CVE-2025-4119 – Weitong Mall Product Statistics Handler Improper Access Controls

April 30, 2025

CVE ID : CVE-2025-4119

Published : April 30, 2025, 2:15 p.m. | 2 hours, 42 minutes ago

Description : A vulnerability classified as critical was found in Weitong Mall 1.0.0. This vulnerability affects unknown code of the file /queryTotal of the component Product Statistics Handler. The manipulation of the argument isDelete with the input 1 leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Severity: 5.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-27134 – Joplin Privilege Escalation Vulnerability

Next Article CVE-2025-4121 – Netgear JWNR2000v2 Command Injection Vulnerability

Highlights

CVE-2025-43856 – Immich OAuth2 CSRF Account Hijacking Vulnerability

July 11, 2025

CVE ID : CVE-2025-43856

Published : July 11, 2025, 5:15 p.m. | 3 hours, 50 minutes ago

Description : immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through oauth2, because the state parameter is not being checked. The oauth2 state parameter is similar to a csrf token, so when the user starts the login flow this unpredictable token is generated and somehow saved in the browser session and passed to the identity provider, which will return the state parameter when redirecting the user back to immich. Before the user is logged in that parameter needs to be verified to make sure the login was actively initiated by the user in this browser session. On it’s own, this wouldn’t be too bad, but when immich uses the /user-settings page as a redirect_uri, it will automatically link the accounts if the user was already logged in. This means that if someone has an immich instance with a public oauth provider (like google), an attacker can – for example – embed a hidden iframe in a webpage or even just send the victim a forged oauth login url with a code that logs the victim into the attackers oauth account and redirects back to immich and links the accounts. After this, the attacker can log into the victims account using their own oauth credentials. This vulnerability is fixed in 1.132.0.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Top 15 Enterprise Use Cases That Justify Hiring Node.js Developers in 2025

The Core Model: Start FROM The Answer, Not WITH The Solution

AI-Generated Code Poses Major Security Risks in Nearly Half of All Development Tasks, Veracode Research Reveals

Understanding the code modernization conundrum

Not just YouTube: Google is using AI to guess your age based on your activity – everywhere

Malicious extensions can use ChatGPT to steal your personal data – here’s how

What Zuckerberg’s ‘personal superintelligence’ sales pitch leaves out

This handy NordVPN tool flags scam calls on Android – even before you answer

Route Optimization through Laravel’s Shallow Resource Architecture

Route Optimization through Laravel’s Shallow Resource Architecture

This Week in Laravel: Laracon News, Free Laravel Idea, and Claude Code Course

Everything We Know About Pest 4

FOSS Weekly #25.31: Kernel 6.16, OpenMandriva Review, Conky Customization, System Monitoring and More

FOSS Weekly #25.31: Kernel 6.16, OpenMandriva Review, Conky Customization, System Monitoring and More

Windows 11’s MSN Widgets board now opens in default browser, such as Chrome (EU only)

Microsoft’s new “move to Windows 11” campaign implies buying OneDrive paid plan

CVE-2025-4119 – Weitong Mall Product Statistics Handler Improper Access Controls

The hidden risks of browser extensions – and how to stay safe

Minnesota National Guard Deployed After Major Cyberattack on St. Paul City Systems

CVE-2025-48129 – Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light Privilege Escalation Vulnerability

CVE-2025-7912 – A vulnerability, which was classified as critical,

Windows 10 KB5058379 fixes WSL 2, direct download .msu installer

Motherhood and Career Balance in Tech: Stories from Perficient LATAM

CVE-2025-43856 – Immich OAuth2 CSRF Account Hijacking Vulnerability

The AI Fix #47: An AI is the best computer programmer in the world

CVE-2025-53867 – Island Lake WebBatch Remote Code Execution Vulnerability

CVE-2025-6316 – Code-projects Online Shoe Store SQL Injection Vulnerability

CVE-2025-4119 – Weitong Mall Product Statistics Handler Improper Access Controls

Related Posts