CVE-2025-1265
Published 2025-02-20
Priority P269 · critical 9.9 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.32% (67.4th percentile)
An OS command injection vulnerability exists in Vinci Protocol Analyzer that could allow an attacker to escalate privileges and perform code execution on the affected system.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elseta | vinci_protocol_analyzer | < 3.2.3.19 | 3.2.3.19 |
| spotipy_project | spotipy | >= 0 < 2.25.2 | 2.25.2 |
Detection & IOCs (extracted from sources)
- Vulnerability class is OS Command Injection (CWE-78) in Elseta Vinci Protocol Analyzer; monitor for unexpected OS command execution or privilege escalation originating from the Vinci Protocol Analyzer process.
- Exploitation is remotely possible with low privileges and no user interaction (CVSS AV:N/AC:L/PR:L/UI:N/S:C); alert on authenticated remote sessions to Vinci Protocol Analyzer that spawn child OS processes.
- All versions of Vinci Protocol Analyzer prior to 3.2.3.19 are affected; detection efforts should prioritize unpatched deployments.
- No known public exploitation or specific exploit code has been reported as of the advisory publication date, limiting signature-based detection options.
CVSS provenance
- NVD, CVSS v3.1: 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- NVD, CVSS v4.0: 9.4 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Source: CISA ICS advisory, 2025-02-20, CVSS 9.4, [CRITICAL] Elseta Vinci Protocol Analyzer
## Elseta Vinci Protocol Analyzer (ICS Advisory)
Release Date: February 20, 2025
Alert Code: ICSA-25-051-06
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.4
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Elseta
- Equipment: Vinci Protocol Analyzer
- Vulnerability: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to escalate privileges and perform code execution on the affected system.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following Elseta products are affected:
Vinci Protocol Analyzer: Versions prior to 3.2
Source: GHSA, 2025-12-01
CVE-2025-66040 [LOW] CWE-79: Spotipy has an XSS vulnerability in its OAuth callback server
### Summary
An XSS vulnerability in the OAuth callback server allows JavaScript injection through the unsanitized `error` parameter. An attacker can execute arbitrary JavaScript in the user's browser during OAuth authentication.
### Details
**Vulnerable Code:** `spotipy/oauth2.py` lines 1238-1274 (RequestHandler.do_GET)
**The Problem:**
During the OAuth flow, spotipy starts a local HTTP server to receive the redirect callback. The server reflects the `error` URL parameter directly into HTML without sanitization, so whatever a crafted redirect carries in that parameter lands in the page the browser renders.
**Vulnerable code at line 1255:**
```python
status = f"failed ({self.server.error})"
```
**Then embedded in HTML at line 1265:**
```python
self._write(f"""
Authentication status: {status}
""")
```
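As an added example (not spotipy's own code), a minimal stand-in for the callback handler's rendering step: it shows the unsanitized reflection of `error` described above beside the `html.escape` fix. `parse_callback`, `render_status_page` and the callback URL are hypothetical names and constructed input.

```python
# Added example, not spotipy's code: a stand-in for the local OAuth callback
# handler that reflects the `error` query parameter into HTML.
import html
from urllib.parse import parse_qs, urlparse


def parse_callback(path: str) -> dict:
    """Extract `code`, `state` and `error` from the redirect request path."""
    query = parse_qs(urlparse(path).query)
    return {k: query[k][0] for k in ("code", "state", "error") if k in query}


def render_status_page(params: dict, escape: bool) -> str:
    """Build the page the callback server returns to the browser.

    escape=False mirrors the vulnerable pattern (raw f-string interpolation);
    escape=True is the fix: HTML-encode the reflected value before embedding.
    """
    if "error" in params:
        status = f"failed ({params['error']})"   # attacker-controlled text
    elif "code" in params:
        status = "successful"
    else:
        status = "failed (no code or error in callback)"
    if escape:
        status = html.escape(status, quote=True)
    return f"<html><body>Authentication status: {status}</body></html>"


# Constructed callback path: the browser reaches it via a crafted redirect.
CONSTRUCTED_CALLBACK = "/callback?error=%3Cscript%3Edemo()%3C%2Fscript%3E"


def is_reflected_unescaped(page: str) -> bool:
    """True when a raw <script> tag survived into the rendered page."""
    return "<script>" in page


if __name__ == "__main__":
    params = parse_callback(CONSTRUCTED_CALLBACK)
    print(render_status_page(params, escape=False))  # tag reflected verbatim
    print(render_status_page(params, escape=True))   # tag rendered as text
```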
The `error` parameter comes from URL parsing (
Source: GHSA (unreviewed), 2025-02-20
CVE-2025-1265 [CRITICAL] CWE-78 GHSA-wjh9-gfgw-24mv: An OS command injection vulnerability exists in Vinci Protocol Analyzer that could allow an attacker to escalate privileges and perform code execution on the affected system.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.