#arbitrary-file-upload

[ follow ]
#smartermail #cve-2025-52691 #remote-code-execution #patch-update #freepbx #authentication-bypass #sql-injection
fromThe Hacker News
1 week ago

CSA Issues Alert on Critical SmarterMail Bug Allowing Remote Code Execution

The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution. The vulnerability, tracked as CVE-2025-52691, carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution without requiring any authentication.
Information security
fromThe Hacker News
3 weeks ago

FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE

CVE-2025-61675 (CVSS score: 8.6) - Numerous authenticated SQL injection vulnerabilities impacting four unique endpoints (basestation, model, firmware, and custom extension) and 11 affected parameters that enable read and write access to the underlying SQL database CVE-2025-61678 (CVSS score: 8.6) - An authenticated arbitrary file upload vulnerability that allows an attacker to exploit the firmware upload endpoint to upload a PHP web shell after obtaining a valid PHPSESSID and run arbitrary commands to leak the contents of sensitive files (e.g., "/etc/passwd")
Information security
Web development
fromThe Hacker News
7 months ago

Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin

A critical unpatched vulnerability in the TI WooCommerce Wishlist plugin allows unauthenticated attackers to upload arbitrary files.
[ Load more ]