APPLE-SA-11-03-2025-3 macOS Sequoia 15.7.2 – Full Disclosure
Posted by Apple Product Security via Fulldisclosure on Nov 07 APPLE-SA-11-03-2025-3 macOS Sequoia 15.7.2 macOS Sequoia 15.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/125635. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Admin Framework Available for: macOS Sequoia Impact: …
Dovecot CVE-2025-30189: Auth cache causes access to wrong account – Full Disclosure
Posted by Aki Tuomi via Fulldisclosure on Oct 29 Affected product: Dovecot IMAP Server Internal reference: DOV-7830 Vulnerability type: CWE-1250 (Improper Preservation of Consistency Between Independent Representations of Shared State) Vulnerable version: 2.4.0, 2.4.1 Vulnerable component: auth Report confidence: Confirmed Solution status: Fixed in 2.4.2 Researcher credits: Erik <erik () broadlux com> Vendor notification: …
Re: “Glass Cage” – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885) – Full Disclosure
Posted by Christoph Gruber on Oct 29 It seems, the whole account is down
Posted by josephgoyd via Fulldisclosure on Oct 29 The exploit I caught in the wild and the flow of the attack chain are in this repo: https://github.com/JGoyd/Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201 The report was constructed via log analysis. -------- Original Message -------- It seems, the whole account is down
SEC Consult SA-20251029-0 :: Unprotected NFC card manipulation leading to free top-up in GiroWeb Cashless Catering Solutions (only legacy customer infrastructure) – Full Disclosure
Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 29 SEC Consult Vulnerability Lab Security Advisory < 20251029-0 > ======================================================================= title: Unprotected NFC card manipulation leading to free top-up product: GiroWeb Cashless Catering Solutions vulnerable version: Only legacy customer infrastructure using outdated Legic Prime or other insecure NFC cards fixed version: – CVE… – …
Stored HTML Injection – Layout Functionality – totaljsv5013 – Full Disclosure
Posted by Andrey Stoykov on Oct 28 # Exploit Title: Stored HTML Injection – Layout Functionality – totaljsv5013 # Date: 10/2025 # Exploit Author: Andrey Stoykov # Version: 5013 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-45-stored.html Stored HTML Injection – Layout Functionality: Steps to Reproduce: 1. Login with user and visit “Layouts” 2. …
Stored Cross-Site Scripting (XSS) via SVG File Upload – totaljsv5013 – Full Disclosure
Posted by Andrey Stoykov on Oct 28 # Exploit Title: Stored Cross-Site Scripting (XSS) via SVG File Upload – totaljsv5013 # Date: 10/2025 # Exploit Author: Andrey Stoykov # Version: 5013 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-46-stored.html Stored Cross-Site Scripting (XSS) via SVG File Upload: Steps to Reproduce: 1. Login with user …
SEC Consult SA-20251027-0 :: Unauthenticated Local File Disclosure in MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing Execution System #CVE-2025-12055 – Full Disclosure
Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 28 SEC Consult Vulnerability Lab Security Advisory < 20251027-0 > ======================================================================= title: Unauthenticated Local File Disclosure product: MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing Execution System vulnerable version: 10.14.STD, MIP 2 / FEDRA 2 / HYDRA X with Servicepack 8 …
Posted by Noor Christensen on Oct 28 Hi Joseph, Looks like your post with the technical details is down; I’m getting a 404 since yesterday. — kchr
Current Password not Required When Changing Password – totaljsv5013 – Full Disclosure
Posted by Andrey Stoykov on Oct 28 # Exploit Title: Current Password not Required When Changing Password – totaljsv5013 # Date: 10/2025 # Exploit Author: Andrey Stoykov # Version: 5013 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-43-current.html Current Password not Required When Changing Password: Steps to Reproduce: 1. Login with user and click …
Stored Cross-Site Scripting (XSS) – Layout Functionality – totaljsv5013 – Full Disclosure
Posted by Andrey Stoykov on Oct 28 # Exploit Title: Stored Cross-Site Scripting (XSS) – Layout Functionality – totaljsv5013 # Date: 10/2025 # Exploit Author: Andrey Stoykov # Version: 5013 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-44-stored.html Stored Cross-Site Scripting (XSS) – Layout Functionality: Steps to Reproduce: 1. Login with user and visit …
Struts2 and Related Framework Array/Collection DoS – Full Disclosure
Posted by Daniel Owens via Fulldisclosure on Oct 28 Struts2 has, since its inception and to today, contained a significant denial of service (DoS) vulnerability stemming from how the Struts2 default deserialiser parses and deserialises arrays, collections (including maps), and related objects. Specifically, Struts2 and related frameworks allow attackers to specify indices and adhere …
Posted by Matteo Beccati on Oct 25 ======================================================================== Revive Adserver Security Advisory REVIVE-SA-2025-001 ———————————————————————— https://www.revive-adserver.com/security/revive-sa-2025-001 ———————————————————————— CVE-ID: CVE-2025-27208 Date: 2025-10-22 Risk Level:…
Posted by Matteo Beccati on Oct 25 ======================================================================== Revive Adserver Security Advisory REVIVE-SA-2025-002 ———————————————————————— https://www.revive-adserver.com/security/revive-sa-2025-002 ———————————————————————— Date: 2025-10-24 Risk Level: High Applications affected: Revive…
BSidesSF 2026 CFP still open until October 28th – Full Disclosure
Posted by BSidesSF CFP via Fulldisclosure on Oct 21 BSidesSF is still soliciting submissions for the annual BSidesSF conference on March 21-22, 2026. Call for participation is currently open for both Informational/Collaborative Tracks. Our theme for 2026 is “BSidesSF: The Musical”. Deadline for submissions is OCTOBER 28, 2025. https://bsidessf.org/cfp BSidesSF (bsidessf.org) is a non-profit …
Malvuln – MISP compatible malware vulnerability intelligence feed now live – Full Disclosure
Posted by malvuln on Oct 21 Greetings, I created a MISP-compatible feed for Malvuln that provides malware-vulnerability intelligence; vulnerability types are normalized and mapped to the MITRE ATT&CK framework to improve tagging, correlation and threat analysis. https://intel.malvuln.com Track vulnerable malware, for researchers or anyone building CTI pipelines Existing data live now — new entries …
[SYSS-2025-015]: Verbatim Keypad Secure (security update v1.0.0.6) – Offline brute-force attack – Full Disclosure
Posted by Matthias Deeg via Fulldisclosure on Oct 21 Advisory ID: SYSS-2025-015 Product: Keypad Secure USB 3.2 Gen 1 Drive Manufacturer: Verbatim Affected Version(s): Part Number #49427 (GDMSLK03A-IN3637 VER1.0) Part Number #49428 (GDMSLK03A-IN3637 VER1.0) Tested Version(s): Part Number #49427 (GDMSLK03A-IN3637 VER1.0) Part Number #49428 (GDMSLK03A-IN3637 VER1.0) Vulnerability Type:…
[SYSS-2025-016]: Verbatim Store ‘n’ Go Secure Portable SSD (security update v1.0.0.6) – Offline brute-force attack – Full Disclosure
Posted by Matthias Deeg via Fulldisclosure on Oct 21 Advisory ID: SYSS-2025-016 Product: Store ‘n’ Go Secure Portable SSD Manufacturer: Verbatim Affected Version(s): Part Number #53402 (GDMSLK02 C-INIC3637-V1.1) Tested Version(s): Part Number #53402 (GDMSLK02 C-INIC3637-V1.1) Vulnerability Type: Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) Risk Level:…
[SYSS-2025-017]: Verbatim Store ‘n’ Go Secure Portable HDD (security update v1.0.0.6) – Offline brute-force attack – Full Disclosure
Posted by Matthias Deeg via Fulldisclosure on Oct 21 Advisory ID: SYSS-2025-017 Product: Store ‘n’ Go Secure Portable HDD Manufacturer: Verbatim Affected Version(s): Part Number #53401 (GD25LK01-3637-C VER4.0) Tested Version(s): Part Number #53401 (GD25LK01-3637-C VER4.0) Vulnerability Type: Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) Risk Level: High…
SEC Consult SA-20251021-0 :: Multiple Vulnerabilities in EfficientLab WorkExaminer Professional (CVE-2025-10639, CVE-2025-10640, CVE-2025-10641) – Full Disclosure
Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 21 SEC Consult Vulnerability Lab Security Advisory < 20251021-0 > ======================================================================= title: Multiple Vulnerabilities product: EfficientLab WorkExaminer Professional vulnerable version: <= 4.0.0.52001 fixed version: – CVE number: CVE-2025-10639, CVE-2025-10640, CVE-2025-10641 impact: Critical homepage:…
Google Firebase hosting suspension / “malware distribution” bypass – Full Disclosure
Posted by Security Explorations on Oct 21 Dear All, We have recently experienced “an outage” / unavailability of our website [1] due to Google suspending our Firebase project (the root for our website hosting). On Oct 16, 2025 (23:20 PM CET) we received a message [2] from Google Cloud Compliance, which indicated our hosting …
Urgent Security Vulnerabilities Discovered in Mercku Routers Model M6a – Full Disclosure
Posted by cve on Oct 18 The critical vulnerabilities discovered within Mercku routers, specifically the M6a model, that could pose serious security threats to home networks. These issues allow remote code execution with minimal effort, tested against version 2.1.0 of the official firmware. I have also submitted a CVE request in June 2024 (CVE …
Posted by Patrick via Fulldisclosure on Oct 18 —————————————————————————- Summary —————————————————————————- A CWE-601 (Open Redirect) vulnerability has been identified in the additnow functionality of apis.google.com. The vulnerability has been actively exploited in targeted phishing attacks since at least September 15, 2025….
CyberDanube Security Research 20251014-0 | Multiple Vulnerabilities in Phoenix Contact QUINT4 UPS – Full Disclosure
Posted by Thomas Weber | CyberDanube via Fulldisclosure on Oct 18 CyberDanube Security Research 20251014-0 ——————————————————————————- title| Multiple Vulnerabilities product| QUINT4-UPS vulnerable version| VC:00<VC:07 fixed version| VC:07 (partially) CVE number| CVE-2025-41703, CVE-2025-41704, CVE-2025-41705, | CVE-2025-41706, CVE-2025-41707 impact| High…