Aggregator

CVE-2025-6318 | PHPGurukul Pre-School Enrollment System 1.0 check_availability.php Username sql injection (EUVD-2025-18729)

Vuldb Updates
5 months 2 weeks ago
A vulnerability classified as critical was found in PHPGurukul Pre-School Enrollment System 1.0. This vulnerability affects unknown code of the file /admin/check_availability.php. The manipulation of the argument Username leads to sql injection. This vulnerability was named CVE-2025-6318. The attack can be initiated remotely. Furthermore, there is an exploit available.
vuldb.com

CVE-2025-6287 | PHPGurukul COVID19 Testing Management System 1.0 Take Action /test-details.php remark cross site scripting (EUVD-2025-18707)

Vuldb Updates
5 months 2 weeks ago
A vulnerability classified as problematic was found in PHPGurukul COVID19 Testing Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /test-details.php of the component Take Action. The manipulation of the argument remark leads to cross site scripting. This vulnerability is known as CVE-2025-6287. The attack can be launched remotely. Furthermore, there is an exploit available.
vuldb.com

CVE-2004-2181 | WowBB Web Forum 1.61 view_user.php forum_id sql injection (EDB-25641 / Nessus ID 15557)

Vuldb Updates
5 months 2 weeks ago
A vulnerability was found in WowBB Web Forum 1.61. It has been rated as critical. This issue affects some unknown processing of the file view_user.php. The manipulation of the argument forum_id leads to sql injection. The identification of this vulnerability is CVE-2004-2181. The attack may be initiated remotely. Furthermore, there is an exploit available.
vuldb.com

The real story behind cloud repatriation in 2025

Help Net Security
5 months 2 weeks ago

In this Help Net Security video, Mark Wilson, Technology and Innovation Director at Node4, shares key insights from the company’s 2025 mid-market report. He explores the surprising trend of cloud repatriation, where 97% of mid-market organizations plan to move some workloads off the public cloud, and unpacks what’s really driving it. Wilson also discusses shifting strategic priorities, the disconnect between IT and business leaders, and why cybersecurity, compliance, and AI adoption rank lower than expected. … More →

The post The real story behind cloud repatriation in 2025 appeared first on Help Net Security.

Help Net Security

CVE-2005-3638 | Ekinboard 1.0.3 profile.php ID cross site scripting (EDB-26516 / BID-15447)

Vuldb Updates
5 months 2 weeks ago
A vulnerability, which was classified as problematic, has been found in Ekinboard 1.0.3. Affected by this issue is some unknown functionality of the file profile.php. The manipulation of the argument ID leads to basic cross site scripting. This vulnerability is handled as CVE-2005-3638. The attack may be launched remotely. Furthermore, there is an exploit available.
vuldb.com

CVE-2025-6278 | Upsonic up to 0.55.6 markdown/server.py os.path.join file.filename path traversal (Issue 356 / EUVD-2025-18698)

Vuldb Updates
5 months 2 weeks ago
A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown/server.py. The manipulation of the argument file.filename leads to path traversal. This vulnerability was named CVE-2025-6278. The attack needs to be initiated within the local network. Furthermore, there is an exploit available.
vuldb.com

CVE-2025-6279 | Upsonic up to 0.55.6 Pickle /tools/add_tool cloudpickle.loads deserialization (Issue 353 / EUVD-2025-18696)

Vuldb Updates
5 months 2 weeks ago
A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/add_tool of the component Pickle Handler. The manipulation leads to deserialization. The identification of this vulnerability is CVE-2025-6279. Access to the local network is required for this attack. Furthermore, there is an exploit available.
vuldb.com

CVE-2025-47293 | powsybl-core up to 6.7.1 XML Parser com.powsybl.commons.xml.XmlReader xml external entity reference (GHSA-qpj9-qcwx-8jv2 / EUVD-2025-18700)

Vuldb Updates
5 months 2 weeks ago
A vulnerability has been found in powsybl-core up to 6.7.1 and classified as critical. This vulnerability affects the function com.powsybl.commons.xml.XmlReader of the component XML Parser. The manipulation leads to xml external entity reference. This vulnerability was named CVE-2025-47293. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2025-6285 | PHPGurukul COVID19 Testing Management System 2021 search-report-result.php q cross site scripting (EUVD-2025-18703)

Vuldb Updates
5 months 2 weeks ago
A vulnerability was found in PHPGurukul COVID19 Testing Management System 2021. It has been rated as problematic. This issue affects some unknown processing of the file /search-report-result.php. The manipulation of the argument q leads to cross site scripting. The identification of this vulnerability is CVE-2025-6285. The attack may be initiated remotely. Furthermore, there is an exploit available.
vuldb.com

CVE-2025-6286 | PHPGurukul COVID19 Testing Management System 2021 search-report-result.php q redirect (EUVD-2025-18702)

Vuldb Updates
5 months 2 weeks ago
A vulnerability classified as problematic has been found in PHPGurukul COVID19 Testing Management System 2021. Affected is an unknown function of the file /search-report-result.php. The manipulation of the argument q leads to open redirect. This vulnerability is traded as CVE-2025-6286. It is possible to launch the attack remotely. Furthermore, there is an exploit available.
vuldb.com

Cybersecurity jobs available right now: June 24, 2025

Help Net Security
5 months 2 weeks ago

Cyber Security Analyst Ascendion | Singapore | On-site – View job details As a Cyber Security Analyst, you will lead incident response efforts, including forensic analysis, malware mitigation, and DoS attack resolution. Design and implement advanced security architectures with a focus on cloud and automation. Utilize AI/ML-enabled threat detection tools and frameworks, such as MITRE ATT&CK, to stay ahead of emerging threats. Cyber Security Engineer KBR | USA | On-site – View job details As … More →

The post Cybersecurity jobs available right now: June 24, 2025 appeared first on Help Net Security.

Anamarija Pogorelec

超过46000个Grafana实例暴露于账户接管漏洞

嘶吼
5 months 2 weeks ago

超过46000个暴露在互联网上的Grafana实例未打补丁,面临客户端开放重定向漏洞的威胁,该漏洞允许执行恶意插件并进行账户接管。

该漏洞被追踪为CVE-2025-4123,并影响用于监控和可视化基础设施和应用程序指标的多个版本的开源平台。这个漏洞是由漏洞赏金猎人Alvaro Balada发现的,并在Grafana Labs5月21日发布的安全更新中得到了解决。

然而,据应用安全公司OX security的研究人员称,截至撰写本文时,超过三分之一的公共互联网上可访问的Grafana实例尚未打补丁,他们将该漏洞称为“Grafana Ghost”。

分析师表示,他们的工作重点是展示将Balada的发现武器化的能力。在确定易受攻击的版本后,他们通过将数据与平台在整个生态系统中的分布相关联来评估风险。

他们发现128864个实例在线暴露,其中46506个实例仍在运行可被利用的易受攻击版本。这相当于约36%的百分比。

OX Security对CVE-2025-4123的深入分析发现,通过一系列利用步骤,结合客户端路径遍历和开放重定向机制,攻击者可以引诱受害者点击url,从而从威胁行为者控制的网站加载恶意Grafana插件。

研究人员说,恶意链接可以用来在用户的浏览器中执行任意JavaScript。

开发过程

该漏洞不需要提升权限,即使启用了匿名访问也可以发挥作用。该漏洞允许攻击者劫持用户会话,更改帐户凭证,并且,在安装了Grafana Image Renderer插件的情况下,执行服务器端请求伪造(SSRF)来读取内部资源。

虽然Grafana默认的内容安全策略(CSP)提供了一些保护,但由于客户端执行的限制,它不能防止利用。

OX Security的漏洞证明了CVE-2025-4123可以在客户端被利用,并且可以通过原生到Grafana的JavaScript路由逻辑来绕过现代浏览器规范化机制。

这使得攻击者可以利用URL处理不一致来提供恶意插件,从而修改用户的电子邮件地址,从而通过重置密码来劫持帐户。

尽管CVE-2025-4123有几个攻击要求,比如用户交互,受害者点击链接时的活跃用户会话,以及启用插件功能(默认启用),但大量暴露的实例和缺乏身份验证的需要创造了一个重要的攻击面。

为了降低被利用的风险,建议Grafana管理员升级到10.4.18+security-01、11.2.9+security-01、11.3.6+security-01、11.4.4+security-01、11.5.4+security-01、11.6.1+security-01和12.0.0+security-01版本。

胡金鱼

博士数量超过学界需求

Solidot
5 months 2 weeks ago
过去几十年全世界博士毕业生数量持续增长。传统上博士学位是终身学术生涯的垫脚石,但今天的博士毕业生数量远远超过了大学和研究机构的职位空缺数量。在 38 个经合组织(OECD)成员国中,1998-2017 年之间新增博士数量翻了几乎一番。中国博士生人数从 2013 年的 30 万增加到 2023 年的 60 多万,香港大学的 Hugo Horta 解释说,推动中国博士生人数增长的因素包括了学士和硕士学位人数快速增长,期望投资高等教育能带来更好的经济和社会前景。博士数量超过学界需求迫使博士毕业生以前所未有的速度转向非学术领域。2023 年针对英国 4500 多名博士毕业生的调查发现,逾三分之二博士在学术界以外就业。南非调查的 6000 多名博士毕业生中有 18% 表示难以找到与其专业相关的工作。部分国家开始调整博士课程。日本、德国和英国提供了博士学习期间的培训和带薪实习,其中包括“产业博士”项目,允许与企业合作开展研究。

Managed ad