Overview

CVE-2025-63952 details a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Magewell Pro Convert device, specifically affecting version 1.2.213. This vulnerability resides in the /mwapi?method=add-user component and allows a remote attacker to arbitrarily create user accounts on the device. Due to the lack of proper CSRF protection, a malicious actor can craft a GET request that, when triggered by an authenticated user, will create a new account without the user’s knowledge or consent.

Technical Details

The vulnerability stems from the absence of CSRF tokens or other sufficient protections on the /mwapi?method=add-user endpoint. An attacker can craft a malicious HTML…
-
Overview

CVE-2025-63435 identifies a critical security vulnerability in the Xtooltech Xtool AnyScan Android Application version 4.40.40. The vulnerability stems from a missing authentication mechanism for the server-side endpoint responsible for delivering application update packages. This lack of authentication allows any unauthenticated remote attacker to download official update packages for the application. This poses a significant security risk as it could be leveraged to deliver malicious updates to unsuspecting users.

Technical Details

The Xtool AnyScan application, used for vehicle diagnostics and related functions, retrieves updates from a server-side endpoint. Due to the absence of authentication requirements on this endpoint, anyone can…
-
Overview

A severe vulnerability, identified as CVE-2025-63434, has been discovered in the Xtooltech Xtool AnyScan Android Application, versions 4.40.40 and prior. This vulnerability stems from an insecure update mechanism that allows attackers to potentially execute arbitrary code on affected devices. The application fails to properly validate the integrity and authenticity of update packages, making it susceptible to malicious updates.

Technical Details

The Xtool AnyScan application’s update process lacks crucial security measures. Specifically, it downloads and extracts update packages containing executable code without performing cryptographic integrity checks, such as verifying a digital signature. This absence of verification allows a malicious actor…
-
Overview

CVE-2025-63433 identifies a critical security vulnerability affecting the Xtooltech Xtool AnyScan Android Application, specifically versions 4.40.40 and prior. This flaw stems from the use of a hardcoded cryptographic key and Initialization Vector (IV) for decrypting update metadata. This practice introduces a significant risk, allowing attackers to potentially inject malicious code into the update process, potentially compromising connected vehicles.

Technical Details

The Xtool AnyScan application utilizes a hardcoded key and IV to decrypt the update manifest, which dictates the source and integrity of application updates. The key is embedded directly within the application’s code as a static value. This means…
-
Overview

CVE-2025-63432 identifies a critical security vulnerability affecting the Xtooltech Xtool AnyScan Android Application version 4.40.40 and prior. This flaw stems from a failure to properly validate the TLS certificate from the application’s update server. This lack of validation creates a significant risk, allowing attackers on the same network to conduct Man-in-the-Middle (MITM) attacks. Successfully exploiting this vulnerability can enable attackers to intercept, decrypt, and modify traffic between the app and the update server, potentially leading to Remote Code Execution (RCE) on the affected device.

Technical Details

The core issue lies in the Xtool AnyScan application’s inability to adequately verify…
-
Overview

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Openatlas, an open-source platform widely used in archaeological research. This vulnerability, tracked as CVE-2025-60917, affects versions prior to v8.12.0. It allows attackers to inject malicious scripts into the user’s browser through a crafted URL, potentially leading to unauthorized access or data compromise. Specifically, the vulnerability resides in the /overview/network/ endpoint.

Technical Details

The vulnerability is a reflected XSS, meaning the malicious script is embedded in a request to the server and reflected back to the user’s browser without proper sanitization. In this case, the color parameter within the /overview/network/…
-
Overview

CVE-2025-60916 is a medium-severity reflected Cross-Site Scripting (XSS) vulnerability affecting Openatlas, an open-source platform used in archaeological research. Specifically, versions prior to v8.12.0 are susceptible. This vulnerability allows a remote attacker to inject arbitrary JavaScript code into a user’s browser session, potentially leading to data theft, session hijacking, or defacement of the application.

Technical Details

The vulnerability exists in the /overview/network/ endpoint of Openatlas. By crafting a malicious payload and injecting it into the charge parameter of the URL, an attacker can trigger the execution of arbitrary JavaScript code when a user clicks on the crafted link. Because the…
-
Overview

CVE-2025-60915 describes a path traversal vulnerability found in Austrian Archaeological Institute Openatlas before version 8.12.0. Specifically, the vulnerability exists within the size query parameter of the /views/file.py script. This flaw allows attackers to potentially access sensitive files and directories on the server by crafting malicious requests. This vulnerability was published on 2025-11-24T16:15:50.727.

Technical Details

The vulnerability resides in how the /views/file.py script handles the size query parameter. Insufficient sanitization of this parameter allows an attacker to inject directory traversal sequences (e.g., ../) into the file path being constructed. By manipulating the size parameter, an attacker can potentially navigate outside…
-
Overview

CVE-2025-60914 describes an incorrect access control vulnerability affecting Openatlas, a web-based application used by the Austrian Archaeological Institute and others. Specifically, versions prior to v8.12.0 are susceptible to unauthorized access of sensitive information via a crafted GET request sent to the /display_logo endpoint. This allows attackers to potentially retrieve the logo without proper authentication, which in some configurations could lead to the leakage of sensitive organizational information or internal identifiers.

Technical Details

The vulnerability lies in the inadequate access control mechanisms protecting the /display_logo endpoint. A malicious actor can craft a GET request directly to this endpoint, bypassing intended…
-
Overview

A denial-of-service (DoS) vulnerability, identified as CVE-2025-60638, has been discovered in Free5GC versions 4.0.0 and 4.0.1. This vulnerability allows a remote attacker to potentially disrupt the availability of the Free5GC service by sending a specially crafted POST request to the Nnssf_NSSAIAvailability API.

Technical Details

The vulnerability resides in the handling of incoming POST requests to the Nnssf_NSSAIAvailability API endpoint. A maliciously crafted POST request can trigger a resource exhaustion or an unhandled exception within the Free5GC application, ultimately leading to a denial of service. The exact nature of the crafted request, while not detailed here, is available in the…