CVE-2025-48114 – ShayanWeb Admin FontChanger CSRF Stored XSS

CVE ID : CVE-2025-48114

Published : May 16, 2025, 4:15 p.m. | 47 minutes ago

Description : Cross-Site Request Forgery (CSRF) vulnerability in Shayan Farhang Pazhooh ShayanWeb Admin FontChanger allows Stored XSS. This issue affects ShayanWeb Admin FontChanger: from n/a through 1.8.1.

Severity: 7.1 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

CVE-2025-48063 – XWiki Remote Code Execution via Required Rights Bypass

May 21, 2025

CVE ID : CVE-2025-48063

Published : May 21, 2025, 6:15 p.m. | 2 hours, 26 minutes ago

Description : XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn’t have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they’re not giving a right to a script or object that it didn’t have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check. Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impact of this attack to be low even though gaining programming right could have a high impact. This vulnerability has been patched in XWiki 16.10.4 and 17.1.0RC1. No known workarounds are available except for upgrading.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CodeSOD: A Unique Way to Primary Key

BrowserStack launches Figma plugin for detecting accessibility issues in design phase

Parasoft brings agentic AI to service virtualization in latest release

Node.js vs. Python for Backend: 7 Reasons C-Level Leaders Choose Node.js Talent

The best CRM software with email marketing in 2025: Expert tested and reviewed

This multi-port car charger can power 4 gadgets at once – and it’s surprisingly cheap

I’m a wearables editor and here are the 7 Pixel Watch 4 rumors I’m most curious about

8 ways I quickly leveled up my Linux skills – and you can too

The Intersection of Agile and Accessibility – A Series on Designing for Everyone

The Intersection of Agile and Accessibility – A Series on Designing for Everyone

Zero Trust & Cybersecurity Mesh: Your Org’s Survival Guide

Execute Ping Commands and Get Back Structured Data in PHP

A Tomb Raider composer has been jailed — His legacy overshadowed by $75k+ in loan fraud

A Tomb Raider composer has been jailed — His legacy overshadowed by $75k+ in loan fraud

“I don’t think I changed his mind” — NVIDIA CEO comments on H20 AI GPU sales resuming in China following a meeting with President Trump

Galaxy Z Fold 7 review: Six years later — Samsung finally cracks the foldable code

CVE-2025-48114 – ShayanWeb Admin FontChanger CSRF Stored XSS

CVE-2025-44658 – Netgear RAX30 PHP-FPM Misconfigured Extension Bypass Vulnerability

CVE-2025-7393 – Drupal Mail Login Authentication Bypass

Introducing AWS MCP Servers for code assistants (Part 1)

CVE-2025-52977 – Apache HTTP Server Stored XSS

DistroWatch Weekly, Issue 1130

Fostering An Accessibility Culture

CVE-2025-48063 – XWiki Remote Code Execution via Required Rights Bypass

TUXEDO Stellaris 16 Gen7: il nuovo laptop GNU/Linux con 128 GB di RAM e schermo HDR

CVE-2023-35816 – DevExpress TypeConverter Remote Code Execution Vulnerability

Microsoft Outlook goes down around the world – here’s what we know

CVE-2025-48114 – ShayanWeb Admin FontChanger CSRF Stored XSS

Related Posts