Cve on less on sec

CVE-2025-65396: SPI Fault Enables Bootloader Access and Firmware Dump in Blurams Flare Camera

Wed, 14 Jan 2026 00:00:00 +0200

A vulnerability in the boot process of Blurams Flare Camera version 24.1114.151.929 and earlier allows a physically proximate attacker to hijack the boot mechanism and gain a bootloader shell via the UART interface. This is achieved by inducing a read error from the SPI flash memory during the boot, by shorting a data pin of the IC to ground. An attacker can then dump the entire firmware, leading to the disclosure of sensitive information including cryptographic keys and user configurations.

Vendor applied patches for the issue in software version 25.1119.177.2341.

Disclosure timeline

23/09/2025 First contacted with vendor
08/10/2025 Vulnerability report submitted to vendor
11/10/2025 Vulnerabilities confirmed
31/10/2025 Requested CVE IDs
29/11/2025 CVE IDs Reserverd
14/01/2026 Disclosure

CVE-2025-65397: Insecure Startup Script Allows Root Command Execution in Blurams Flare Camera

Wed, 14 Jan 2026 00:00:00 +0200

An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges, if file /opt/images/public_key.der is not present in the file system. The vulnerability can be triggered by providing a maliciously crafted auth.ini file on the device’s SD card.

Vendor applied patches for the issue in software version 25.1119.177.2341.

Disclosure timeline

CVE-2024-29019: Authentication Bypass via Cross Site Request Forgery in ESPhome

Wed, 20 Mar 2024 10:26:46 +0200

CVE-2024-27287: Cross-site Scripting (Stored) in ESPHome

Tue, 05 Mar 2024 10:26:46 +0200

CVE-2024-27081: Remote Code Execution via Arbitrary File Write in ESPHome

Sun, 25 Feb 2024 10:26:46 +0200

CVE-2023-27216: OS Command Injection Culnerability in D-Link DSL-3782

Tue, 11 Apr 2023 06:00:00 +0200

An issue found in D-Link DSL-3782 v.1.03 allows remote authenticated users to execute arbitrary code as root via OS command injection in multiple setting pages.

Settings known to be affected by this issues are:

Subnet mask fields in network configuration
Remote log server IP field in logging configuration
Every field in port forwarding configuration
Every field in static routes configuration

The input provided by the user is insufficiently sanitized by the server, so bypassing the client-checks it is possible to inject arbitrary strings directly into .sh scripts. Depending on the affected field, the maximum payload length allowed will be different. Generally speaking, it is possible to inject between 15 and 50 characters.

To exploit CVE-2023-27216 an attacker with remote access to the web interface of the D-Link DSL-3782 needs to inject a malicious payload into one of the affected fields. An example of working payload is: ; ping example.org #.

I contacted D-Link two times regarding this issue and received no response. The issue has been disclosed 60 days after the first contact with the vendor.

Disclosure timeline

11/02/2023 - First contact with vendor
23/02/2023 - CVE ID request
21/03/2023 - CVE ID reserved
21/03/2023 - Second contact with vendor
11/04/2023 - Public disclosure

CVE-2022-44900: Path Traversal Vulnerability in py7zr

Tue, 06 Dec 2022 22:19:25 +0100

Directory traversal vulnerability in SevenZipFile.extractall() function of the python library py7zr version 0.20.0 and earlier allow attackers to read and write arbitrary files on the local machine via malicious 7z file extraction.

To exploit CVE-2022-44900 vulnerability an attacker needs to create a malicious 7z archive containing a symlink to achieve an arbitrary file read and a file with a path traversal payload as name to achieve an arbitrary file write.

Exploiting

The script used for tests is the following:

import py7zr
import click

@click.command()
@click.argument("filename")

def main_procedure(filename):
	with py7zr.SevenZipFile(filename, 'r') as archive:
	    archive.extractall()
	
main_procedure()

The vulnerable function targeted is py7zr.SevenZipFile.extractall().

A lab setup has been built to test for vulnerabilities. Directories structured as follow were used:

├── start_point
│   ├── archive.7z
│   └── py7zr_test.py
└── target
    ├── write
    └── read

The start_point directory contains the script used for tests and the malicious archive containing the path traversal payload in the form of the filename of an archived file.

To achieve an arbitrary file write, one of the files in the archives needs to have ../target/write set as name. The content of the file will be written into target/write.

In a similar way, to achieve an arbitrary file read, a symlink pointing to ../target/read needs to be present in the archive. When extracted the symlink will consist of the content of target/read.

Disclosure timeline

29/10/2022 - Maintainer was notified privately of the vulnerabilities
30/10/2022 - Response from maintainer
01/11/2022 - Release of patched version 0.20.1
01/11/2022 - CVE ID request
06/12/2022 - CVE ID obtained
06/12/2022 - Public disclosure