Posted by Sanjay Singh on Jul 29
Hello Full Disclosure community,
I’m sharing details of a recently assigned CVE affecting a widely used
open‑source School Management System (PHP/MySQL).
——————————————–
CVE ID: CVE‑2025‑52187
Vulnerability Type: Stored Cross‑Site Scripting (XSS)
Attack Vector: Remote
Discoverer: Sanjay Singh
Vendor Repository:
https://github.com/GetProjectsIdea/Create-School-Management-System-with-PHP-MySQL
Version…
Posted by Egidio Romano on Jul 29
—————————————————————————————–
Invision Community <= 5.0.7 (oauth/callback) Reflected Cross-Site Scripting
Vulnerability
—————————————————————————————–
[-] Software Link:
https://invisioncommunity.com
[-] Affected Versions:
Certain 4.x versions before 4.7.21.
All 5.x versions before 5.0.8.
[-] Vulnerability Description:…
Posted by Palula Brasil on Jul 29
The following snippet in the text is associated with the wrong CVE number:
2.2 Possibility of injecting JavaScript code into the name of the visiting
network (XSS) – CVE-2025-26064
The correct CVE number for item 2.2 is CVE-2025-26065.
Posted by Andrey Stoykov on Jul 29
# Exploit Title: Stored XSS “Edit General Info” Functionality – seotoasterv2.5.0
# Date: 07/2025
# Exploit Author: Andrey Stoykov
# Version: 2.5.0
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/
Stored XSS “Edit General Info” Functionality #3:
Steps to Reproduce
1. Log in as admin and visit “Website ID Card” > “Website Id Card”
2. In the “Organization Name” add the following…
Posted by Andrey Stoykov on Jul 29
# Exploit Title: Stored XSS “Create Page” Functionality – seotoasterv2.5.0
# Date: 07/2025
# Exploit Author: Andrey Stoykov
# Version: 2.5.0
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/
Stored XSS “Create Page” Functionality #1:
Steps to Reproduce
1. Log in as admin and visit “Pages” > “Create a Page”
2. In the “Meta Description” add the following payload…
Posted by Andrey Stoykov on Jul 29
# Exploit Title: Open Redirect “Login Page” Functionality – seotoasterv2.5.0
# Date: 07/2025
# Exploit Author: Andrey Stoykov
# Version: 2.5.0
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/
Open Redirect “Login Page” Functionality #1:
Steps to Reproduce
Log in to the application, then add a Referer header pointing to the attacker's domain
// HTTP POST Request
POST /seotoaster/go HTTP/1.1
Host: 192.168.58.149…
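As an added example (not code from the post above or from the seotoaster project), this is the check a practitioner would want behind a Referer-driven "go back" endpoint such as /seotoaster/go: the browser is only ever sent to a target that resolves to an allow-listed host, and that target is re-emitted as a site-local path so no attacker-supplied host can reach the Location header. The host 192.168.58.149 is reused from the post's request as the assumed application host; the function name, the allow-list and the test inputs are assumptions for this example.

```python
from urllib.parse import urlsplit

# Assumed for this example: hosts the application may send a browser back to.
ALLOWED_HOSTS = {"192.168.58.149"}
DEFAULT_TARGET = "/"


def safe_redirect_target(referer, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Derive a redirect target from an attacker-controllable header.

    Returns a site-local path when the header points at an allow-listed host,
    otherwise the fixed default. The caller puts the result in Location.
    """
    if not referer:
        return default
    parts = urlsplit(referer.strip())
    # "//evil.example/x" parses with an empty scheme but a netloc; browsers
    # treat it as protocol-relative and leave the site, so require http(s).
    if parts.scheme not in ("http", "https"):
        return default
    host = (parts.hostname or "").lower()
    # Exact match: "192.168.58.149.evil.example" and "user@host" tricks
    # must not pass, so no prefix or substring comparison.
    if host not in allowed_hosts:
        return default
    path = parts.path or "/"
    # A path beginning "//" or "/\" is rewritten by browsers into a
    # protocol-relative URL, so reject both rather than echo them.
    if not path.startswith("/") or path[1:2] in ("/", "\\"):
        return default
    if parts.query:
        path += "?" + parts.query
    return path


if __name__ == "__main__":
    # Constructed sample Referer values (not from the post).
    for ref in (
        "https://192.168.58.149/seotoaster/dashboard?tab=1",
        "https://evil.example/",
        "//evil.example/",
        "https://192.168.58.149.evil.example/",
        "https://192.168.58.149/\\evil.example",
    ):
        print(f"{ref!r:55} -> {safe_redirect_target(ref)!r}")
```

Returning a path rather than the original URL is the design point: even if host parsing ever disagrees with the browser's, the response can only name a location on the site itself.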
Posted by Andrey Stoykov on Jul 29
# Exploit Title: Stored XSS “Edit Header” Functionality – seotoasterv2.5.0
# Date: 07/2025
# Exploit Author: Andrey Stoykov
# Version: 2.5.0
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/
Stored XSS “Edit Header” Functionality #1:
Steps to Reproduce:
Log in as an admin user and visit “News”
Click on “Edit Header Content” and enter the payload "><img src=x onerror=alert(1)>
//…
Posted by Egidio Romano on Jul 29
——————————————————————
SugarCRM <= 14.0.0 (css/preview) LESS Code Injection Vulnerability
——————————————————————
[-] Software Link:
https://www.sugarcrm.com
[-] Affected Versions:
All commercial versions before 13.0.4 and 14.0.1.
[-] Vulnerability Description:
User input passed through GET parameters to the /css/preview REST API
endpoint is not…
Posted by Marcus Krueppel on Jul 29
================== Overview ==================
TL;DR: Using the low-privilege “admin” user account via SSH on the IoT device “USB-Server-LXL” [1], it is possible to
modify the script /etc/init.d/lighttpd which is executed by root upon restart, leading to arbitrary code execution with
root privileges.
CVE: CVE-2025-52361
Suggested CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Suggested CVSS…
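The root cause class in the post above is an init script that root executes but a lower-privileged account can rewrite. As an added example (not code from the post or the device vendor), this audits a directory of init scripts for exactly that condition: scripts owned by an untrusted uid, group- or world-writable, or reached through a dangling symlink, plus a writable directory that would let a user swap a script out. The function name, the demo fixture and the trusted-uid parameter are assumptions for this example; the fixture builds a throwaway directory so the check runs offline.

```python
import os
import stat
import tempfile


def insecure_init_scripts(init_dir="/etc/init.d", trusted_uids=(0,)):
    """Return [(name, [reasons])] for entries a non-root user could change.

    Anything here runs as root at boot or on service restart, so each reason
    is a root privilege-escalation path. Symlinks are resolved so a link into
    a user-owned directory is judged by its target.
    """
    findings = []
    dir_st = os.stat(init_dir)
    dir_reasons = []
    if dir_st.st_uid not in trusted_uids:
        dir_reasons.append(f"directory owned by uid {dir_st.st_uid}")
    if dir_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        dir_reasons.append("directory writable by group/other")
    if dir_reasons:
        findings.append((".", dir_reasons))
    for name in sorted(os.listdir(init_dir)):
        path = os.path.join(init_dir, name)
        try:
            st = os.stat(path)  # follows symlinks
        except FileNotFoundError:
            findings.append((name, ["dangling symlink"]))
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        reasons = []
        if st.st_uid not in trusted_uids:
            reasons.append(f"owned by uid {st.st_uid}")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_demo_dir():
    """Constructed fixture (not a real device): one weak and one sane script."""
    d = tempfile.mkdtemp(prefix="initd-demo-")
    os.chmod(d, 0o755)
    for name, mode in (("lighttpd", 0o777), ("sshd", 0o755)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    return d


def demo():
    """Run the audit over the fixture, trusting the current uid as 'root'."""
    return insecure_init_scripts(build_demo_dir(), trusted_uids=(os.getuid(),))


if __name__ == "__main__":
    for name, reasons in demo():
        print(f"{name}: {', '.join(reasons)}")
```

On a real device the call is `insecure_init_scripts()` with the defaults; the fixture only exists so the example can be exercised without root.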
FEDORA-2025-7d08872494
Packages in this update:
libtiff-4.7.0-6.fc42
Update description:
fix CVE-2025-8176: use after free in tiffmedian (rhbz#2383821)
fix CVE-2025-8177: buffer overflow in thumbnail setrow when processing malformed TIFF (rhbz#2383827)