FreePBX is a popular PBX system built around the open source VoIP system Asterisk. To manage Asterisk more easily, it provides a capable web-based admin interface. Sadly, like so many web applications, it has had its share of vulnerabilities in the past. Most recently, a SQL injection vulnerability was found that allows attackers to modify the database.
TL;DR: OnePlus implemented three custom ContentProviders in OxygenOS 12+ that expose SMS/MMS data without proper permission enforcement. After technical analysis of the implementation, the design choices raise questions about intent vs. negligence. Background: Rapid7 disclosed CVE-2025-10184 last week - a permission bypass vulnerability in OnePlus OxygenOS 12+ that allows unprivileged apps to read SMS/MMS content via SQL injection through custom ContentProviders. OnePlus was notified 9 times...
arXiv:2509.10488v1 Announce Type: new Abstract: This research focuses on transforming CVEs to hands-on educational lab for cybersecurity training. The study shows the practical application of CVEs by developing containerized lab environments- Docker to simulate real-world vulnerabilities like SQL Injection, arbitrary code execution, and improper SSL certificate validation. These labs has structured tutorials, pre- and post-surveys to evaluate learning outcomes, and remediation steps.Key...
IBM published a security bulletin disclosing a serious Blind SQL injection vulnerability in its IBM Watsonx Orchestrate Cartridge for IBM Cloud Pak for Data, assigned CVE-2025-0165. With a CVSS 3.1 base score of 7.6, this flaw could allow remote attackers with low privileges to compromise sensitive back-end databases by injecting malicious SQL statements. Key Takeaways1.
.webp)
NodeBB, a popular open-source forum platform, has been found vulnerable to a critical SQL injection flaw in version 4.3.0. The flaw, tracked as CVE-2025-50979, resides in the search-categories API endpoint, allowing unauthenticated, remote attackers to inject both boolean-based blind and PostgreSQL error-based payloads. Successful exploitation could lead to unauthorized data access, information disclosure, or further
![[webapps] Lingdang CRM 8.6.4.7 - SQL Injection](https://www.exploit-db.com/images/spider-orange.png)
Lingdang CRM 8.6.4.7 - SQL Injection
Hi everyone, I'm working on an open-source project: a SQL Injection scanner inspired by sqlmap and Havij. It detects SQLi correctly, but the database enumeration ( --dbs , --tables , --columns ) is not working . Current behavior: it only returns raw HTML tags (like <html> , <h1> , etc.) Expected behavior: should extract database names, tables, and columns Likely issue: enumeration module isn't being invoked from main.py 🔗 GitHub issue link (with more details):...
submitted by /u/digicat [link] [comments]
Learn how vulnerability in Anthropic's reference Postgres MCP server allowed us to bypass the read-only restriction and execute arbitrary SQL statements.
BigAnt Office Messenger 5.6.06 - SQL Injection