CVE Notify
Alert on the latest CVEs

Partner channel: @malwr
🚨 CVE-2022-49745
In the Linux kernel, the following vulnerability has been resolved:

fpga: m10bmc-sec: Fix probe rollback

Handle probe error rollbacks properly to avoid leaks.

🎖@cveNotify
🚨 CVE-2023-52996
In the Linux kernel, the following vulnerability has been resolved:

ipv4: prevent potential spectre v1 gadget in fib_metrics_match()

if (!type)
continue;
if (type > RTAX_MAX)
return false;
...
fi_val = fi->fib_metrics->metrics[type - 1];

@type being used as an array index, we need to prevent
cpu speculation or risk leaking kernel memory content.

🚨 CVE-2023-52997
In the Linux kernel, the following vulnerability has been resolved:

ipv4: prevent potential spectre v1 gadget in ip_metrics_convert()

if (!type)
continue;
if (type > RTAX_MAX)
return -EINVAL;
...
metrics[type - 1] = val;

@type being used as an array index, we need to prevent
cpu speculation or risk leaking kernel memory content.

🚨 CVE-2023-53000
In the Linux kernel, the following vulnerability has been resolved:

netlink: prevent potential spectre v1 gadgets

Most netlink attributes are parsed and validated from
__nla_validate_parse() or validate_nla()

u16 type = nla_type(nla);

if (type == 0 || type > maxtype) {
/* error or continue */
}

@type is then used as an array index and can be used
as a Spectre v1 gadget.

array_index_nospec() can be used to prevent leaking
content of kernel memory to malicious users.

This should take care of the vast majority of netlink uses,
but an audit is needed to take care of others where
validation is not yet centralized in core netlink functions.

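The three kernel fixes above (CVE-2023-52996, CVE-2023-52997, CVE-2023-53000) share one shape: a value from userspace is range-checked, then used as an array index, and the CPU may run the load before the check resolves. The following is an added example, not kernel code, that puts the fib_metrics "before" pattern beside a hardened version built on a userland copy of the kernel's generic array_index_mask_nospec(). RTAX_MAX is set to an assumed table size and the metrics table is constructed inline; the lookup helpers and demo_lookup() are this example's own names. Architecturally both lookups return the same values (which is what the assertions check); the mask only changes what the CPU can touch while speculating past the bounds check.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

#define RTAX_MAX 17   /* assumed table size; the kernel constant comes from <linux/rtnetlink.h> */
#define BITS_PER_LONG (8 * sizeof(unsigned long))

/*
 * Userland copy of the kernel's generic array_index_mask_nospec():
 * returns ~0UL when index < size and 0 otherwise, without a branch, so
 * there is nothing for the CPU to mispredict. Relies on an arithmetic
 * right shift of a negative long, as the kernel version does. The empty
 * asm plays the role of OPTIMIZER_HIDE_VAR(): the compiler must not fold
 * the mask away based on what it proved about index on the normal path.
 */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    __asm__ volatile("" : "+r"(index));
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* array_index_nospec(): clamp index into [0, size) even under speculation. */
static inline unsigned int array_index_nospec_u32(unsigned int index,
                                                  unsigned int size)
{
    return (unsigned int)(index & array_index_mask_nospec(index, size));
}

struct fib_metrics_demo {
    uint32_t metrics[RTAX_MAX];
};

/* "Before" shape from the advisory: range check, then index. If the branch
 * mispredicts, metrics[type - 1] is loaded speculatively for any 16-bit
 * @type and its cache footprint can be measured. */
static bool metric_lookup_gadget(const struct fib_metrics_demo *m,
                                 uint16_t type, uint32_t *out)
{
    if (!type || type > RTAX_MAX)
        return false;
    *out = m->metrics[type - 1];
    return true;
}

/* "After" shape: the zero-based index is masked after the check, so the
 * speculative load cannot leave the array. (The kernel patches mask @type
 * itself against RTAX_MAX + 1; masking the index is the same idea.) */
static bool metric_lookup_nospec(const struct fib_metrics_demo *m,
                                 uint16_t type, uint32_t *out)
{
    if (!type || type > RTAX_MAX)
        return false;
    unsigned int idx = array_index_nospec_u32((unsigned int)type - 1u, RTAX_MAX);
    *out = m->metrics[idx];
    return true;
}

/* Lookup against a constructed table where metrics[i] == 100 + i; returns
 * -1 for a rejected @type. Both lookups agree on the architectural path. */
int demo_lookup(uint16_t type)
{
    struct fib_metrics_demo m;
    for (unsigned int i = 0; i < RTAX_MAX; i++)
        m.metrics[i] = 100 + i;

    uint32_t a = 0, b = 0;
    bool ok_a = metric_lookup_gadget(&m, type, &a);
    bool ok_b = metric_lookup_nospec(&m, type, &b);
    if (ok_a != ok_b || (ok_a && a != b))
        return -2;   /* never taken: the mask is a no-op on the architectural path */
    return ok_b ? (int)b : -1;
}

int main(void)
{
    printf("mask(3, 8) = %#lx\n", array_index_mask_nospec(3, 8));
    printf("mask(8, 8) = %#lx\n", array_index_mask_nospec(8, 8));
    printf("type 17 -> %d, type 18 -> %d\n", demo_lookup(17), demo_lookup(18));
    return 0;
}
```

When auditing for this pattern, the thing to look for is any index derived from untrusted input that is compared against a bound and then used to address memory; the mask has to be applied after the comparison, on the same value that reaches the array access.
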
🚨 CVE-2023-53004
In the Linux kernel, the following vulnerability has been resolved:

ovl: fix tmpfile leak

Missed an error cleanup.

🚨 CVE-2025-59194
Use of uninitialized resource in Windows Kernel allows an authorized attacker to elevate privileges locally.

🚨 CVE-2025-59195
Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Graphics Component allows an authorized attacker to deny service locally.

🚨 CVE-2025-59196
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SSDP Service allows an authorized attacker to elevate privileges locally.

🚨 CVE-2025-59197
Insertion of sensitive information into log file in Windows ETL Channel allows an authorized attacker to disclose information locally.

🚨 CVE-2025-59198
Improper input validation in Microsoft Windows Search Component allows an authorized attacker to deny service locally.

🚨 CVE-2025-59199
Improper access control in Software Protection Platform (SPP) allows an authorized attacker to elevate privileges locally.

🚨 CVE-2025-59250
Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.

🚨 CVE-2025-10869
Stored Cross-site Scripting (XSS) in Oct8ne Chatbot v2.3. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the creation of a transcript that is sent by email. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through /Data/SaveInteractions.

🚨 CVE-2025-62490
In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during js_print_value, during which the array could get resized and len1 become out of bounds. This results in a use-after-free.

A second instance occurs in the same function during printing of a map or set objects. The code iterates over ms->records list, but once again, elements could be removed from the list during js_print_value call.

🚨 CVE-2025-62491
A Use-After-Free (UAF) vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises (ts->rejected_promise_list).

* The function js_std_promise_rejection_check attempts to iterate over the rejected_promise_list to report unhandled rejections using a standard list loop.
* The reason for a promise rejection is processed inside the loop, including calling js_std_dump_error1(ctx, rp->reason).
* If the promise rejection reason is an Error object that defines a custom property getter (e.g., via Object.defineProperty), this getter is executed during the error dumping process.
* The malicious custom getter can execute JavaScript code that calls catch() on the same rejected promise being processed.
* Calling catch() internally triggers js_std_promise_rejection_tracker, which then removes and frees the current promise entry (JSRejectedPromiseEntry) from the rejected_promise_list.
* Since the list iteration continues using the now-freed memory pointer (el), the subsequent loop access results in a Use-After-Free condition.

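Both QuickJS reports (CVE-2025-62490 and CVE-2025-62491) are the same hazard: a loop caches a bound or a node pointer, then calls back into script that is free to shrink the array or unlink and free the current list entry. The example below is added here and is not QuickJS code; it models the array case with a toy heap-backed array and a per-element hook that stands in for the attacker's toString/getter. The "cached length" loop is the vulnerable shape from the advisory; the "live length" loop re-reads the bound after every callback, which is one hardened form (not necessarily the project's patch). The stale indexes that the vulnerable loop would dereference are counted rather than read so the program stays well-defined; demo_array, demo_print() and the hook are this example's own names.

```c
#include <stdio.h>
#include <stdlib.h>

struct demo_array;
typedef void (*print_hook)(struct demo_array *a, size_t i);

/* Toy stand-in for a JS array: a heap buffer plus a per-element hook that
 * models the attacker-defined callback run by js_print_value(). */
struct demo_array {
    size_t len;
    int *vals;
    print_hook on_print;
};

struct print_result {
    int printed;        /* elements actually printed */
    int out_of_range;   /* indexes that pointed past the live buffer */
};

static void array_set_len(struct demo_array *a, size_t new_len)
{
    int *p = realloc(a->vals, new_len * sizeof *a->vals);  /* buffer may move or shrink */
    if (!p)
        abort();
    a->vals = p;
    a->len = new_len;
}

/* Attacker hook: truncate the array to 2 elements while element 1 prints. */
static void shrink_on_print(struct demo_array *a, size_t i)
{
    if (i == 1)
        array_set_len(a, 2);
}

/* Vulnerable shape: len1 is read once and the hook may shrink the buffer,
 * so i..len1-1 become stale indexes into freed or reallocated memory. */
static struct print_result print_cached_len(struct demo_array *a)
{
    struct print_result r = {0, 0};
    size_t len1 = a->len;
    for (size_t i = 0; i < len1; i++) {
        if (i >= a->len) {          /* a real engine would read here: UAF */
            r.out_of_range++;
            continue;
        }
        printf("%d ", a->vals[i]);
        r.printed++;
        a->on_print(a, i);          /* side effects happen here */
    }
    printf("\n");
    return r;
}

/* Hardened shape: the bound is re-read from the object after every hook
 * call, so the loop observes the shrink and stops. */
static struct print_result print_live_len(struct demo_array *a)
{
    struct print_result r = {0, 0};
    for (size_t i = 0; i < a->len; i++) {
        printf("%d ", a->vals[i]);
        r.printed++;
        a->on_print(a, i);
    }
    printf("\n");
    return r;
}

/* Build an 8-element array (constructed input) and print it with either loop. */
struct print_result demo_print(int hardened)
{
    struct demo_array a = { .len = 0, .vals = NULL, .on_print = shrink_on_print };
    array_set_len(&a, 8);
    for (size_t i = 0; i < a.len; i++)
        a.vals[i] = (int)i;

    struct print_result r = hardened ? print_live_len(&a) : print_cached_len(&a);
    free(a.vals);
    return r;
}

int main(void)
{
    struct print_result v = demo_print(0), h = demo_print(1);
    printf("cached len: printed %d, stale indexes %d\n", v.printed, v.out_of_range);
    printf("live len:   printed %d, stale indexes %d\n", h.printed, h.out_of_range);
    return 0;
}
```

The list variant from the promise-rejection report needs the same discipline: a node pointer held across a call into script is only valid if the callback cannot unlink and free it, so either the entry must be pinned (a reference held for the duration of the call) or the next pointer must be re-fetched from the live list after the call rather than before it.
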
🚨 CVE-2025-62710
Sakai is a Collaboration and Learning Environment. Prior to versions 23.5 and 25.0, EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java.util.Random. java.util.Random is a non-cryptographic PRNG and can be predicted from limited state/seed information (e.g., start time window), substantially reducing the effective search space of the generated key. An attacker who can obtain ciphertexts (e.g., exported or at-rest strings protected by this service) and approximate the PRNG seed can feasibly reconstruct the serverSecretKey and decrypt affected data. SAK-49866 is patched in Sakai 23.5, 25.0, and trunk.

🚨 CVE-2025-41073
Path Traversal vulnerability in version 4.4.2236.1 of TESI Gandia Integra Total. This issue allows an authenticated attacker to download a ZIP file containing files from the server, including those located in parent directories (e.g., ..\..\..), by exploiting the "direstudio" parameter in "/encuestas/integraweb[_v4]/integra/html/view/comprimir.php".

🚨 CVE-2023-41265
An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

🚨 CVE-2025-1731
An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid.

🚨 CVE-2025-1732
An improper privilege management vulnerability in the recovery function of the Zyxel USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device.
