SQL injection UNION attack, finding a column containing text
文章介绍了一种SQL注入UNION攻击方法,通过确定查询返回的列数和识别兼容字符串数据的列来构造攻击,最终提取目标值。
Aggregator
Day 14: Blind SQL injection with time delays — Zero to Hero Time-Based Blind SQL Injection —…
5 months 2 weeks ago
文章介绍了一个时间盲SQL注入漏洞的实验过程。通过发送特定的payload(如`' || (SELECT pg_sleep(10))--`),攻击者可以利用PostgreSQL数据库的`pg_sleep`函数引发10秒延迟,从而确认漏洞的存在并推断数据库类型。
CVE-2025-48261 | MultiVendorX Plugin up to 4.2.22 on WordPress insertion of sensitive information into sent data
5 months 2 weeks ago
A vulnerability classified as problematic was found in MultiVendorX Plugin up to 4.2.22 on WordPress. Affected by this vulnerability is an unknown functionality. The manipulation leads to insertion of sensitive information into sent data.
This vulnerability is known as CVE-2025-48261. The attack can be launched remotely. There is no exploit available.
vuldb.com
CVE-2025-6152 | Steel Browser up to 0.1.3 files.routes.ts handleFileUpload filename path traversal (Issue 129 / EUVD-2025-18450)
5 months 2 weeks ago
A vulnerability, which was classified as critical, was found in Steel Browser up to 0.1.3. This affects the function handleFileUpload of the file api/src/modules/files/files.routes.ts. The manipulation of the argument filename leads to path traversal.
This vulnerability is uniquely identified as CVE-2025-6152. It is possible to initiate the attack remotely. There is no exploit available.
It is recommended to apply a patch to fix this issue.
vuldb.com
CVE-2025-32799 | conda-build up to 25.3.x path traversal (GHSA-h499-pxgj-qh5h)
5 months 2 weeks ago
A vulnerability was found in conda-build up to 25.3.x. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to path traversal.
This vulnerability is known as CVE-2025-32799. The attack can be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2025-5291 | Master Slider Plugin up to 3.10.8 on WordPress Shortcode ms_slide cross site scripting (EUVD-2025-18489)
5 months 2 weeks ago
A vulnerability was found in Master Slider Plugin up to 3.10.8 on WordPress. It has been rated as problematic. This issue affects the function ms_slide of the component Shortcode Handler. The manipulation leads to cross site scripting.
The identification of this vulnerability is CVE-2025-5291. The attack may be initiated remotely. There is no exploit available.
vuldb.com
CVE-2025-6140 | spdlog up to 1.15.1 pattern_formatter-inl.h scoped_padder resource consumption (Issue 3360 / Nessus ID 240225)
5 months 2 weeks ago
A vulnerability, which was classified as problematic, was found in spdlog up to 1.15.1. This affects the function scoped_padder in the library include/spdlog/pattern_formatter-inl.h. The manipulation leads to resource consumption.
This vulnerability is uniquely identified as CVE-2025-6140. It is possible to launch the attack on the local host. Furthermore, there is an exploit available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2025-6167 | themanojdesai python-a2a up to 0.5.5 api.py create_workflow path traversal (Issue 40 / EUVD-2025-18486)
5 months 2 weeks ago
A vulnerability classified as critical has been found in themanojdesai python-a2a up to 0.5.5. Affected is the function create_workflow of the file python_a2a/agent_flow/server/api.py. The manipulation leads to path traversal.
This vulnerability is traded as CVE-2025-6167. The attack can only be done within the local network. There is no exploit available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2025-6177 | Google ChromeOS 16063.45.2 MiniOS privileges management (Issue 382540 / EUVD-2025-18418)
5 months 2 weeks ago
A vulnerability classified as critical was found in Google ChromeOS 16063.45.2. Affected by this vulnerability is an unknown functionality of the component MiniOS. The manipulation leads to improper privilege management.
This vulnerability is known as CVE-2025-6177. It is possible to launch the attack on the local host. There is no exploit available.
vuldb.com
CVE-2025-6179 | Google ChromeOS 16181.27.0 Extension Management permission (Issue 399652 / EUVD-2025-18417)
5 months 2 weeks ago
A vulnerability, which was classified as critical, was found in Google ChromeOS 16181.27.0. This affects an unknown part of the component Extension Management. The manipulation leads to permission issues.
This vulnerability is uniquely identified as CVE-2025-6179. An attack has to be approached locally. There is no exploit available.
vuldb.com
CVE-2025-32798 | conda-build up to 25.3.x eval code injection (GHSA-6cc8-c3c9-3rgr)
5 months 2 weeks ago
A vulnerability has been found in conda-build up to 25.3.x and classified as critical. This vulnerability affects the function eval. The manipulation leads to code injection.
This vulnerability was named CVE-2025-32798. The attack can be initiated remotely. There is no exploit available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2025-49125 | Apache Tomcat up to 9.0.105/10.1.41/11.0.7 authentication bypass (EUVD-2025-18406 / Nessus ID 240060)
5 months 2 weeks ago
A vulnerability, which was classified as critical, was found in Apache Tomcat up to 9.0.105/10.1.41/11.0.7. This affects an unknown part. The manipulation leads to authentication bypass using alternate channel.
This vulnerability is uniquely identified as CVE-2025-49125. It is possible to initiate the attack remotely. There is no exploit available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2025-6129 | TOTOLINK EX1200T 4.1.2cu.5232_B20210713 HTTP POST Request /boafrm/formSaveConfig submit-url buffer overflow (EUVD-2025-18419)
5 months 2 weeks ago
A vulnerability classified as critical was found in TOTOLINK EX1200T 4.1.2cu.5232_B20210713. This vulnerability affects unknown code of the file /boafrm/formSaveConfig of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow.
This vulnerability was named CVE-2025-6129. The attack can be initiated remotely. Furthermore, there is an exploit available.
vuldb.com
90% aren’t ready for AI attacks, are you?
5 months 2 weeks ago
As AI reshapes business, 90% of organizations are not adequately prepared to secure their AI-driven future, according to a new report from Accenture. Globally, 63% of companies are in the “Exposed Zone,” indicating they lack both a cohesive cybersecurity strategy and necessary technical capabilities. Generative AI spend vs. security spend (Source: Accenture) The urgency of embedding cybersecurity by design The report reveals AI adoption has accelerated the speed, scale and sophistication of cyber threats, far … More →
The post 90% aren’t ready for AI attacks, are you? appeared first on Help Net Security.
Help Net Security
Critical Cisco Vulnerability in Unified CM Grants Root Access via Static Credentials
5 months 2 weeks ago
Cisco修复了Unified Communications Manager和Session Management Edition中的严重漏洞(CVSS 10.0),该漏洞因开发中保留root静态凭证导致攻击者可获取最高权限。
Critical Cisco Vulnerability in Unified CM Grants Root Access via Static Credentials
5 months 2 weeks ago
Cisco has released security updates to address a maximum-severity security flaw in Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME) that could permit an attacker to login to a susceptible device as the root user, allowing them to gain elevated privileges.
The vulnerability, tracked as CVE-2025-20309, carries a CVSS score
The Hacker News
2025-07-02: Lumma Stealer infection with follow-up Rsockstun malware
5 months 2 weeks ago
文章描述了Lumma Stealer恶意软件感染事件及其后续RSOCKSTUN恶意软件活动。Lumma Stealer通过伪装成视频下载器和Facebook限制器传播,利用密码保护的7-Zip存档分发恶意文件。感染后会下载RSOCKSTUN恶意软件,并通过特定C2服务器进行通信。
2025-07-02: Lumma Stealer infection with follow-up Rsockstun malware
5 months 2 weeks ago
Qilin
5 months 2 weeks ago
You must login to view this content
cohenido
AI 语音爆发的这半年,一位「局中人」看到的赛道爆发逻辑
5 months 2 weeks ago
当前环境异常,请完成验证后继续访问。