π¨ CVE-2025-21057
Use of implicit intent for sensitive communication in Samsung Notes prior to version 4.4.30.63 allows local attackers to access shared notes.
π@cveNotify
Use of implicit intent for sensitive communication in Samsung Notes prior to version 4.4.30.63 allows local attackers to access shared notes.
π@cveNotify
π¨ CVE-2025-21058
Improper access control in Routines prior to version 4.8.7.1 in Android 15 and 4.9.6.0 in Android 16 allows local attackers to potentially execute arbitrary code with SystemUI privilege.
π@cveNotify
Improper access control in Routines prior to version 4.8.7.1 in Android 15 and 4.9.6.0 in Android 16 allows local attackers to potentially execute arbitrary code with SystemUI privilege.
π@cveNotify
π¨ CVE-2025-21059
Improper authorization in Samsung Health prior to version 6.30.5.105 allows local attackers to access data in Samsung Health.
π@cveNotify
Improper authorization in Samsung Health prior to version 6.30.5.105 allows local attackers to access data in Samsung Health.
π@cveNotify
π¨ CVE-2025-21060
Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access backup data from applications. User interaction is required for triggering this vulnerability.
π@cveNotify
Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access backup data from applications. User interaction is required for triggering this vulnerability.
π@cveNotify
π¨ CVE-2025-21061
Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access sensitive data. User interaction is required for triggering this vulnerability.
π@cveNotify
Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access sensitive data. User interaction is required for triggering this vulnerability.
π@cveNotify
π¨ CVE-2025-21062
Use of a broken or risky cryptographic algorithm in Smart Switch prior to version 3.7.67.2 allows local attackers to replace the restoring application. User interaction is required for triggering this vulnerability.
π@cveNotify
Use of a broken or risky cryptographic algorithm in Smart Switch prior to version 3.7.67.2 allows local attackers to replace the restoring application. User interaction is required for triggering this vulnerability.
π@cveNotify
π¨ CVE-2025-21063
Improper access control in Samsung Voice Recorder prior to version 21.5.73.12 in Android 15 and 21.5.81.40 in Android 16 allows physical attackers to access recording files on the lock screen.
π@cveNotify
Improper access control in Samsung Voice Recorder prior to version 21.5.73.12 in Android 15 and 21.5.81.40 in Android 16 allows physical attackers to access recording files on the lock screen.
π@cveNotify
π¨ CVE-2025-40646
Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to β/crm/create_job_submit.phpβ, using the βJobCreatedByβ parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
π@cveNotify
Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to β/crm/create_job_submit.phpβ, using the βJobCreatedByβ parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in Energy CRM by Status Tracker
INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Energy CRM by
π¨ CVE-2025-40640
Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to β/crm/create_invoice_submit.phpβ, using the βcustomerName_0β parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
π@cveNotify
Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to β/crm/create_invoice_submit.phpβ, using the βcustomerName_0β parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in Energy CRM by Status Tracker
INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Energy CRM by
π¨ CVE-2025-52655
Inclusion of Functionality from Untrusted Control Sphere vulnerability in HCL MyXalytics. v6.6
allows Loading third-party scripts without integrity checks or validation can allow external code run in the application's context, risking data exposure.
π@cveNotify
Inclusion of Functionality from Untrusted Control Sphere vulnerability in HCL MyXalytics. v6.6
allows Loading third-party scripts without integrity checks or validation can allow external code run in the application's context, risking data exposure.
π@cveNotify
Hcl-Software
Security Bulletin: Multiple security vulnerabilities affect HCL MyXalytics. - Customer Support
HCL MyXalytics is affected by multiple security vulnerabilities.
β€1
π¨ CVE-2009-2620
src/remote/server.cpp in fbserver.exe in Firebird SQL 1.5 before 1.5.6, 2.0 before 2.0.6, 2.1 before 2.1.3, and 2.5 before 2.5 Beta 2 allows remote attackers to cause a denial of service (daemon crash) via a malformed op_connect_request message that triggers an infinite loop or NULL pointer dereference.
π@cveNotify
src/remote/server.cpp in fbserver.exe in Firebird SQL 1.5 before 1.5.6, 2.0 before 2.0.6, 2.1 before 2.1.3, and 2.5 before 2.5 Beta 2 allows remote attackers to cause a denial of service (daemon crash) via a malformed op_connect_request message that triggers an infinite loop or NULL pointer dereference.
π@cveNotify
GitHub
Possible DoS attack using the malformed packet sent into the connection port [CORE2563] Β· Issue #2973 Β· FirebirdSQL/firebird
Submitted by: @dyemanov It's possible to shutdown the server's main port (3050 by default) via sending a malformed packet of some special format, thus causing a DoS condition for new incomi...
π¨ CVE-2017-6369
Insufficient checks in the UDF subsystem in Firebird 2.5.x before 2.5.7 and 3.0.x before 3.0.2 allow remote authenticated users to execute code by using a 'system' entrypoint from fbudf.so.
π@cveNotify
Insufficient checks in the UDF subsystem in Firebird 2.5.x before 2.5.7 and 3.0.x before 3.0.2 allow remote authenticated users to execute code by using a 'system' entrypoint from fbudf.so.
π@cveNotify
GitHub
'Restrict UDF' is not effective, because fbudf.so is dynamically linked against libc [CORE5474] Β· Issue #5744 Β· FirebirdSQL/firebird
Submitted by: George Noseevich (webpentest) The default setting for UDF access when installing firebird 2.5.6 on linux is 'UdfAccess = Restrict UDF', which allows access to any symbols defi...
π¨ CVE-2025-25017
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
π@cveNotify
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
π@cveNotify
Discuss the Elastic Stack
Kibana 8.18.8, 8.19.4, 9.0.7, 9.1.4 Security Update (ESA-2025-16)
Kibana Cross-Site-Scripting (XSS) (ESA-2025-16) Improper Neutralization of Input During Web Page Generation in Vega visualizations in Kibana can lead to Cross-Site-Scripting (XSS) Affected Versions: 7.x: All versions from 7.0.0 and up to and includingβ¦
π¨ CVE-2025-25018
Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
π@cveNotify
Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
π@cveNotify
π¨ CVE-2025-30001
Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
π@cveNotify
Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
π@cveNotify
π¨ CVE-2025-37727
Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex
π@cveNotify
Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex
π@cveNotify
Discuss the Elastic Stack
Elasticsearch 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-18)
Elasticsearch Insertion of sensitive information in log file (ESA-2025-18) Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API Affectedβ¦
π¨ CVE-2025-41088
Stored Cross-Site Scripting (XSS) in Xibo Signage's Xibo CMS v4.1.2, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add a text element in the 'Global Elements' section, and finally modify the 'Text' field in the section with the malicious payload.
π@cveNotify
Stored Cross-Site Scripting (XSS) in Xibo Signage's Xibo CMS v4.1.2, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add a text element in the 'Global Elements' section, and finally modify the 'Text' field in the section with the malicious payload.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in Xibo CMS
INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Xibo CMS from
π¨ CVE-2025-41089
Reflected Cross-Site Scripting (XSS) in Xibo CMS v4.1.2 from Xibo Signage, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add an element that has the 'Configuration Name' field, such as the 'Clock' widget. Next, modify the 'Configuration Name' field in the left-hand section.
π@cveNotify
Reflected Cross-Site Scripting (XSS) in Xibo CMS v4.1.2 from Xibo Signage, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add an element that has the 'Configuration Name' field, such as the 'Clock' widget. Next, modify the 'Configuration Name' field in the left-hand section.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in Xibo CMS
INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Xibo CMS from
π¨ CVE-2025-52630
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION.This issue affects AION: 2.0.
π@cveNotify
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION.This issue affects AION: 2.0.
π@cveNotify
π¨ CVE-2025-52632
A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.
π@cveNotify
A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.
π@cveNotify
π¨ CVE-2025-52634
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION This issue affects HCL AION: 2.0.
π@cveNotify
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION This issue affects HCL AION: 2.0.
π@cveNotify