Krayin CRM 2.2.0 - Authenticated Arbitrary File Upload to RCE
Krayin CRM 2.2.0 ships a TinyMCE media-upload endpoint that accepts any file extension and stores the result on a publicly served Laravel disk.
Krayin CRM 2.2.0 - Authenticated Blind SQL Injection in Leads DataGrid
Krayin CRM 2.2.0 contains an authenticated blind time-based SQL injection in the Leads DataGrid. The `rotten_lead[in]` request parameter is concatenated directly into a `havingRaw()` expression without parameter binding, exposing the database to byte-by-byte extraction by any authenticated staff user.
Krayin CRM 2.2.0 - Cross-User IDOR Across Lead, Contact, and Activity Controllers
An authenticated cross-user IDOR vulnerability has been identified in Webkul's Krayin CRM 2.2.0.
Blind SQL Injection in Perfex CRM 3.4.1
Perfex CRM 3.4.1 pastes the `sort_by` request parameter directly into an ORDER BY clause with CodeIgniter's identifier escaping disabled. Any staff account — admin flag not required, zero role permissions is enough — can exploit this blind time-based SQL injection to read the entire application database, including the bcrypt-wrapped phpass hashes in `tblstaff.password`.
Perfex CRM 3.4.1 Cross-Tenant IDOR Vulnerability
Introducing Bytium Active: Digital Presence Health for Your Business
Bytium Active is a continuous monitoring product that watches the state of your business online — what's exposed, what's expiring, what looks broken, and what you'll need when a customer or insurer asks. Here's why we built it, what it does today, and what's coming next.
Security Isn't a Task. It's a System
Most organizations don’t fail at security because they don’t care. They fail because security is treated as something you do, not something you run.
Stored XSS in Perfex CRM 3.2.1 Contracts Module
Stored Cross-Site Scripting in Perfex CRM 3.2.1 Project Discussions
Stored XSS in Perfex CRM 3.2.1 project discussions allows authenticated clients to inject JavaScript that runs for other users.
Why 13,000 WordPress Sites Get Hacked Daily and How to Stop It
WordPress isn’t “insecure by default”, but outdated plugins, weak configs, and sloppy access control make it an easy target. Here’s how attacks happen and what to do.