🚨 CVE-2025-34186
Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism. Unsanitized input is passed to a system() call for authentication, allowing attackers to inject special characters and manipulate command parsing. Due to the binary's interpretation of non-zero exit codes as successful authentication, remote attackers can bypass authentication and gain full access to the system.
🎖@cveNotify
Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism. Unsanitized input is passed to a system() call for authentication, allowing attackers to inject special characters and manipulate command parsing. Due to the binary's interpretation of non-zero exit codes as successful authentication, remote attackers can bypass authentication and gain full access to the system.
🎖@cveNotify
packetstorm.news
Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers
🚨 CVE-2025-10360
In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version.
🎖@cveNotify
In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version.
🎖@cveNotify
🚨 CVE-2025-21476
Memory corruption when passing parameters to the Trusted Virtual Machine during the handshake.
🎖@cveNotify
Memory corruption when passing parameters to the Trusted Virtual Machine during the handshake.
🎖@cveNotify
🚨 CVE-2025-21481
Memory corruption while performing private key encryption in trusted application.
🎖@cveNotify
Memory corruption while performing private key encryption in trusted application.
🎖@cveNotify
🚨 CVE-2025-21483
Memory corruption when the UE receives an RTP packet from the network, during the reassembly of NALUs.
🎖@cveNotify
Memory corruption when the UE receives an RTP packet from the network, during the reassembly of NALUs.
🎖@cveNotify
🚨 CVE-2025-21484
Information disclosure when UE receives the RTP packet from the network, while decoding and reassembling the fragments from RTP packet.
🎖@cveNotify
Information disclosure when UE receives the RTP packet from the network, while decoding and reassembling the fragments from RTP packet.
🎖@cveNotify
🚨 CVE-2025-21487
Information disclosure while decoding RTP packet received by UE from the network, when payload length mentioned is greater than the available buffer length.
🎖@cveNotify
Information disclosure while decoding RTP packet received by UE from the network, when payload length mentioned is greater than the available buffer length.
🎖@cveNotify
🚨 CVE-2025-21488
Information disclosure while decoding this RTP packet headers received by UE from the network when the padding bit is set.
🎖@cveNotify
Information disclosure while decoding this RTP packet headers received by UE from the network when the padding bit is set.
🎖@cveNotify
🚨 CVE-2025-27030
information disclosure while invoking calibration data from user space to update firmware size.
🎖@cveNotify
information disclosure while invoking calibration data from user space to update firmware size.
🎖@cveNotify
🚨 CVE-2025-27032
memory corruption while loading a PIL authenticated VM, when authenticated VM image is loaded without maintaining cache coherency.
🎖@cveNotify
memory corruption while loading a PIL authenticated VM, when authenticated VM image is loaded without maintaining cache coherency.
🎖@cveNotify
🚨 CVE-2025-27033
Information disclosure while running video usecase having rogue firmware.
🎖@cveNotify
Information disclosure while running video usecase having rogue firmware.
🎖@cveNotify
🚨 CVE-2025-27036
Information disclosure when Video engine escape input data is less than expected minimum size.
🎖@cveNotify
Information disclosure when Video engine escape input data is less than expected minimum size.
🎖@cveNotify
🚨 CVE-2025-27037
Memory corruption while processing config_dev IOCTL when camera kernel driver drops its reference to CPU buffers.
🎖@cveNotify
Memory corruption while processing config_dev IOCTL when camera kernel driver drops its reference to CPU buffers.
🎖@cveNotify
🚨 CVE-2025-47315
Memory corruption while handling repeated memory unmap requests from guest VM.
🎖@cveNotify
Memory corruption while handling repeated memory unmap requests from guest VM.
🎖@cveNotify
🚨 CVE-2022-48801
In the Linux kernel, the following vulnerability has been resolved:
iio: buffer: Fix file related error handling in IIO_BUFFER_GET_FD_IOCTL
If we fail to copy the just created file descriptor to userland, we
try to clean up by putting back 'fd' and freeing 'ib'. The code uses
put_unused_fd() for the former which is wrong, as the file descriptor
was already published by fd_install() which gets called internally by
anon_inode_getfd().
This makes the error handling code leaving a half cleaned up file
descriptor table around and a partially destructed 'file' object,
allowing userland to play use-after-free tricks on us, by abusing
the still usable fd and making the code operate on a dangling
'file->private_data' pointer.
Instead of leaving the kernel in a partially corrupted state, don't
attempt to explicitly clean up and leave this to the process exit
path that'll release any still valid fds, including the one created
by the previous call to anon_inode_getfd(). Simply return -EFAULT to
indicate the error.
🎖@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
iio: buffer: Fix file related error handling in IIO_BUFFER_GET_FD_IOCTL
If we fail to copy the just created file descriptor to userland, we
try to clean up by putting back 'fd' and freeing 'ib'. The code uses
put_unused_fd() for the former which is wrong, as the file descriptor
was already published by fd_install() which gets called internally by
anon_inode_getfd().
This makes the error handling code leaving a half cleaned up file
descriptor table around and a partially destructed 'file' object,
allowing userland to play use-after-free tricks on us, by abusing
the still usable fd and making the code operate on a dangling
'file->private_data' pointer.
Instead of leaving the kernel in a partially corrupted state, don't
attempt to explicitly clean up and leave this to the process exit
path that'll release any still valid fds, including the one created
by the previous call to anon_inode_getfd(). Simply return -EFAULT to
indicate the error.
🎖@cveNotify
🚨 CVE-2022-48803
In the Linux kernel, the following vulnerability has been resolved:
phy: ti: Fix missing sentinel for clk_div_table
_get_table_maxdiv() tries to access "clk_div_table" array out of bound
defined in phy-j721e-wiz.c. Add a sentinel entry to prevent
the following global-out-of-bounds error reported by enabling KASAN.
[ 9.552392] BUG: KASAN: global-out-of-bounds in _get_maxdiv+0xc0/0x148
[ 9.558948] Read of size 4 at addr ffff8000095b25a4 by task kworker/u4:1/38
[ 9.565926]
[ 9.567441] CPU: 1 PID: 38 Comm: kworker/u4:1 Not tainted 5.16.0-116492-gdaadb3bd0e8d-dirty #360
[ 9.576242] Hardware name: Texas Instruments J721e EVM (DT)
[ 9.581832] Workqueue: events_unbound deferred_probe_work_func
[ 9.587708] Call trace:
[ 9.590174] dump_backtrace+0x20c/0x218
[ 9.594038] show_stack+0x18/0x68
[ 9.597375] dump_stack_lvl+0x9c/0xd8
[ 9.601062] print_address_description.constprop.0+0x78/0x334
[ 9.606830] kasan_report+0x1f0/0x260
[ 9.610517] __asan_load4+0x9c/0xd8
[ 9.614030] _get_maxdiv+0xc0/0x148
[ 9.617540] divider_determine_rate+0x88/0x488
[ 9.622005] divider_round_rate_parent+0xc8/0x124
[ 9.626729] wiz_clk_div_round_rate+0x54/0x68
[ 9.631113] clk_core_determine_round_nolock+0x124/0x158
[ 9.636448] clk_core_round_rate_nolock+0x68/0x138
[ 9.641260] clk_core_set_rate_nolock+0x268/0x3a8
[ 9.645987] clk_set_rate+0x50/0xa8
[ 9.649499] cdns_sierra_phy_init+0x88/0x248
[ 9.653794] phy_init+0x98/0x108
[ 9.657046] cdns_pcie_enable_phy+0xa0/0x170
[ 9.661340] cdns_pcie_init_phy+0x250/0x2b0
[ 9.665546] j721e_pcie_probe+0x4b8/0x798
[ 9.669579] platform_probe+0x8c/0x108
[ 9.673350] really_probe+0x114/0x630
[ 9.677037] __driver_probe_device+0x18c/0x220
[ 9.681505] driver_probe_device+0xac/0x150
[ 9.685712] __device_attach_driver+0xec/0x170
[ 9.690178] bus_for_each_drv+0xf0/0x158
[ 9.694124] __device_attach+0x184/0x210
[ 9.698070] device_initial_probe+0x14/0x20
[ 9.702277] bus_probe_device+0xec/0x100
[ 9.706223] deferred_probe_work_func+0x124/0x180
[ 9.710951] process_one_work+0x4b0/0xbc0
[ 9.714983] worker_thread+0x74/0x5d0
[ 9.718668] kthread+0x214/0x230
[ 9.721919] ret_from_fork+0x10/0x20
[ 9.725520]
[ 9.727032] The buggy address belongs to the variable:
[ 9.732183] clk_div_table+0x24/0x440
🎖@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
phy: ti: Fix missing sentinel for clk_div_table
_get_table_maxdiv() tries to access "clk_div_table" array out of bound
defined in phy-j721e-wiz.c. Add a sentinel entry to prevent
the following global-out-of-bounds error reported by enabling KASAN.
[ 9.552392] BUG: KASAN: global-out-of-bounds in _get_maxdiv+0xc0/0x148
[ 9.558948] Read of size 4 at addr ffff8000095b25a4 by task kworker/u4:1/38
[ 9.565926]
[ 9.567441] CPU: 1 PID: 38 Comm: kworker/u4:1 Not tainted 5.16.0-116492-gdaadb3bd0e8d-dirty #360
[ 9.576242] Hardware name: Texas Instruments J721e EVM (DT)
[ 9.581832] Workqueue: events_unbound deferred_probe_work_func
[ 9.587708] Call trace:
[ 9.590174] dump_backtrace+0x20c/0x218
[ 9.594038] show_stack+0x18/0x68
[ 9.597375] dump_stack_lvl+0x9c/0xd8
[ 9.601062] print_address_description.constprop.0+0x78/0x334
[ 9.606830] kasan_report+0x1f0/0x260
[ 9.610517] __asan_load4+0x9c/0xd8
[ 9.614030] _get_maxdiv+0xc0/0x148
[ 9.617540] divider_determine_rate+0x88/0x488
[ 9.622005] divider_round_rate_parent+0xc8/0x124
[ 9.626729] wiz_clk_div_round_rate+0x54/0x68
[ 9.631113] clk_core_determine_round_nolock+0x124/0x158
[ 9.636448] clk_core_round_rate_nolock+0x68/0x138
[ 9.641260] clk_core_set_rate_nolock+0x268/0x3a8
[ 9.645987] clk_set_rate+0x50/0xa8
[ 9.649499] cdns_sierra_phy_init+0x88/0x248
[ 9.653794] phy_init+0x98/0x108
[ 9.657046] cdns_pcie_enable_phy+0xa0/0x170
[ 9.661340] cdns_pcie_init_phy+0x250/0x2b0
[ 9.665546] j721e_pcie_probe+0x4b8/0x798
[ 9.669579] platform_probe+0x8c/0x108
[ 9.673350] really_probe+0x114/0x630
[ 9.677037] __driver_probe_device+0x18c/0x220
[ 9.681505] driver_probe_device+0xac/0x150
[ 9.685712] __device_attach_driver+0xec/0x170
[ 9.690178] bus_for_each_drv+0xf0/0x158
[ 9.694124] __device_attach+0x184/0x210
[ 9.698070] device_initial_probe+0x14/0x20
[ 9.702277] bus_probe_device+0xec/0x100
[ 9.706223] deferred_probe_work_func+0x124/0x180
[ 9.710951] process_one_work+0x4b0/0xbc0
[ 9.714983] worker_thread+0x74/0x5d0
[ 9.718668] kthread+0x214/0x230
[ 9.721919] ret_from_fork+0x10/0x20
[ 9.725520]
[ 9.727032] The buggy address belongs to the variable:
[ 9.732183] clk_div_table+0x24/0x440
🎖@cveNotify
🚨 CVE-2025-50579
A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data, particularly JWT tokens, due to improper validation of the Origin header. This misconfiguration enables attackers to intercept tokens using a simple browser script and exfiltrate them to a remote attacker-controlled server, potentially leading to unauthorized actions within the application.
🎖@cveNotify
A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data, particularly JWT tokens, due to improper validation of the Origin header. This misconfiguration enables attackers to intercept tokens using a simple browser script and exfiltrate them to a remote attacker-controlled server, potentially leading to unauthorized actions within the application.
🎖@cveNotify
GitHub
GitHub - NginxProxyManager/nginx-proxy-manager: Docker container for managing Nginx proxy hosts with a simple, powerful interface
Docker container for managing Nginx proxy hosts with a simple, powerful interface - NginxProxyManager/nginx-proxy-manager