#web

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: SolisCloud Equipment: Monitoring Platform (Cloud API & Device Control API) Vulnerability: Authorization Bypass Through User-Controlled Key 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to access sensitive information by manipulating API requests. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of SolisCloud Monitoring Platform are affected: Monitoring Platform (Cloud API & Device Control API): API v1 and API v2 3.2 VULNERABILITY OVERVIEW 3.2.1 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639 The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any authenticated user can access detailed data of any plant by altering the plant_id in the request. CVE-2025-13932 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has bee...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: MAXHUB Equipment: MAXHUB Pivot Vulnerability: Weak Password Recovery Mechanism for Forgotten Password 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to request a password reset and gain unauthorized access to the account. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS MAXHUB reports the following versions of MAXHUB Pivot are affected: Pivot client application: All versions prior to v1.36.2 3.2 VULNERABILITY OVERVIEW 3.2.1 Weak Password Recovery Mechanism for Forgotten Password CWE-640 The password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account. CVE-2025-53704 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). A CVSS v4 score has also been calculated for CVE-2025-53704....

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Advantech Equipment: iView Vulnerability: SQL Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information, modify, or delete data. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Advantech products are affected: iView: 5.7.05.7057 3.2 VULNERABILITY OVERVIEW 3.2.1 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-89 Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands. CVE-2025-13373 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). A CVSS v4 score has also been calculated for CVE-2025-13373. A base score of 8.7 has been calculated; the CVSS vector string ...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.8 ATTENTION: Low attack complexity Vendor: Mitsubishi Electric Equipment: GX Works2 Vulnerability: Cleartext Storage of Sensitive Information 2. RISK EVALUATION Successful exploitation of this vulnerability could open project files protected by user authentication using disclosed credential information, and obtain or modify project information. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of GX Works2 are affected: GX Works2: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312 An attacker could disclose credential information stored in plaintext from project files. As a result, the attacker may be able to open project files protected by user authentication using disclosed credential information, and obtain or modify project information. CVE-2025-3784 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:...

Think your Wi-Fi is safe? Your coding tools? Or even your favorite financial apps? This week proves again how hackers, companies, and governments are all locked in a nonstop race to outsmart each other. Here’s a quick rundown of the latest cyber stories that show how fast the game keeps changing. DeFi exploit drains funds Critical yETH Exploit Used to Steal $9M

As 2025 draws to a close, security professionals face a sobering realization: the traditional playbook for web security has become dangerously obsolete. AI-powered attacks, evolving injection techniques, and supply chain compromises affecting hundreds of thousands of websites forced a fundamental rethink of defensive strategies. Here are the five threats that reshaped web security this year, and

Cybercriminals associated with a financially motivated group known as GoldFactory have been observed staging a fresh round of attacks targeting mobile users in Indonesia, Thailand, and Vietnam by impersonating government services. The activity, observed since October 2024, involves distributing modified banking applications that act as a conduit for Android malware, Group-IB said in a technical

Cloudflare on Wednesday said it detected and mitigated the largest ever distributed denial-of-service (DDoS) attack that measured at 29.7 terabits per second (Tbps). The activity, the web infrastructure and security company said, originated from a DDoS botnet-for-hire known as AISURU, which has been linked to a number of hyper-volumetric DDoS attacks over the past year. The attack lasted for 69

Cybersecurity today is about a lot more than just firewalls and antivirus software. As organisations adopt cloud computing,…

alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The zip/archiving functionality allows an attacker to create archives containing files and directories outside the intended scope due to improper path validation.