CVE-2014-2025
published 2020-01-31CVE-2014-2025: Unrestricted file upload vulnerability in an unspecified third party tool in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before…
PriorityP259critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
3.97%
89.2th percentile
Unrestricted file upload vulnerability in an unspecified third party tool in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unknown vectors.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 3.18.0 < 5.10.248 | 5.10.248 |
| linux | linux_kernel | >= 5.11.0 < 5.15.198 | 5.15.198 |
| linux | linux_kernel | >= 5.16.0 < 6.1.160 | 6.1.160 |
| linux | linux_kernel | >= 6.13.0 < 6.18.4 | 6.18.4 |
| linux | linux_kernel | >= 6.2.0 < 6.6.120 | 6.6.120 |
| linux | linux_kernel | >= 6.7.0 < 6.12.64 | 6.12.64 |
| msrc | cbl2_python-lxml_4.8.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_python-lxml_4.6.3-1_on_cbl_mariner_1.0 | — | — |
| unitedplanet | intrexx | — | — |
| unitedplanet | intrexx | — | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv7.1HIGH
vendor_redhat7.8HIGH
vendor_msrc6.1MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
e1000: fix OOB in e1000_tbi_should_accept()
osv·2026-01-13·CVSS 7.1
CVE-2025-71093 e1000: fix OOB in e1000_tbi_should_accept()
e1000: fix OOB in e1000_tbi_should_accept()
In the Linux kernel, the following vulnerability has been resolved:
e1000: fix OOB in e1000_tbi_should_accept()
In e1000_tbi_should_accept() we read the last byte of the frame via
'data[length - 1]' to evaluate the TBI workaround. If the descriptor-
reported length is zero or larger than the actual RX buffer size, this
read goes out of bounds and can hit unrelated slab objects. The issue
is observed from the NAPI receive path (e1000_clean_rx_irq):
BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790
Read of size 1 at addr ffff888014114e54 by task sshd/363
CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Ca
GHSA
GHSA-4rc2-384v-9w8v: Unrestricted file upload vulnerability in an unspecified third party tool in United Planet Intrexx Professional before 5
ghsa_unreviewed·2022-05-17
CVE-2014-2025 [HIGH] GHSA-4rc2-384v-9w8v: Unrestricted file upload vulnerability in an unspecified third party tool in United Planet Intrexx Professional before 5
Unrestricted file upload vulnerability in an unspecified third party tool in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unknown vectors.
Red Hat
kernel: iommu/vt-d: debugfs: Fix legacy mode page table dump logic
vendor_redhat·2025-11-12·CVSS 5.5
CVE-2025-40155 [MEDIUM] CWE-704 kernel: iommu/vt-d: debugfs: Fix legacy mode page table dump logic
kernel: iommu/vt-d: debugfs: Fix legacy mode page table dump logic
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: debugfs: Fix legacy mode page table dump logic
In legacy mode, SSPTPTR is ignored if TT is not 00b or 01b. SSPTPTR
maybe uninitialized or zero in that case and may cause oops like:
Oops: general protection fault, probably for non-canonical address
0xf00087d3f000f000: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 786 Comm: cat Not tainted 6.16.0 #191 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014
RIP: 0010:pgtable_walk_level+0x98/0x150
RSP: 0018:ffffc90000f279c0 EFLAGS: 00010206
RAX: 0000000040000000 RBX: ffffc90000f27ab0 RCX: 000000000000001e
RDX: 0000000000000003 RSI: f00087d3f000f000 RDI: f00087d
Red Hat
kernel: f2fs: prevent kernel warning due to negative i_nlink from corrupted image
vendor_redhat·2025-07-04·CVSS 5.5
CVE-2025-38219 [MEDIUM] kernel: f2fs: prevent kernel warning due to negative i_nlink from corrupted image
kernel: f2fs: prevent kernel warning due to negative i_nlink from corrupted image
In the Linux kernel, the following vulnerability has been resolved:
f2fs: prevent kernel warning due to negative i_nlink from corrupted image
WARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0
home/cc/linux/fs/inode.c:417
Modules linked in:
CPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 Not tainted
6.14.0-12627-g94d471a4f428 #2 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417
Code: 48 8b 5d 28 be 08 00 00 00 48 8d bb 70 07 00 00 e8 f9 67 e6 ff
f0 48 ff 83 70 07 00 00 5b 5d e9 9a 12 82 ff e8 95 12 82 ff 90
0b 90 c7 45 48 ff ff ff ff 5b 5d e9 83 12 82 ff e8 fe 5f e6
ff
RSP: 0018:ffffc9
Red Hat
kernel: binder: fix use-after-free in binderfs_evict_inode()
vendor_redhat·2025-07-04·CVSS 7.8
CVE-2025-38176 [HIGH] kernel: binder: fix use-after-free in binderfs_evict_inode()
kernel: binder: fix use-after-free in binderfs_evict_inode()
In the Linux kernel, the following vulnerability has been resolved:
binder: fix use-after-free in binderfs_evict_inode()
Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled
kernel, I've noticed the following:
BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0
Write of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699
CPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
Call Trace:
dump_stack_lvl+0x1c2/0x2a0
? __pfx_dump_stack_lvl+0x10/0x10
? __pfx__printk+0x10/0x10
? __pfx_lock_release+0x10/0x10
? __virt_addr_valid+0x18c/0x540
? __virt_addr_valid+0x469/0x540
pri
Red Hat
kernel: uprobes: Reject the shared zeropage in uprobe_write_opcode()
vendor_redhat·2025-03-27·CVSS 5.5
CVE-2025-21881 [MEDIUM] kernel: uprobes: Reject the shared zeropage in uprobe_write_opcode()
kernel: uprobes: Reject the shared zeropage in uprobe_write_opcode()
In the Linux kernel, the following vulnerability has been resolved:
uprobes: Reject the shared zeropage in uprobe_write_opcode()
We triggered the following crash in syzkaller tests:
BUG: Bad page state in process syz.7.38 pfn:1eff3
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3
flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff)
raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
dump_stack_lvl+0x32/0x50
bad_page+0x69
Microsoft
An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping allowing a remote attacker to conduct XSS attacks as d
vendor_msrc·2018-12-11·CVSS 6.1
CVE-2018-19787 [MEDIUM] CWE-79 An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping allowing a remote attacker to conduct XSS attacks as d
An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping allowing a remote attacker to conduct XSS attacks as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See th
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-39983 kernel: Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue
bugzilla·2025-10-15
CVE-2025-39983 [MEDIUM] CVE-2025-39983 kernel: Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue
CVE-2025-39983 kernel: Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue
This fixes the following UAF caused by not properly locking hdev when
processing HCI_EV_NUM_COMP_PKTS:
BUG: KASAN: slab-use-after-free in hci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036
Read of size 4 at addr ffff8880740f0940 by task kworker/u11:0/54
CPU: 1 UID: 0 PID: 54 Comm: kworker/u11:0 Not tainted 6.16.0-rc7 #3 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci1 hci_rx_work
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/
Bugzilla
CVE-2025-39974 kernel: tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit()
bugzilla·2025-10-15
CVE-2025-39974 [LOW] CVE-2025-39974 kernel: tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit()
CVE-2025-39974 kernel: tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit()
In the Linux kernel, the following vulnerability has been resolved:
tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit()
When config osnoise cpus by write() syscall, the following KASAN splat may
be observed:
BUG: KASAN: slab-out-of-bounds in _parse_integer_limit+0x103/0x130
Read of size 1 at addr ffff88810121e3a1 by task test/447
CPU: 1 UID: 0 PID: 447 Comm: test Not tainted 6.17.0-rc6-dirty #288 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0x55/0x70
print_report+0xcb/0x610
kasan_report+0xb8/0xf0
_parse_integer_limit+0x103/0x130
bitmap_parselist+0x16d/0x6f0
osnoise_cpus_write+0x116/0x2d0
vfs_write+0x21e/
Bugzilla
CVE-2025-39857 kernel: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
bugzilla·2025-09-19·CVSS 5.5
CVE-2025-39857 [MEDIUM] CVE-2025-39857 kernel: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
CVE-2025-39857 kernel: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
BUG: kernel NULL pointer dereference, address: 00000000000002ec
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Workqueue: smc_hs_wq smc_listen_work [smc]
RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc]
...
Call Trace:
smcr_buf_map_link+0x211/0x2a0 [smc]
__smc_buf_create+0x522/0x970 [smc]
smc_buf_create+0x3a/0x110 [smc]
smc_find_rdma_v2_device_serv+0x18f/
Bugzilla
CVE-2025-38255 kernel: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()
bugzilla·2025-07-09·CVSS 5.5
CVE-2025-38255 [MEDIUM] CVE-2025-38255 kernel: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()
CVE-2025-38255 kernel: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()
In the Linux kernel, the following vulnerability has been resolved:
lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()
While testing null_blk with configfs, echo 0 > poll_queues will trigger
following panic:
BUG: kernel NULL pointer dereference, address: 0000000000000010
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
RIP: 0010:__bitmap_or+0x48/0x70
Call Trace:
__group_cpus_evenly+0x822/0x8c0
group_cpus_evenly+0x2d9/0x490
blk_mq_map_queues+0x1e/0x110
null_map_queues+0xc9/0x170 [null_blk]
blk_mq_update_queue_
Bugzilla
CVE-2025-38226 kernel: media: vivid: Change the siize of the composing
bugzilla·2025-07-04·CVSS 7.8
CVE-2025-38226 [HIGH] CVE-2025-38226 kernel: media: vivid: Change the siize of the composing
CVE-2025-38226 kernel: media: vivid: Change the siize of the composing
In the Linux kernel, the following vulnerability has been resolved:
media: vivid: Change the siize of the composing
syzkaller found a bug:
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304
CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_
Bugzilla
CVE-2025-21725 kernel: smb: client: fix oops due to unset link speed
bugzilla·2025-02-27·CVSS 5.5
CVE-2025-21725 [MEDIUM] CVE-2025-21725 kernel: smb: client: fix oops due to unset link speed
CVE-2025-21725 kernel: smb: client: fix oops due to unset link speed
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix oops due to unset link speed
It isn't guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always
be set by the server, so the client must handle any values and then
prevent oopses like below from happening:
Oops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 1323 Comm: cat Not tainted 6.13.0-rc7 #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41
04/01/2014
RIP: 0010:cifs_debug_data_proc_show+0xa45/0x1460 [cifs] Code: 00 00 48
89 df e8 3b cd 1b c1 41 f6 44 24 2c 04 0f 84 50 01 00 00 48 89 ef e8
e7 d0 1b c1 49 8b 44 24 18 31 d2 49 8d 7c 24 28 f7 74 24 18 48 89
c3 e8 6e cf 1b c1 41 8b 6c 24
Wiz
CVE-2025-71088 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2025-71088 [MEDIUM] CVE-2025-71088 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-71088 :
Linux Kernel vulnerability analysis and mitigation
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fallback earlier on simult connection
Syzkaller reports a simult-connect race leading to inconsistent fallback
status:
WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Modules linked in:
CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 0b 90 e8 6d 66 3c f6 48 89
http://www.christian-schneider.net/advisories/CVE-2014-2025.txthttps://exchange.xforce.ibmcloud.com/vulnerabilities/99568https://help.unitedplanet.com/?rq_AppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_TargetPageGuid=2EBBF802B1970FE31EFC8A34108DF3F47E7A8EEC&rq_RecId=31&rq_SourceAppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_SourcePageGuid=7A91F4B76FFC41A18F4EA4ACE26F31E033C5B018&rq_SourceRecId=31http://www.christian-schneider.net/advisories/CVE-2014-2025.txthttps://exchange.xforce.ibmcloud.com/vulnerabilities/99568https://help.unitedplanet.com/?rq_AppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_TargetPageGuid=2EBBF802B1970FE31EFC8A34108DF3F47E7A8EEC&rq_RecId=31&rq_SourceAppGuid=C203A277EDDF9AD2492B776B996B20D4A7C58395&rq_SourcePageGuid=7A91F4B76FFC41A18F4EA4ACE26F31E033C5B018&rq_SourceRecId=31
2020-01-31
Published