Aggregator

A vulnerability marked as critical has been reported in ChanCMS up to 3.3.1. Impacted is an unknown function of the file /search/. The manipulation with the input '%20or%201=1%20%23/words.html leads to sql injection. This vulnerability is referenced as CVE-2025-10110. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability described as critical has been identified in itsourcecode Student Information Management System 1.0. The affected element is an unknown function of the file /admin/modules/instructor/index.php. The manipulation of the argument ID results in sql injection. This vulnerability is identified as CVE-2025-10111. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability classified as critical has been found in itsourcecode Student Information Management System 1.0. The impacted element is an unknown function of the file /admin/modules/department/index.php. This manipulation of the argument ID causes sql injection. This vulnerability is tracked as CVE-2025-10112. The attack is possible to be carried out remotely. Moreover, an exploit is present.

A vulnerability classified as critical was found in itsourcecode Student Information Management System 1.0. This affects an unknown function of the file /admin/modules/room/index.php. Such manipulation of the argument ID leads to sql injection. This vulnerability is listed as CVE-2025-10113. The attack may be performed from remote. In addition, an exploit is available.

A vulnerability was found in PHPGurukul Small CRM 4.0 and classified as critical. Affected by this issue is some unknown functionality of the file /profile.php. The manipulation of the argument Name results in sql injection. This vulnerability is reported as CVE-2025-10114. The attack can be launched remotely. Moreover, an exploit is present.

A vulnerability was found in SiempreCMS up to 1.3.6. It has been classified as critical. This affects an unknown part of the file user_search_ajax.php. This manipulation of the argument name/userName causes sql injection. This vulnerability appears as CVE-2025-10115. The attack may be initiated remotely. In addition, an exploit is available.

A vulnerability was found in SiempreCMS up to 1.3.6. It has been declared as critical. This vulnerability affects unknown code of the file /docs/admin/file_upload.php. Such manipulation leads to unrestricted upload. This vulnerability is traded as CVE-2025-10116. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability categorized as problematic has been discovered in SourceCodester Simple To-Do List System 1.0. Impacted is an unknown function of the file /fetch_tasks.php of the component Add New Task. Executing manipulation with the input <script>alert('XSS')</script> can lead to cross site scripting. This vulnerability is handled as CVE-2025-10117. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability identified as critical has been detected in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1.0. The affected element is an unknown function of the file /login.php. The manipulation of the argument Username leads to sql injection. This vulnerability is uniquely identified as CVE-2025-10118. The attack is possible to be carried out remotely. Moreover, an exploit is present.

A vulnerability labeled as critical has been found in Tenda AC20 up to 16.03.08.12. The impacted element is the function strcpy of the file /goform/GetParentControlInfo. The manipulation of the argument mac results in buffer overflow. This vulnerability was named CVE-2025-10120. The attack may be performed from remote. In addition, an exploit is available.

Venezuelan President Nicolás Maduro made bold claims about cybersecurity during a press conference on September 1, 2025, as he showcased a Huawei smartphone gifted to him by Chinese President Xi Jinping. Holding up the device before international media in Caracas, Maduro declared it “the best phone in the world” and asserted that “the Americans can’t […]

The post Maduro Hails Huawei Mate X6 Gift From China as ‘Unhackable’ by U.S. appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Railway systems are the lifeblood of many economies, supporting everything from daily passenger transport to military and industrial operations, so the question arises: how secure are they from a cybersecurity perspective? Like all industries, the railway industry is undergoing its digital transformation. New technologies have improved safety and operational control over trains and tracks, but they have also introduced risks of sabotage that could lead to serious incidents, including collisions. A low-cost hack could bring … More →

The post Attackers test the limits of railway cybersecurity appeared first on Help Net Security.

Два космических аппарата против 500-тонного астероида.

A vulnerability classified as critical was found in MP4v2 2.0.0. This issue affects the function MP4StringProperty of the file mp4property.cpp. The manipulation results in double free. This vulnerability is reported as CVE-2018-14054. The attack can be launched remotely. No exploit exists.

A vulnerability was found in libmp4v2 2.1.0. It has been rated as critical. This affects the function mp4v2::impl::MP4Track::FinishSdtp of the file mp4track.cpp of the component MP4 File Handler. The manipulation leads to out-of-bounds read. This vulnerability is listed as CVE-2018-17235. The attack may be initiated remotely. There is no available exploit.

断链劫持指攻击者利用网站失效链接（如过期域名、停用社交媒体账号）获取控制权，用于篡改网站内容、钓鱼攻击或注入恶意脚本。检测时可点击链接查看是否返回404错误。

作者Swetha分享了自己进入开发、道德黑客和漏洞赏金领域的经历，并强调深入理解SQL的重要性。

AspGoat 是一个基于 ASP.NET Core 的故意漏洞 Web 应用程序，旨在帮助开发者、安全研究员和赏金猎人提升技能。它包含 OWASP Top 10 及其他漏洞的练习，并支持 Docker 快速部署。

文章探讨了包含消息体的GET请求如何导致Web缓存中毒。攻击者利用服务器对这类请求的处理漏洞，在缓存中注入恶意内容，引发跨站脚本（XSS）和基于缓存的攻击。

一位安全研究人员在浏览Freshdesk支持页面时发现了一个DOM-XSS漏洞。通过查看页面源代码，他发现一个脚本直接将API返回的tunnel.host和tunnel.ip拼接到DOM中，存在XSS风险。虽然未造成实际损害，但成功触发了alert(document.domain)。