Logger_en.pdf Classification ————– – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor – CVSS 4.0 Score: 5.3 / Medium CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N – CVSS 3.1 Score: 4.3 / Medium CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Affected systems —————- – Piciorgros TMO-100 V3/V4 with software version…

Posted by Jozef Sudolsky on Aug 18Dear community, I’d like to share a small tool I’ve recently released – CRSprober. This utility is designed to remotely detect the version of the OWASP CRS as well as the configured paranoia level on a target protected by ModSecurity + CRS. It works by sending specific payloads and analyzing the WAF’s responses to determine this information. This can be useful for testing, research, or verification purposes, especially when…

Posted by josephgoyd via Fulldisclosure on Aug 18TITLE: Undocumented TCC Access to Multiple Privacy Domains via ‘preflight=yes’ in iOS 18.6 AUTHOR: Joseph Goydish II DISCOVERY DATE: 2025-08-13 DEVICE: iPhone 14 Pro Max OS VERSION: iOS 18.6 (non-jailbroken, stock) SEVERITY: High ACCESS: USB debugging or local log access IMPACT: Silent, undocumented system access to sensitive user data across multiple TCC domains…

Posted by Security Explorations on Aug 12Dear All, On Jul 28, 2025 we provided Kigen with a report describing new security issue potentially affecting company’s eUICC cards. We did it regardless of Kigen refusal to provide us with patches / patching instructions, so that we could verify the content / quality of the fixes released by the company for previously reported JavaCard issues [1] (more on that and patching formula proposed by the company can be found on eSIM project…