Overview

  • nmedia
  • Simple User Registration

26 Jun 2025
Published
27 Jun 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
15.65%

KEV

Description

The Simple User Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3. This is due to insufficient restrictions on user meta values that can be supplied during registration. This makes it possible for unauthenticated attackers to register as an administrator.

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

📌 Privilege Escalation Vulnerability in WordPress Simple User Registration Plugin (CVE-2025-4334) https://www.cyberhub.blog/article/15815-privilege-escalation-vulnerability-in-wordpress-simple-user-registration-plugin-cve-2025-4334
  • 0
  • 0
  • 0
  • 22h ago

Overview

  • SEIKO EPSON CORPORATION
  • EPSON WebConfig for SEIKO EPSON Projector Products

21 Nov 2025
Published
21 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.06%

KEV

Description

EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password may be identified through a brute force attack.

Statistics

  • 1 Post

Last activity: 13 hours ago

Fediverse

🚨 CRITICAL: CVE-2025-64310 in EPSON WebConfig for Projectors enables unlimited login attempts, risking brute force admin password attacks. Check vendor for affected versions & mitigation steps. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 13h ago

Overview

  • Microsoft
  • Windows 10 Version 1809

09 Sep 2025
Published
20 Nov 2025
Updated

CVSS v3.1
HIGH (7.0)
EPSS
0.06%

KEV

Description

Stack-based buffer overflow in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

CVE-2025-54099 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability scq.ms/4oQ0tUC #SecQube #cybersecurity
  • 0
  • 0
  • 0
  • 13h ago

Overview

  • Microsoft
  • Windows Server 2019

14 Oct 2025
Published
21 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
60.40%

Description

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

Statistics

  • 1 Post

Last activity: 9 hours ago

Bluesky

Analysis of a ShadowPad attack case exploiting the WSUS remote code execution vulnerability (CVE-2025-59287) - APT Malware
  • 0
  • 0
  • 0
  • 9h ago

Overview

  • Apache Software Foundation
  • Apache Tomcat

27 Oct 2025
Published
10 Nov 2025
Updated

CVSS
Pending
EPSS
0.21%

KEV

Description

Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

Statistics

  • 1 Post

Last activity: 11 hours ago

Bluesky

The latest update for #Indusface includes "Cloudflare Outage Nov 2025: Architectural Lessons for Building Resilient Infrastructure" and "CVE-2025-55752: Apache Tomcat Path Traversal Vulnerability". #cybersecurity #infosec https://opsmtrs.com/3ySs2VF
  • 0
  • 0
  • 0
  • 11h ago

Overview

  • Grafana
  • Grafana

22 May 2025
Published
22 Jul 2025
Updated

CVSS v3.1
HIGH (7.6)
EPSS
8.84%

KEV

Description

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive.

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

Unmasking CVE-2025-4123: The Grafana Open Redirect Vulnerability Phishers Don’t Want You to Find Introduction: Open redirect vulnerabilities, often underestimated, serve as a critical enabler for sophisticated phishing campaigns and security chain attacks. The recent discovery of CVE-2025-4123 in…
  • 0
  • 0
  • 0
  • 6h ago

Overview

  • workos
  • authkit-nextjs

21 Nov 2025
Published
21 Nov 2025
Updated

CVSS v4.0
HIGH (8.0)
EPSS
0.10%

KEV

Description

The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse

🚨 CVE-2025-64762 (HIGH): workos authkit-nextjs <2.11.1 fails to set anti-caching headers, risking session token leaks via CDN caches. Upgrade to 2.11.1+ or review CDN cache configs now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 10h ago

Overview

  • Oracle Corporation
  • Oracle Concurrent Processing

05 Oct 2025
Published
21 Oct 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
79.99%

Description

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 2 hours ago

Fediverse

Another Oracle zero-day security hole under attack

In October I reported on CVE-2025-61882, a zero-day vulnerability at Oracle. It had already been exploited for many attacks before its publication, and all the more after it. Those attacks in turn led to data leaks. Now a security company has published that it had found and reported another zero-day vulnerability (CVE-2025-61757) to Oracle even earlier. Oracle patched it with the October updates, but honeypot logs show attacks on it since 2025-08-30. Moreover, it is almost trivially easy to exploit: by appending ";.wadl", the

pc-fluesterer.info/wordpress/2

#Hintergrund #Warnung #0day #closedsource #cybercrime #exploits #hintertür #wissen

  • 1
  • 0
  • 0
  • 2h ago

Overview

  • OpenPrinting
  • cups-filters

12 Nov 2025
Published
13 Nov 2025
Updated

CVSS v3.1
MEDIUM (4.0)
EPSS
0.02%

KEV

Description

cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macOS. In cups-filters prior to 1.28.18, by crafting a PDF file with a large `MediaBox` value, an attacker can cause CUPS-Filter 1.x’s `pdftoraster` tool to write beyond the bounds of an array. First, a PDF with a large `MediaBox` width value causes `header.cupsWidth` to become large. Next, the calculation of `bytesPerLine = (header.cupsBitsPerPixel * header.cupsWidth + 7) / 8` overflows, resulting in a small value. Then, `lineBuf` is allocated with the small `bytesPerLine` size. Finally, `convertLineChunked` calls `writePixel8`, which attempts to write to `lineBuf` outside of its buffer size (out-of-bounds write). In libcupsfilters, the maintainers found the same `bytesPerLine` multiplication without an overflow check, but the provided test case does not cause an overflow there, because the values are different. Commit 50d94ca0f2fa6177613c97c59791bde568631865 contains a patch, which is incorporated into cups-filters version 1.28.18.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

#Ubuntu Security Alert: libcupsfilters vulnerabilities CVE-2025-57812 and CVE-2025-64503. Read more: 👉 tinyurl.com/yz3cd38s #Security
  • 0
  • 0
  • 0
  • 5h ago

Overview

  • VICIdial
  • VICIdial

10 Sep 2024
Published
04 Nov 2025
Updated

CVSS
Pending
EPSS
92.34%

KEV

Description

An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

Statistics

  • 2 Posts

Last activity: 8 hours ago

Fediverse

🚨 New plugin: ViciboxVersionPlugin (CVE-2024-8503, CVE-2024-8504).

VICIdial outdated version detection - unauthenticated SQL injection and authenticated RCE, versions <= 2.14-917a affected.

Results: leakix.net/search?q=%2Bplugin%

  • 0
  • 0
  • 1
  • 8h ago
Showing 21 to 30 of 41 CVEs