Aggregator

CVE-2025-34033 | 5VTechnologies Blue Angel Software Suite GET Request webctrl.cgi ping_addr os command injection (Exploit 46792 / EUVD-2025-18969)

Vuldb Updates
1 month 3 weeks ago
A vulnerability has been found in 5VTechnologies Blue Angel Software Suite and classified as critical. Affected by this vulnerability is an unknown functionality of the file webctrl.cgi of the component GET Request Handler. The manipulation of the argument ping_addr leads to os command injection. This vulnerability is known as CVE-2025-34033. The attack can be launched remotely. Furthermore, there is an exploit available.
vuldb.com

Security Advisory: Anthropic's Slack MCP Server Vulnerable to Data Exfiltration

Embrace The Red
1 month 3 weeks ago
This is a security advisory for a data leakage and exfiltration vulnerability in a popular, but now deprecated and unmaintained, Slack MCP Server from Anthropic. If you are using this MCP server, or run an “MCP Store” that hosts it, it is advised that you analyze how this threat applies to your use case and apply a patch as needed. Anthropic’s Slack MCP Server When Anthropic introduced MCP they published reference server implementations on Github.

CVE-2025-48988 | Apache Tomcat up to 9.0.105/10.1.41/11.0.7 allocation of resources (EUVD-2025-18409 / Nessus ID 240060)

Vuldb Updates
1 month 3 weeks ago
A vulnerability, which was classified as problematic, has been found in Apache Tomcat up to 9.0.105/10.1.41/11.0.7. Affected by this issue is some unknown functionality. The manipulation leads to allocation of resources. This vulnerability is handled as CVE-2025-48988. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

What Water Utilities Need to Know About HMI Security and AI Solutions

Security Boulevard
1 month 3 weeks ago

Water and Wastewater Systems are increasingly becoming soft targets for sophisticated cyber attackers. A new joint fact sheet from the EPA and CISA puts this threat front and center, warning utilities about the growing risk of internet-exposed Human Machine Interfaces (HMIs). These essential components of water system operations are now being exploited—especially by state-sponsored and […]

The post What Water Utilities Need to Know About HMI Security and AI Solutions appeared first on Security Boulevard.

MixMode Threat Research

CVE-2012-6047 | X7 Group X7 Chat up to 1.2.0b index.php cross-site request forgery (EDB-18850 / OSVDB-81827)

Vuldb Updates
1 month 3 weeks ago
A vulnerability was found in X7 Group X7 Chat up to 1.2.0b and classified as problematic. Affected by this issue is some unknown functionality of the file index.php. The manipulation leads to cross-site request forgery. This vulnerability is handled as CVE-2012-6047. The attack may be launched remotely. Furthermore, there is an exploit available.
vuldb.com

Beyond SMS OTP: Why Major Organizations Are Abandoning Text-Based Authentication

Security Boulevard
1 month 3 weeks ago

The elimination of SMS OTP from major organizations and government systems represents an inevitable evolution toward more secure, cost-effective, and user-friendly authentication approaches. Organizations that recognize this trend and act proactively will find themselves better positioned competitively while avoiding the disruption and costs associated with forced transitions under regulatory deadlines.

The post Beyond SMS OTP: Why Major Organizations Are Abandoning Text-Based Authentication appeared first on Security Boulevard.

Dev Kumar

CVE-2019-11358 | Oracle Financial Services Hedge Management 8.0.4/8.0.5/8.0.6/8.0.7 RSA BSAFE cross site scripting (EDB-52141 / Nessus ID 208606)

Vuldb Updates
1 month 3 weeks ago
A vulnerability, which was classified as critical, has been found in Oracle Financial Services Hedge Management and IFRS Valuations 8.0.4/8.0.5/8.0.6/8.0.7. This issue affects some unknown processing of the component RSA BSAFE. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2019-11358. The attack may be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.
vuldb.com

SDL 76/100问:运营阶段,如何做好常态漏扫和情报产生的漏洞管理?

我的安全视界观
1 month 3 weeks ago
在SDL的运营阶段,安全活动包括漏洞预警、常态化扫描、SRC收洞、应急响应等,这里提问是关于前两类产生的漏洞管理。在每个阶段,对漏洞的管理目标和方法实则是有差异的,在运营阶段则是要以减少安全事件发生、及减少因事件导致的代价为目标。所以当从目标出发时,可以结合漏洞危害大小、利用难易程度、资产的重要性等方面进行综合考虑,设置不同的漏洞修复和响应要求。比如: 1、漏洞预警:互联网上热传的、被称为核弹级利用的漏洞,肯定是要求先修复,仅有CVE编号又未传播开的,甚至都不用管; 2、常态化扫描:互联网侧的资产优先被修复,可以被利用的漏洞优先修复,其他类型的漏洞则可以将优先级降低、不过不能遗漏。 关于漏洞生命周期管理,每家公司的水平不一样,比如有用jira、禅道、excel表格、漏洞管理系统等。从实践经验来看,最好还是要能关联上资产、联动工单系统等,才会更加便利。 1、SDL 100问 SDL100问:我与SDL的故事 SAST误报太高,如何解决? SDL需要哪些人参与? SDL如何做成平台化以及价值? 安全SDK提供安全API是怎么做的? 安全测试,测不出逻辑漏洞怎么办? 大家都有哪些SDL运营指标? 业务系统是否可以带漏洞上线? 有没有SDL相关的监管要求? SDL 75/100问:前期的安全设计与测试是否解决不同层面问题? 2、SDL创新实践 首发!“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键:研发安全团队 DevSecOps实施关键:研发安全流程 DevSecOps实施关键:研发安全规范 DevSecOps实施关键:研发安全工具 从安全视角,看研发安全 数字化转型下研发安全痛点 一个思考:安全测试驱动产品安全? 3、SDL最初实践 【SDL最初实践】开篇 【SDL最初实践】安全培训 【SDL最初实践】安全需求 【SDL最初实践】安全设计 【SDL最初实践】安全开发 【SDL最初实践】安全测试 【SDL最初实践】安全审核 【SDL最初实践】安全响应 4、安全运营实践 基于实践的安全事件简述 安全事件运营SOP:钓鱼邮件 安全事件运营SOP:网络攻击 安全事件运营SOP:蜜罐告警 安全事件运营SOP:webshell事件 安全事件运营SOP:接收漏洞事件 应急能力提升:实战应急困境与突破 应急能力提升:挖矿权限维持攻击模拟

CVE-2019-11358 | Oracle Financial Services Funds Transfer Pricing 8.0.4/8.0.5/8.0.6/8.0.7 jQuery cross site scripting (EDB-52141 / Nessus ID 208606)

Vuldb Updates
1 month 3 weeks ago
A vulnerability classified as critical was found in Oracle Financial Services Funds Transfer Pricing 8.0.4/8.0.5/8.0.6/8.0.7. This vulnerability affects unknown code of the component jQuery. The manipulation leads to cross site scripting. This vulnerability was named CVE-2019-11358. The attack can be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2025-5249 | PHPGurukul News Portal Project 4.1 /admin/add-category.php Category sql injection

Vuldb Updates
1 month 3 weeks ago
A vulnerability has been found in PHPGurukul News Portal Project 4.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/add-category.php. The manipulation of the argument Category leads to sql injection. This vulnerability is known as CVE-2025-5249. The attack can be launched remotely. Furthermore, there is an exploit available.
vuldb.com

CVE-2024-52588 | Strapi up to 4.25.1 Webhooks URL server-side request forgery (GHSA-v8wj-f5c7-pvxf)

Vuldb Updates
1 month 3 weeks ago
A vulnerability, which was classified as problematic, has been found in Strapi up to 4.25.1. Affected by this issue is some unknown functionality of the component Webhooks URL Handler. The manipulation leads to server-side request forgery. This vulnerability is handled as CVE-2024-52588. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

Managed ad