CVE-2025-48270 - SKT Blocks DOM-Based Cross-site Scripting (XSS)

CVE ID : CVE-2025-48270

Published : May 19, 2025, 3:15 p.m. | 1 hour, 13 minutes ago

Description : Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in sonalsinha21 SKT Blocks allows DOM-Based XSS. This issue affects SKT Blocks: from n/a through 2.2.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

CVE-2025-30159 – Kirby Path Traversal and Code Execution Vulnerability

May 13, 2025

CVE ID : CVE-2025-30159

Published : May 13, 2025, 3:15 p.m. | 1 hour, 9 minutes ago

Description : Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `snippet()` helper or `$kirby->snippet()` method with a dynamic snippet name (such as a snippet name that depends on request or user data). Sites that only use fixed calls to the `snippet()` helper/`$kirby->snippet()` method (i.e. calls with a simple string for the snippet name) are *not* affected. A missing path traversal check allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the snippets root or even outside of the Kirby installation. PHP code within such files was executed. Such attacks first require an attack vector in the site code that is caused by dynamic snippet names, such as `snippet(‘tags-‘ . get(‘tags’))`. It generally also requires knowledge of the site structure and the server’s file system by the attacker, although it can be possible to find vulnerable setups through automated methods such as fuzzing. In a vulnerable setup, this could cause damage to the confidentiality and integrity of the server. The problem has been patched in Kirby 3.9.8.3, Kirby 3.10.1.2, and Kirby 4.7.1. In all of the mentioned releases, Kirby maintainers have added a check for the snippet path that ensures that the resulting path is contained within the configured snippets root. Snippet paths that point outside of the snippets root will not be loaded.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

10 Top Node.js Development Companies for Enterprise-Scale Projects (2025-2026 Ranked & Reviewed)

12 Must-Know Cost Factors When Hiring Node.js Developers for Your Enterprise

Mirantis reveals Lens Prism, an AI copilot for operating Kubernetes clusters

Avoid these common platform engineering mistakes

Microsoft Gaming studios head Matt Booty says “overall portfolio strategy is unchanged” — with more than 40 games in production

Capcom reports that its Steam game sales have risen massively — despite flagship titles like Monster Hunter Wilds receiving profuse backlash from PC players

Cloudflare is fighting to safeguard “the future of the web itself” — standing directly in the way of leading AI firms

Microsoft reportedly lacks the know-how to fully leverage OpenAI’s tech — despite holding IP rights

Laravel in the First Half of 2025

Laravel in the First Half of 2025

PHP 8.5.0 Alpha 1 available for testing

Recording cross browser compatible media

GOnnect – easy to use VoIP client

GOnnect – easy to use VoIP client

Gnuinos – spin of Devuan Linux

5 Best Free and Open Source Backend Electronic Circuit Simulators

CVE-2025-48270 – SKT Blocks DOM-Based Cross-site Scripting (XSS)

Duizenden NetScaler-servers kwetsbaar voor CitrixBleed2, details snel openbaar

CVE-2025-23970 – Aonetheme Service Finder Booking Privilege Escalation

HPE OneView for VMware vCenter Allows Escalation of Privileges

U.S. Sanctions Russian Bulletproof Hosting Provider for Supporting Cybercriminals Behind Ransomware

CVE-2025-3444 – Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus LFI Vulnerability

Rilasciato Mozilla Firefox 139: Tutte le Novità

CVE-2025-30159 – Kirby Path Traversal and Code Execution Vulnerability

eslint-plugin-mutate

Leak shows Windows 11 25H2 with Build 26200, not a big release like Windows 11 24H2?

CVE-2025-4261 – GAIR-NLP Factool Code Injection Vulnerability

CVE-2025-48270 – SKT Blocks DOM-Based Cross-site Scripting (XSS)

Related Posts