Overview: CVE-2025-66372 describes an XML External Entity (XXE) vulnerability found in Mustang versions prior to 2.16.3. This vulnerability allows a malicious actor to potentially exfiltrate files from the system where the Mustang application is running by crafting a specially designed XML payload. While rated as a low severity issue, understanding and mitigating this risk is crucial for maintaining a secure environment.

Technical Details: XXE vulnerabilities occur when an XML parser processes external entities in a DTD (Document Type Definition) without proper sanitization or input validation. In the case of Mustang, a vulnerable XML parsing routine allows an attacker to define…
-
Overview: CVE-2025-66371 identifies an XML External Entity (XXE) vulnerability present in Peppol-py versions prior to 1.1.1. This flaw allows attackers to potentially read arbitrary files from the server’s file system during XML invoice validation, potentially exposing sensitive data. This vulnerability arises from insecure configuration of the Saxon XML parser within Peppol-py.

Technical Details: The vulnerability stems from the Saxon XML parser’s configuration within Peppol-py. Specifically, the parser wasn’t properly configured to prevent external entity resolution. This means that when processing XML-based invoices, the parser could be tricked into resolving external entities defined within the XML document. An attacker could craft…
-
Overview: CVE-2025-66370 identifies an XML External Entity (XXE) injection vulnerability in Kivitendo ERP versions prior to 3.9.2. This flaw allows a remote attacker to potentially read sensitive files from the server’s file system by exploiting the processing of electronic invoices in the ZUGFeRD format. By uploading a crafted, malicious ZUGFeRD invoice, an attacker can inject arbitrary XML entities that instruct the server to access and disclose local files.

Technical Details: The vulnerability stems from insufficient sanitization of XML input when processing ZUGFeRD invoices. ZUGFeRD is a standard format for electronic invoices in Germany that leverages XML for data representation. The…
-
Overview: CVE-2025-64312 is a medium severity permission control vulnerability discovered in the file management module of an unspecified system. Successful exploitation of this vulnerability could lead to a breach of service confidentiality. This article provides a detailed analysis of the vulnerability, its potential impact, and recommended mitigation strategies.

Technical Details: The vulnerability lies in the insufficient permission checks within the file management module. An attacker could potentially manipulate file access controls to gain unauthorized access to sensitive files or directories. The specific attack vector and affected component details are currently limited but available from the reference link below.

CVSS Analysis…
-
Overview: CVE-2025-58311 is a Medium severity Use-After-Free (UAF) vulnerability affecting the USB driver module. This flaw, reported on 2025-11-28, can be exploited to compromise both the availability and confidentiality of affected systems. The vulnerability stems from improper memory management within the USB driver, leading to a situation where a program attempts to access memory after it has been freed.

Technical Details: The root cause of CVE-2025-58311 lies in a race condition or improper synchronization within the USB driver’s memory management routines. Specifically, a USB device disconnection or error handling routine might prematurely free a memory buffer while another part of…
-
Overview: CVE-2025-58308 is a high-severity vulnerability discovered in the call module of certain Huawei products. This vulnerability stems from an improper criterion security check during the processing of call-related operations. Successful exploitation of this flaw can lead to unpredictable and abnormal behavior of features dependent on the affected call module.

Technical Details: The core issue lies within insufficient validation during the security checks within the call module. The specific details regarding the impacted Huawei products and the exploitable function calls are outlined in Huawei’s security bulletin. The lack of proper validation allows attackers to bypass intended security measures, leading to…
-
Overview: CVE-2025-58305 is a medium severity vulnerability affecting the Gallery application. This vulnerability allows for an identity authentication bypass, potentially compromising the confidentiality of user data and services.

Technical Details: The specifics of the authentication bypass mechanism are detailed in the vendor’s advisory (see references). However, the core issue stems from a flaw in how the Gallery app verifies user identity before granting access to sensitive functions or data. An attacker could potentially exploit this vulnerability to gain unauthorized access without providing valid credentials.

CVSS Analysis: The vulnerability has been assigned a CVSS score of 6.2 (Medium). This score reflects…
-
Overview: CVE-2025-58304 describes a permission control vulnerability identified in the file management module of a specific product. Successful exploitation of this vulnerability could potentially lead to unauthorized access and affect the confidentiality of service data. This write-up provides a detailed analysis of the vulnerability, its impact, and suggested mitigation strategies.

Technical Details: The vulnerability stems from inadequate permission checks within the file management module. Specifically, under certain conditions, a user with limited privileges can potentially perform actions that should be restricted to users with higher privileges. This might involve accessing, modifying, or deleting files or directories they are not authorized…
-
Overview: CVE-2025-58302 is a high-severity permission control vulnerability discovered in the Settings module of certain Huawei devices. This vulnerability, published on 2025-11-28, could allow an attacker to bypass intended permission restrictions, potentially leading to unauthorized access and a compromise of service confidentiality.

Technical Details: The vulnerability stems from inadequate permission validation within the Settings module. An attacker could potentially exploit this flaw to modify sensitive system settings or access information that should be restricted to authorized users. The specific attack vector and impacted devices are detailed in the official Huawei security bulletin. Further reverse engineering and analysis are needed to…
-
Overview: CVE-2025-13737 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Nextend Social Login and Register plugin for WordPress. This vulnerability affects all versions up to, and including, version 3.1.21. It allows an unauthenticated attacker to potentially unlink a user’s social login from their WordPress account if they can trick a site administrator into clicking a malicious link or performing other actions that trigger a forged request.

Technical Details: The vulnerability stems from missing or insufficient nonce validation in the unlinkUser function within the Nextend Social Login plugin. A nonce (Number used Once) is a security token used to…