CVE-2025-46532 – Haris Zulfiqar Tooltip Cross-site Scripting (XSS)

April 24, 2025

CVE ID : CVE-2025-46532

Published : April 24, 2025, 4:15 p.m. | 2 hours, 44 minutes ago

Description : Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Haris Zulfiqar Tooltip allows DOM-Based XSS. This issue affects Tooltip: from n/a through 1.0.1.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-46533 – WordPress wpdrift.no Stored Cross-site Scripting (XSS)

Next Article CVE-2025-46531 – Ankur Vishwakarma WP AVCL Automation Helper SSRF Vulnerability

Highlights

CVE-2025-32441 – Rack Session Pool Session Hijacking Vulnerability

May 7, 2025

CVE ID : CVE-2025-32441

Published : May 7, 2025, 11:15 p.m. | 20 minutes ago

Description : Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests. When using the `Rack::Session::Pool` middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. Version 2.2.14 contains a patch for the issue. Some other mitigations are available. Either ensure the application invalidates sessions atomically by marking them as logged out e.g., using a `logged_out` flag, instead of deleting them, and check this flag on every request to prevent reuse; or implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.

Severity: 4.2 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

How To Prevent WordPress SQL Injection Attacks

Azul significantly cuts down on false positives in Java vulnerability detection with latest update to Azul Intelligence Cloud

The state of strategic portfolio management

Latest Harness IDP update better supports developer portals at scale

Xbox Games Showcase reveals Indiana Jones and the Great Circle to get new DLC this fall

Tony Hawk’s Pro Skater 3 + 4 demo now is available now if you preorder — Michelangelo is coming too

“The full Call of Duty package”: Black Ops 7 has been confirmed during the Xbox Games Showcase, and no, it is not an expansion

Final Fantasy VII Remake and Final Fantasy XVI are FINALLY launching for Xbox consoles — One of which is available right now!

Weather Detection System using PHP and MySQL

Weather Detection System using PHP and MySQL

Accessibility vs. Inclusive Design vs. Universal Design: Understanding the Differences

Community News: Latest PECL Releases (06.10.2025)

Xbox Games Showcase reveals Indiana Jones and the Great Circle to get new DLC this fall

Xbox Games Showcase reveals Indiana Jones and the Great Circle to get new DLC this fall

Tony Hawk’s Pro Skater 3 + 4 demo now is available now if you preorder — Michelangelo is coming too

“The full Call of Duty package”: Black Ops 7 has been confirmed during the Xbox Games Showcase, and no, it is not an expansion

CVE-2025-46532 – Haris Zulfiqar Tooltip Cross-site Scripting (XSS)

Two Mirai Botnets, Lzrd and Resgod Spotted Exploiting Wazuh Flaw

PoC Code Escalates Roundcube Vuln Threat

CVE-2025-46673 – NASA CryptoLib SDLS Protocol Bypass Vulnerability

CVE-2025-43878 – F5OS-C/A Appliance Mode Bypass Vulnerability

Competitive programming with AlphaCode

IRS open-sources Direct File tax software amid political and industry pushback – here’s why

CVE-2025-32441 – Rack Session Pool Session Hijacking Vulnerability

These OnePlus flagship earbuds were already a great deal, but now they’re $40 off

Kali Linux 2019.4 Upgrading and fixing errors | Using both GNOME and xfce

Microsoft Helps CBI Dismantle Indian Call Centers Behind Japanese Tech Support Scam

CVE-2025-46532 – Haris Zulfiqar Tooltip Cross-site Scripting (XSS)

Related Posts