π¨ CVE-2025-21048
Relative path traversal in Knox Enterprise prior to SMR Oct-2025 Release 1 allows local attackers to execute arbitrary code.
π@cveNotify
Relative path traversal in Knox Enterprise prior to SMR Oct-2025 Release 1 allows local attackers to execute arbitrary code.
π@cveNotify
π¨ CVE-2025-21049
Improper access control in SecSettings prior to SMR Oct-2025 Release 1 allows local attackers to access sensitive information. User interaction is required for triggering this vulnerability.
π@cveNotify
Improper access control in SecSettings prior to SMR Oct-2025 Release 1 allows local attackers to access sensitive information. User interaction is required for triggering this vulnerability.
π@cveNotify
π¨ CVE-2025-21050
Improper input validiation in Contacts prior to SMR Oct-2025 Release 1 allows local attackers to access data across multiple user profiles.
π@cveNotify
Improper input validiation in Contacts prior to SMR Oct-2025 Release 1 allows local attackers to access data across multiple user profiles.
π@cveNotify
π¨ CVE-2025-21051
Out-of-bounds write in the pre-processing of JPEG decoding in libpadm.so prior to SMR Oct-2025 Release 1 allows local attackers to write out-of-bounds memory.
π@cveNotify
Out-of-bounds write in the pre-processing of JPEG decoding in libpadm.so prior to SMR Oct-2025 Release 1 allows local attackers to write out-of-bounds memory.
π@cveNotify
π¨ CVE-2025-21052
Out-of-bounds write under specific condition in the pre-processing of JPEG decoding in libpadm.so prior to SMR Oct-2025 Release 1 allows local attackers to cause memory corruption.
π@cveNotify
Out-of-bounds write under specific condition in the pre-processing of JPEG decoding in libpadm.so prior to SMR Oct-2025 Release 1 allows local attackers to cause memory corruption.
π@cveNotify
π¨ CVE-2025-21053
Out-of-bounds write in the parsing header for JPEG decoding in libpadm.so prior to SMR Oct-2025 Release 1 allows local attackers to cause memory corruption.
π@cveNotify
Out-of-bounds write in the parsing header for JPEG decoding in libpadm.so prior to SMR Oct-2025 Release 1 allows local attackers to cause memory corruption.
π@cveNotify
π¨ CVE-2025-21054
Out-of-bounds read in the parsing header for JPEG decoding in libpadm.so prior to SMR Oct-2025 Release 1 allows local attackers to potentially access out-of-bounds memory.
π@cveNotify
Out-of-bounds read in the parsing header for JPEG decoding in libpadm.so prior to SMR Oct-2025 Release 1 allows local attackers to potentially access out-of-bounds memory.
π@cveNotify
π¨ CVE-2025-21055
Out-of-bounds read and write in libimagecodec.quram.so prior to SMR Oct-2025 Release 1 allows remote attackers to access out-of-bounds memory.
π@cveNotify
Out-of-bounds read and write in libimagecodec.quram.so prior to SMR Oct-2025 Release 1 allows remote attackers to access out-of-bounds memory.
π@cveNotify
π¨ CVE-2025-21057
Use of implicit intent for sensitive communication in Samsung Notes prior to version 4.4.30.63 allows local attackers to access shared notes.
π@cveNotify
Use of implicit intent for sensitive communication in Samsung Notes prior to version 4.4.30.63 allows local attackers to access shared notes.
π@cveNotify
π¨ CVE-2025-21058
Improper access control in Routines prior to version 4.8.7.1 in Android 15 and 4.9.6.0 in Android 16 allows local attackers to potentially execute arbitrary code with SystemUI privilege.
π@cveNotify
Improper access control in Routines prior to version 4.8.7.1 in Android 15 and 4.9.6.0 in Android 16 allows local attackers to potentially execute arbitrary code with SystemUI privilege.
π@cveNotify
π¨ CVE-2025-21059
Improper authorization in Samsung Health prior to version 6.30.5.105 allows local attackers to access data in Samsung Health.
π@cveNotify
Improper authorization in Samsung Health prior to version 6.30.5.105 allows local attackers to access data in Samsung Health.
π@cveNotify
π¨ CVE-2025-21060
Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access backup data from applications. User interaction is required for triggering this vulnerability.
π@cveNotify
Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access backup data from applications. User interaction is required for triggering this vulnerability.
π@cveNotify
π¨ CVE-2025-21061
Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access sensitive data. User interaction is required for triggering this vulnerability.
π@cveNotify
Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access sensitive data. User interaction is required for triggering this vulnerability.
π@cveNotify
π¨ CVE-2025-21062
Use of a broken or risky cryptographic algorithm in Smart Switch prior to version 3.7.67.2 allows local attackers to replace the restoring application. User interaction is required for triggering this vulnerability.
π@cveNotify
Use of a broken or risky cryptographic algorithm in Smart Switch prior to version 3.7.67.2 allows local attackers to replace the restoring application. User interaction is required for triggering this vulnerability.
π@cveNotify
π¨ CVE-2025-21063
Improper access control in Samsung Voice Recorder prior to version 21.5.73.12 in Android 15 and 21.5.81.40 in Android 16 allows physical attackers to access recording files on the lock screen.
π@cveNotify
Improper access control in Samsung Voice Recorder prior to version 21.5.73.12 in Android 15 and 21.5.81.40 in Android 16 allows physical attackers to access recording files on the lock screen.
π@cveNotify
π¨ CVE-2025-40646
Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to β/crm/create_job_submit.phpβ, using the βJobCreatedByβ parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
π@cveNotify
Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to β/crm/create_job_submit.phpβ, using the βJobCreatedByβ parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in Energy CRM by Status Tracker
INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Energy CRM by
π¨ CVE-2025-40640
Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to β/crm/create_invoice_submit.phpβ, using the βcustomerName_0β parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
π@cveNotify
Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to β/crm/create_invoice_submit.phpβ, using the βcustomerName_0β parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in Energy CRM by Status Tracker
INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Energy CRM by
π¨ CVE-2025-52655
Inclusion of Functionality from Untrusted Control Sphere vulnerability in HCL MyXalytics. v6.6
allows Loading third-party scripts without integrity checks or validation can allow external code run in the application's context, risking data exposure.
π@cveNotify
Inclusion of Functionality from Untrusted Control Sphere vulnerability in HCL MyXalytics. v6.6
allows Loading third-party scripts without integrity checks or validation can allow external code run in the application's context, risking data exposure.
π@cveNotify
Hcl-Software
Security Bulletin: Multiple security vulnerabilities affect HCL MyXalytics. - Customer Support
HCL MyXalytics is affected by multiple security vulnerabilities.
β€1
π¨ CVE-2009-2620
src/remote/server.cpp in fbserver.exe in Firebird SQL 1.5 before 1.5.6, 2.0 before 2.0.6, 2.1 before 2.1.3, and 2.5 before 2.5 Beta 2 allows remote attackers to cause a denial of service (daemon crash) via a malformed op_connect_request message that triggers an infinite loop or NULL pointer dereference.
π@cveNotify
src/remote/server.cpp in fbserver.exe in Firebird SQL 1.5 before 1.5.6, 2.0 before 2.0.6, 2.1 before 2.1.3, and 2.5 before 2.5 Beta 2 allows remote attackers to cause a denial of service (daemon crash) via a malformed op_connect_request message that triggers an infinite loop or NULL pointer dereference.
π@cveNotify
GitHub
Possible DoS attack using the malformed packet sent into the connection port [CORE2563] Β· Issue #2973 Β· FirebirdSQL/firebird
Submitted by: @dyemanov It's possible to shutdown the server's main port (3050 by default) via sending a malformed packet of some special format, thus causing a DoS condition for new incomi...
π¨ CVE-2017-6369
Insufficient checks in the UDF subsystem in Firebird 2.5.x before 2.5.7 and 3.0.x before 3.0.2 allow remote authenticated users to execute code by using a 'system' entrypoint from fbudf.so.
π@cveNotify
Insufficient checks in the UDF subsystem in Firebird 2.5.x before 2.5.7 and 3.0.x before 3.0.2 allow remote authenticated users to execute code by using a 'system' entrypoint from fbudf.so.
π@cveNotify
GitHub
'Restrict UDF' is not effective, because fbudf.so is dynamically linked against libc [CORE5474] Β· Issue #5744 Β· FirebirdSQL/firebird
Submitted by: George Noseevich (webpentest) The default setting for UDF access when installing firebird 2.5.6 on linux is 'UdfAccess = Restrict UDF', which allows access to any symbols defi...
π¨ CVE-2025-25017
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
π@cveNotify
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
π@cveNotify
Discuss the Elastic Stack
Kibana 8.18.8, 8.19.4, 9.0.7, 9.1.4 Security Update (ESA-2025-16)
Kibana Cross-Site-Scripting (XSS) (ESA-2025-16) Improper Neutralization of Input During Web Page Generation in Vega visualizations in Kibana can lead to Cross-Site-Scripting (XSS) Affected Versions: 7.x: All versions from 7.0.0 and up to and includingβ¦