Aggregator

A vulnerability classified as critical has been found in Discourse up to 3.4.3/3.5.0.beta4/3.5.0.beta5-dev. Affected is the function allowed_iframes of the component Setting Handler. The manipulation leads to insecure automated optimizations. This vulnerability is traded as CVE-2025-48877. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in GIMP. Affected is the function ani_load_image of the component ANI File Parser. The manipulation leads to stack-based buffer overflow. This vulnerability is traded as CVE-2025-48796. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in WuKongOpenSource WukongCRM 9.0. This affects an unknown part of the file AdminSysConfigController.java of the component File Upload. The manipulation of the argument File leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-5879. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as problematic, has been found in Linux Kernel up to 6.15.0. Affected by this issue is some unknown functionality of the component net_sched. The manipulation of the argument cl_nactive leads to infinite loop. This vulnerability is handled as CVE-2025-38001. The attack needs to be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

450 млн параметров и ни одного GPU в обмороке.

Alleged admin access sale to multiple FinTech Companies in South America

A vulnerability classified as problematic was found in WPWeb WooCommerce Social Login Plugin up to 2.8.2 on WordPress. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. This vulnerability was named CVE-2025-39472. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in Discourse up to 3.4.3/3.5.0.beta4/3.5.0.beta5-dev. Affected is the function topic_title of the component Email Body Handler. The manipulation leads to basic cross site scripting. This vulnerability is traded as CVE-2025-48062. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in labring FastGPT up to 4.9.10. It has been declared as critical. This vulnerability affects unknown code of the component Python Module. The manipulation leads to incorrect permission assignment. This vulnerability was named CVE-2025-49131. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Tenda CP3 11.10.00.2311090948 and classified as critical. Affected by this vulnerability is the function sub_F3C8C of the file apollo. The manipulation leads to command injection. This vulnerability is known as CVE-2025-5763. The attack can be launched remotely. Furthermore, there is an exploit available.

A vulnerability has been found in Red Hat Keycloak and Single Sign-On and classified as critical. This vulnerability affects unknown code of the component Verification Policy. The manipulation leads to certificate with host mismatch. This vulnerability was named CVE-2025-3501. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in Discourse up to 3.4.3/3.5.0.beta4/3.5.0.beta5-dev. This issue affects some unknown processing. The manipulation leads to resource consumption. The identification of this vulnerability is CVE-2025-48053. The attack needs to be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in code-projects Traffic Offense Reporting System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. This vulnerability is uniquely identified as CVE-2025-5732. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability has been found in TOTOLINK X15 1.0.0-B20230714.1105 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formWlanRedirect of the component HTTP POST Request Handler. The manipulation of the argument redirect-url leads to buffer overflow. This vulnerability was named CVE-2025-5734. The attack can be initiated remotely. Furthermore, there is an exploit available.

Authors/Presenters: Matteo Rizzo, Kristoffer `spq` Janke, Eduardo Vela Nava and Josh Eads

Our sincere appreciation to OffensiveCon by Binary Gecko, and the Presenters/Authors for publishing their outstanding OffensiveCon 2025 video content. Originating from the conference’s events located at the Hilton Berlin; and via the organizations YouTube channel.

Thanks and a Tip O' The Hat to Verification Labs :: Penetration Testing Specialists :: Trey Blalock GCTI, GWAPT, GCFA, GPEN, GPCS, GCPN, CRISC, CISA, CISM, CISSP, SSCP, CDPSE for recommending the OffensiveCon 25 conference.

Permalink

The post OffensiveCon25 – Entrysign: Create Your Own x86 Microcode for Fun and Profit appeared first on Security Boulevard.

New PathWiper malware targeted Ukrainian critical infrastructure, using legitimate tools for cyber-attacks

Unit 221B’s Allison Nixon said crackdowns have effectively shown the group that their actions carry real consequences.

The post Internet infamy drives The Com’s crime sprees appeared first on CyberScoop.

Google has highlighted a significant uptick in cyberattacks and scams targeting US consumers, with a particular focus on stealing login credentials. The FBI reports that online scams generated a staggering $16.6 billion in losses last year, reflecting a 33% increase over the previous year. Over 60% of Americans have perceived a rise in scam attempts […]

The post Google Warns of Surge in Cyberattacks Targeting US Users to Steal Login Credentials appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

A vulnerability was found in Fortinet FortiOS up to 7.4.2. It has been declared as very critical. This vulnerability affects unknown code of the component SSL-VPN. The manipulation leads to out-of-bounds write. This vulnerability was named CVE-2024-21762. The attack can be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.