Tag: sql
-
Critical Flaw in ADOdb SQLite3 Driver Allows Arbitrary SQL Execution
A critical security vulnerability has been discovered in the popular ADOdb PHP database abstraction library that could allow attackers to execute arbitrary SQL statements, posing significant risks to applications using SQLite3 databases. The flaw, designated as CVE-2025-54119, affects all versions of ADOdb up to and including 5.22.9. Field Details CVE ID CVE-2025-54119 Vulnerability Type SQL…
-
OWASP LLM Risk #5: Improper Output Handling FireTail Blog
Tags: ai, application-security, attack, awareness, cyber, detection, email, injection, LLM, mitigation, monitoring, phishing, remote-code-execution, risk, sql, strategy, threat, vulnerability. Aug 04, 2025 – Lina Romero – 2025 is seeing an unprecedented surge of cyber attacks and breaches. AI, in particular, has introduced a whole new set of risks to the landscape and researchers are struggling to keep up. The OWASP Top 10 Risks for LLMs goes into detail about the ten most prevalent risks…
-
How bright are AI agents? Not very, recent reports suggest
CSOs should ‘skip the fluff’: Meghu’s advice to CSOs: “Stop reading the marketing and betting too much of your business on AI/LLM technology as it exists today. Start small and always have a human operator to guide it.” If you skip the fluff and get to the practical application, we have a new technology that could…
-
PHP PDO Flaw Allows Attackers to Inject Malicious SQL Commands
A critical vulnerability in PHP’s widely-used PDO (PHP Data Objects) library has been discovered that enables attackers to inject malicious SQL commands even when developers implement prepared statements correctly. The security flaw, revealed through analysis of a DownUnderCTF capture-the-flag challenge, exploits weaknesses in PDO’s SQL parser and affects millions of web applications worldwide. Technical Overview…
-
Week in review: Google fixes zero-day vulnerability in Chrome, critical SQL injection flaw in FortiWeb
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Update Google Chrome to fix actively exploited zero-day (CVE-2025-6558) For … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/07/20/week-in-review-google-fixes-zero-day-vulnerability-in-chrome-critical-sql-injection-flaw-in-fortiweb/
-
Exploits for unauthenticated FortiWeb RCE are public, so patch quickly! (CVE-2025-25257)
With two proof-of-concept (PoC) exploits made public late last week, CVE-2025-25257, a critical SQL command injection vulnerability in Fortinet’s FortiWeb web … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/07/14/exploits-for-unauthenticated-fortiweb-rce-are-public-so-patch-quickly-cve-2025-25257/
-
Critical Vulnerability Exposes Fortinet FortiWeb to Full Takeover (CVE-2025-25257)
WatchTowr Labs reveals CVE-2025-25257, a critical FortiWeb SQL injection allowing unauthenticated remote code execution. Patch your FortiWeb 7.0,… First seen on hackread.com Jump to article: hackread.com/critical-vulnerability-fortinet-fortiweb-cve-2025-25257/
-
Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)
Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances. Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0. “An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89]…
-
SQL Injection Prevention: 6 Ways to Protect Your Stack
SQL injection is a code injection technique that can expose your data. Learn 5 proven tactics to prevent attacks and secure your applications. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/how-to-prevent-sql-injection-attacks/
-
Microsoft Patch Tuesday addresses 130 vulnerabilities, none actively exploited
Researchers are especially concerned about a high-severity defect in SQL Server and a critical vulnerability in SPNEGO, a foundational protocol. First seen on cyberscoop.com Jump to article: cyberscoop.com/microsoft-patch-tuesday-july-2025/
-
Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day
Microsoft released Patch Tuesday security updates for July 2025, which addressed 130 flaws, including one Microsoft SQL Server zero-day. Microsoft Patch Tuesday security updates for July 2025 addressed 130 vulnerabilities in Windows and Windows Components, Office and Office Components, .NET and Visual Studio, Azure, Teams, Hyper-V, Windows BitLocker, Microsoft Edge (Chromium-based), and the Windows…
-
Microsoft Patches 130 Vulnerabilities, Including Critical Flaws in SPNEGO and SQL Server
For the first time in 2025, Microsoft’s Patch Tuesday updates did not bundle fixes for exploited security vulnerabilities, but the company acknowledged one of the addressed flaws had been publicly known. The patches resolve a whopping 130 vulnerabilities, along with 10 other non-Microsoft CVEs that affect Visual Studio, AMD, and its Chromium-based Edge browser. Of these…
-
Microsoft July 2025 Patch Tuesday fixes one zero-day, 137 flaws
Today is Microsoft’s July 2025 Patch Tuesday, which includes security updates for 137 flaws, including one publicly disclosed zero-day vulnerability in Microsoft SQL Server. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/microsoft/microsoft-july-2025-patch-tuesday-fixes-one-zero-day-137-flaws/
-
Multiple PHP Vulnerabilities Enable SQLi and DoS Attacks: Update Now
Security researchers have disclosed two significant vulnerabilities in PHP, the popular server-side scripting language, that could allow attackers to launch SQL injection (SQLi) and Denial of Service (DoS) attacks. According to the report, administrators and developers are urged to update their PHP installations immediately to mitigate these risks. CVE ID Component Severity Affected Versions Patched…
-
Pro-Iranian Hacktivist Group Leaks Personal Records from the 2024 Saudi Games
Thousands of personal records allegedly linked to athletes and visitors of the Saudi Games have been published online by a pro-Iranian hacktivist group called Cyber Fattah. Cybersecurity company Resecurity said the breach was announced on Telegram on June 22, 2025, in the form of SQL database dumps, characterizing it as an information operation “carried out by…
-
Cyberattacks on Humanitarian Orgs Jump Worldwide
These groups suffered three times the cyberattacks as the year previous, with DDoS attacks dominating and vulnerability scans and SQL injection also more common. First seen on darkreading.com Jump to article: www.darkreading.com/cyberattacks-data-breaches/attacks-humanitarian-orgs-jump-worldwide
-
Double Dash, Double Trouble: A Subtle SQL Injection Flaw
Can a simple dash character introduce a security risk? Discover how SQL line comments can open the door to unexpected injection vulnerabilities in several PostgreSQL client libraries! First seen on securityboulevard.com Jump to article: securityboulevard.com/2025/06/double-dash-double-trouble-a-subtle-sql-injection-flaw/
-
Ivanti Workspace Control hardcoded key flaws expose SQL credentials
Ivanti has released security updates to fix three high-severity hardcoded key vulnerabilities in the company’s Workspace Control (IWC) solution. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/ivanti-workspace-control-hardcoded-key-flaws-expose-sql-credentials/
-
Dumping Entra Connect Sync Credentials
Recently, Microsoft changed the way the Entra Connect Sync agent authenticates to Entra ID. These changes affect attacker tradecraft, as we can no longer export the sync account credentials; however, attackers can still take advantage of an Entra Connect sync account compromise and gain new opportunities that arise from the changes. How It Used To Work…
-
Web Application Firewall (WAF) Best Practices For Optimal Security
Web and mobile application code protection is a must-have security control. Modern solutions such as application layer firewalls help your organisation to keep those assets protected from threats like SQL injection, cross-site scripting and bot-driven attacks. This is where a Web Application Firewall (WAF) comes into the picture. A WAF has the capability of filtering…
-
‘Earth Lamia’ Exploits Known SQL, RCE Bugs Across Asia
A highly active Chinese threat group is taking proverbial candy from babies, exploiting known bugs in exposed servers to steal data from organizations in sensitive sectors. First seen on darkreading.com Jump to article: www.darkreading.com/threat-intelligence/earth-lamia-exploits-sql-rce-bugs-asia
-
China-Linked Hackers Exploit SAP and SQL Server Flaws in Attacks Across Asia and Brazil
The China-linked threat actor behind the recent in-the-wild exploitation of a critical security flaw in SAP NetWeaver has been attributed to a broader set of attacks targeting organizations in Brazil, India, and Southeast Asia since 2023. “The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted…
-
Earth Lamia Hackers Exploit Vulnerabilities in Web Applications to Attack Multiple Industries
Cybersecurity researchers at Trend Research have uncovered the aggressive operations of Earth Lamia, an Advanced Persistent Threat (APT) group with a China-nexus, targeting organizations across Brazil, India, and Southeast Asia since 2023. This threat actor has demonstrated a sophisticated approach to cyber intrusions by exploiting SQL injection vulnerabilities in web applications to infiltrate SQL servers…