CVE-2025-66384
app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name. More information : https://github.com/MISP/MISP/compare/v2.5.23…v2.5.24
Tagged: Cybersecurity Alert
CVE-2025-66385
UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields...
CVE-2025-66386
app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin. More information : https://github.com/MISP/MISP/commit/7f4a0386d38672eddc139f5735d71c3b749623ce
CVE-2025-66382
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. More information : https://github.com/libexpat/libexpat/issues/1076
CVE-2025-66370
Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server’s filesystem. More information : https://blog.kivitendo.de/?p=1415
CVE-2025-66371
Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host. More information...
CVE-2025-66372
Mustang before 2.16.3 allows exfiltrating files via XXE attacks. More information : https://github.com/ZUGFeRD/mustangproject/issues/685
CVE-2025-58308
Vulnerability of improper criterion security check in the call module. Impact: Successful exploitation of this vulnerability may cause features to perform abnormally. More information : https://consumer.huawei.com/en/support/bulletin/2025/11/
CVE-2025-58311
UAF vulnerability in the USB driver module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. More information : https://consumer.huawei.com/en/support/bulletin/2025/11/
CVE-2025-64312
Permission control vulnerability in the file management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. More information : https://consumer.huawei.com/en/support/bulletin/2025/11/
CVE-2025-13737
The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validation on the...
CVE-2025-58302
Permission control vulnerability in the Settings module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. More information : https://consumer.huawei.com/en/support/bulletin/2025/11/
CVE-2025-58304
Permission control vulnerability in the file management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. More information : https://consumer.huawei.com/en/support/bulletin/2025/11/
CVE-2025-58305
Identity authentication bypass vulnerability in the Gallery app. Impact: Successful exploitation of this vulnerability may affect service confidentiality. More information : https://consumer.huawei.com/en/support/bulletin/2025/11/