π¨ CVE-2025-25017
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
π@cveNotify
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
π@cveNotify
Discuss the Elastic Stack
Kibana 8.18.8, 8.19.4, 9.0.7, 9.1.4 Security Update (ESA-2025-16)
Kibana Cross-Site-Scripting (XSS) (ESA-2025-16) Improper Neutralization of Input During Web Page Generation in Vega visualizations in Kibana can lead to Cross-Site-Scripting (XSS) Affected Versions: 7.x: All versions from 7.0.0 and up to and includingβ¦
π¨ CVE-2025-25018
Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
π@cveNotify
Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
π@cveNotify
π¨ CVE-2025-30001
Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
π@cveNotify
Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
π@cveNotify
π¨ CVE-2025-37727
Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex
π@cveNotify
Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex
π@cveNotify
Discuss the Elastic Stack
Elasticsearch 8.18.8, 8.19.5, 9.0.8, 9.1.5 Security Update (ESA-2025-18)
Elasticsearch Insertion of sensitive information in log file (ESA-2025-18) Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API Affectedβ¦
π¨ CVE-2025-41088
Stored Cross-Site Scripting (XSS) in Xibo Signage's Xibo CMS v4.1.2, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add a text element in the 'Global Elements' section, and finally modify the 'Text' field in the section with the malicious payload.
π@cveNotify
Stored Cross-Site Scripting (XSS) in Xibo Signage's Xibo CMS v4.1.2, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add a text element in the 'Global Elements' section, and finally modify the 'Text' field in the section with the malicious payload.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in Xibo CMS
INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Xibo CMS from
π¨ CVE-2025-41089
Reflected Cross-Site Scripting (XSS) in Xibo CMS v4.1.2 from Xibo Signage, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add an element that has the 'Configuration Name' field, such as the 'Clock' widget. Next, modify the 'Configuration Name' field in the left-hand section.
π@cveNotify
Reflected Cross-Site Scripting (XSS) in Xibo CMS v4.1.2 from Xibo Signage, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add an element that has the 'Configuration Name' field, such as the 'Clock' widget. Next, modify the 'Configuration Name' field in the left-hand section.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in Xibo CMS
INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Xibo CMS from
π¨ CVE-2025-52630
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION.This issue affects AION: 2.0.
π@cveNotify
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION.This issue affects AION: 2.0.
π@cveNotify
π¨ CVE-2025-52632
A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.
π@cveNotify
A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.
π@cveNotify
π¨ CVE-2025-52634
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION This issue affects HCL AION: 2.0.
π@cveNotify
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION This issue affects HCL AION: 2.0.
π@cveNotify
π¨ CVE-2025-52650
Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0
π@cveNotify
Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0
π@cveNotify
π¨ CVE-2025-11188
The Kiwire Captive Portal contains a blind SQL injection in the nas-id parameter, allowing for SQL commands to be issued and to compromise the corresponding database.
π@cveNotify
The Kiwire Captive Portal contains a blind SQL injection in the nas-id parameter, allowing for SQL commands to be issued and to compromise the corresponding database.
π@cveNotify
Synchrowebtechnology
Wi-Fi Solution Technology Leader
Wi-Fi and wireless network solutions provider based in Malaysia. With up to 21 years of experience, our services have helped customers around the world with cost-effective products, a professional approach, and reliable support.
π¨ CVE-2025-11189
The Kiwire Captive Portal contains a reflected cross-site scripting (XSS) vulnerability within the login-url parameter, allowing for Javascript execution.
π@cveNotify
The Kiwire Captive Portal contains a reflected cross-site scripting (XSS) vulnerability within the login-url parameter, allowing for Javascript execution.
π@cveNotify
Synchrowebtechnology
Wi-Fi Solution Technology Leader
Wi-Fi and wireless network solutions provider based in Malaysia. With up to 21 years of experience, our services have helped customers around the world with cost-effective products, a professional approach, and reliable support.
π¨ CVE-2025-11190
The Kiwire Captive Portal contains an open redirection issue via the login-url parameter, allowing an attacker to redirect users to an attacker controlled website.
π@cveNotify
The Kiwire Captive Portal contains an open redirection issue via the login-url parameter, allowing an attacker to redirect users to an attacker controlled website.
π@cveNotify
Synchrowebtechnology
Wi-Fi Solution Technology Leader
Wi-Fi and wireless network solutions provider based in Malaysia. With up to 21 years of experience, our services have helped customers around the world with cost-effective products, a professional approach, and reliable support.
π¨ CVE-2025-52624
A vulnerability Bypass of the script allowlist configuration in HCL AION.
An incorrectly configured Content-Security-Policy header may allow unauthorized scripts to execute, increasing the risk of cross-site scripting and other injection-based attacks.This issue affects AION: 2.0.
π@cveNotify
A vulnerability Bypass of the script allowlist configuration in HCL AION.
An incorrectly configured Content-Security-Policy header may allow unauthorized scripts to execute, increasing the risk of cross-site scripting and other injection-based attacks.This issue affects AION: 2.0.
π@cveNotify
π¨ CVE-2025-52625
A vulnerability
Cacheable SSL Page Found vulnerability has been identified
in HCL AION.
Cached data may expose credentials, system identifiers, or internal file paths to attackers with access to the device or browser
This issue affects AION: 2.0.
π@cveNotify
A vulnerability
Cacheable SSL Page Found vulnerability has been identified
in HCL AION.
Cached data may expose credentials, system identifiers, or internal file paths to attackers with access to the device or browser
This issue affects AION: 2.0.
π@cveNotify
π¨ CVE-2025-52635
A
rusted types in scripts not enforced in CSP vulnerability has been identified
in HCL AION.This issue affects AION: 2.0.
π@cveNotify
A
rusted types in scripts not enforced in CSP vulnerability has been identified
in HCL AION.This issue affects AION: 2.0.
π@cveNotify
π¨ CVE-2025-40627
Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through "/eyes?
[XSS_PAYLOAD]".
π@cveNotify
Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through "/eyes?
[XSS_PAYLOAD]".
π@cveNotify
www.incibe.es
Reflected Cross-Site Scripting (XSS) in AbanteCart
INCIBE has coordinated the publication of 2 medium severity vulnerabilities affecting AbanteCart, an e
π¨ CVE-2025-62237
Stored cross-site scripting (XSS) vulnerability in Commerceβs view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Accountβs βNameβ text field.
π@cveNotify
Stored cross-site scripting (XSS) vulnerability in Commerceβs view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Accountβs βNameβ text field.
π@cveNotify
π¨ CVE-2025-62238
Stored cross-site scripting (XSS) vulnerability on the Membership page in Account Settings in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload injected into a Account's βNameβ text field.
π@cveNotify
Stored cross-site scripting (XSS) vulnerability on the Membership page in Account Settings in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload injected into a Account's βNameβ text field.
π@cveNotify
π¨ CVE-2025-62239
Cross-site scripting (XSS) vulnerability in workflow process builder in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via the crafted input in a workflow definition.
π@cveNotify
Cross-site scripting (XSS) vulnerability in workflow process builder in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via the crafted input in a workflow definition.
π@cveNotify
π¨ CVE-2024-43831
In the Linux kernel, the following vulnerability has been resolved:
media: mediatek: vcodec: Handle invalid decoder vsi
Handle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi
is valid for future use.
π@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
media: mediatek: vcodec: Handle invalid decoder vsi
Handle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi
is valid for future use.
π@cveNotify