CVE-2025-62763
Zimbra Collaboration (ZCS) before 10.1.12 allows SSRF because of the configuration of the chat proxy. More information: https://blog.zimbra.com/2025/10/patch-release-update-zimbra-10-1-12/
QDocs Smart School Management System 7.1 allows authenticated users with roles such as “accountant” or “admin” to bypass file type restrictions in the media upload feature by abusing the alternate YouTube URL option. This...
Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary JavaScript payloads into a comment. When...
Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user’s block...
Improper authentication in the web-based management interface of NETLINK HG322G V1.0.00-231017 allows a remote unauthenticated attacker to escalate privileges and lock out the legitimate administrator via crafted HTTP requests. More information: https://github.com/navy-birds-MRS/vuln-reports/blob/main/vendors/netlink/CVE-2025-60772/advisory.md
astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header...
Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back...
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to version 3.5.1, a reflected cross-site scripting (XSS) vulnerability was identified in the editar_info_pessoal.php endpoint of the...
The affected Raisecom devices allow SSH sessions to be established without completing user authentication. This could allow attackers to gain shell access without valid credentials. More information: https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-06
Cross-Site Scripting (XSS) vulnerability in Bang Resto v1.0 could allow an attacker to inject malicious JavaScript code into the application’s web pages. This vulnerability exists due to insufficient input sanitization or output encoding, allowing...
GeographicLib 2.5 is vulnerable to Buffer Overflow in GeoConvert DMS::InternalDecode. More information: https://github.com/geographiclib/geographiclib/issues/43
daicuocms V1.3.13 contains an arbitrary file upload vulnerability in the image upload feature. More information: https://github.com/jayfoxaa/yuhang-Zhou/blob/main/upload/readme.md
daicuocms V1.3.13 contains a SQL injection vulnerability in the file librarythinkdbBuilder.php. More information: https://github.com/wzy-most/zeyu-Wang/blob/main/sql/readme.md
The incomplete verification mechanism in the AutoBizLine com.mysecondline.app 1.2.91 allows attackers to log in as other users and gain unauthorized access to their personal information. More information: http://autobizline.com