
    34 vulnerabilities found for mozart_dds_next_2000_firmware by dbbroadcast

    CVE-2025-66263 (GCVE-0-2025-66263)

    Vulnerability from nvd – Published: 2025-11-26 00:52 – Updated: 2025-11-26 16:10
    Title
    Unauthenticated Arbitrary File Read via Null Byte Injection
    Summary
    Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform null byte injection in download_setting.php and read arbitrary files. The `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating the user-controlled `$_GET['filename']` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-158 - Unauthenticated Arbitrary File Read via Null Byte Injection
    Assigner: Gridware
    References
    https://www.abdulmhsblog.com/posts/webfmvulns/ (tags: exploit, technical-description)
    Impacted products
    Vendor: DB Electronica Telecomunicazioni S.p.A.
    Product: Mozart FM Transmitter
    Affected versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66263",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T16:10:10.243107Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T16:10:21.364Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files.\u003cbr\u003eThe `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET[\u0027filename\u0027]` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files.\nThe `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET[\u0027filename\u0027]` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.9,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-158",
                  "description": "CWE-158 Unauthenticated Arbitrary File Read via Null Byte Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:52:24.390Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated Arbitrary File Read via Null Byte Injection",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66263",
        "datePublished": "2025-11-26T00:52:24.390Z",
        "dateReserved": "2025-11-26T00:21:58.504Z",
        "dateUpdated": "2025-11-26T16:10:21.364Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66262 (GCVE-0-2025-66262)

    Vulnerability from nvd – Published: 2025-11-26 00:50 – Updated: 2025-11-26 14:57
    Title
    Arbitrary File Overwrite via Tar Extraction Path Traversal
    Summary
    Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to overwrite arbitrary files via a crafted archive, because tar extraction runs with `-C /`. The `restore_mozzi_memories.sh` script extracts user-controlled tar archives with the `-C /` flag, depositing their contents at the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Arbitrary File Overwrite via Tar Extraction Path Traversal
    Assigner: Gridware
    References
    https://www.abdulmhsblog.com/posts/webfmvulns/ (tags: exploit, technical-description)
    Impacted products
    Vendor: DB Electronica Telecomunicazioni S.p.A.
    Product: Mozart FM Transmitter
    Affected versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66262",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T14:54:20.227447Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T14:57:11.139Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eArbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arbitrary file overwrite via crafted archive.\u003cbr\u003eThe `restore_mozzi_memories.sh` script extracts user-controlled tar archives with `-C /` flag, depositing contents to the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arbitrary file overwrite via crafted archive.\nThe `restore_mozzi_memories.sh` script extracts user-controlled tar archives with `-C /` flag, depositing contents to the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NO",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/AU:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Arbitrary File Overwrite via Tar Extraction Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:50:55.913Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Arbitrary File Overwrite via Tar Extraction Path Traversal",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66262",
        "datePublished": "2025-11-26T00:50:55.913Z",
        "dateReserved": "2025-11-26T00:21:58.504Z",
        "dateUpdated": "2025-11-26T14:57:11.139Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66261 (GCVE-0-2025-66261)

    Vulnerability from nvd – Published: 2025-11-26 00:49 – Updated: 2025-11-26 15:00
    Title
    Unauthenticated OS Command Injection (restore_settings.php)
    Summary
    Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to achieve remote code execution, because the URL-decoded `name` parameter is passed to exec(). The `/var/tdf/restore_settings.php` endpoint passes the user-controlled `$_GET["name"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `&&`, etc.) to achieve unauthenticated remote code execution as the web server user.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Unauthenticated OS Command Injection (restore_settings.php)
    Assigner: Gridware
    References
    https://www.abdulmhsblog.com/posts/webfmvulns/ (tags: exploit, technical-description)
    Impacted products
    Vendor: DB Electronica Telecomunicazioni S.p.A.
    Product: Mozart FM Transmitter
    Affected versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66261",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T14:59:47.969665Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T15:00:02.948Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name parameter passed to exec() allows remote code execution.\u003cbr\u003eThe `/var/tdf/restore_settings.php` endpoint passes user-controlled `$_GET[\"name\"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `\u0026amp;\u0026amp;`, etc.) to achieve unauthenticated remote code execution as the web server user.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name parameter passed to exec() allows remote code execution.\nThe `/var/tdf/restore_settings.php` endpoint passes user-controlled `$_GET[\"name\"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `\u0026\u0026`, etc.) to achieve unauthenticated remote code execution as the web server user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Unauthenticated OS Command Injection (restore_settings.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:49:38.259Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated OS Command Injection (restore_settings.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66261",
        "datePublished": "2025-11-26T00:49:38.259Z",
        "dateReserved": "2025-11-26T00:21:58.504Z",
        "dateUpdated": "2025-11-26T15:00:02.948Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66260 (GCVE-0-2025-66260)

    Vulnerability from nvd – Published: 2025-11-26 00:48 – Updated: 2025-11-26 15:06
    Title
    PostgreSQL SQL Injection (status_sql.php)
    Summary
    PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform SQL injection via the sw1 and sw2 parameters of status_sql.php. The `status_sql.php` endpoint constructs SQL UPDATE queries by directly concatenating the user-controlled `sw1` and `sw2` parameters without using parameterized queries or `pg_escape_string()`. While PostgreSQL's `pg_exec` limitations prevent stacked queries, attackers can inject subqueries for data exfiltration and leverage verbose error messages for reconnaissance.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - PostgreSQL SQL Injection (status_sql.php)
    Assigner: Gridware
    References
    https://www.abdulmhsblog.com/posts/webfmvulns/ (tags: exploit, technical-description)
    Impacted products
    Vendor: DB Electronica Telecomunicazioni S.p.A.
    Product: Mozart FM Transmitter
    Affected versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66260",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T15:05:57.716234Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T15:06:21.454Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003ePostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform SQL injection via sw1 and sw2 parameters in status_sql.php.\u003cbr\u003eThe `status_sql.php` endpoint constructs SQL UPDATE queries by directly concatenating user-controlled `sw1` and `sw2` parameters without using parameterized queries or `pg_escape_string()`. While PostgreSQL\u0027s `pg_exec` limitations prevent stacked queries, attackers can inject subqueries for data exfiltration and leverage verbose error messages for reconnaissance.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform SQL injection via sw1 and sw2 parameters in status_sql.php.\nThe `status_sql.php` endpoint constructs SQL UPDATE queries by directly concatenating user-controlled `sw1` and `sw2` parameters without using parameterized queries or `pg_escape_string()`. While PostgreSQL\u0027s `pg_exec` limitations prevent stacked queries, attackers can inject subqueries for data exfiltration and leverage verbose error messages for reconnaissance."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:L/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 PostgreSQL SQL Injection (status_sql.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:48:34.554Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "PostgreSQL SQL Injection (status_sql.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66260",
        "datePublished": "2025-11-26T00:48:34.554Z",
        "dateReserved": "2025-11-26T00:21:58.504Z",
        "dateUpdated": "2025-11-26T15:06:21.454Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66259 (GCVE-0-2025-66259)

    Vulnerability from nvd – Published: 2025-11-26 00:46 – Updated: 2025-11-26 15:46
    Title
    Authenticated Root Remote Code Execution through improper filtering of HTTP post request parameters
    Summary
    Authenticated Root Remote Code Execution via improper user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an authenticated attacker to execute code as root: in main_ok.php, user-supplied data/hour/time values are passed directly into the date shell command.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    URL: https://www.abdulmhsblog.com/posts/webfmvulns/ Tags: exploit, technical-description
    Impacted products
    Vendor: DB Electronica Telecomunicazioni S.p.A.
    Product: Mozart FM Transmitter
    Affected versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66259",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T15:46:50.719048Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T15:46:56.051Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAuthenticated Root Remote Code Execution via improrer user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform in main_ok.php user supplied data/hour/time is passed directly into date shell command\u003c/p\u003e"
                }
              ],
              "value": "Authenticated Root Remote Code Execution via improrer user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform in main_ok.php user supplied data/hour/time is passed directly into date shell command"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T01:02:19.064Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Authenticated Root Remote Code Execution through improper filtering of HTTP post request parameters",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66259",
        "datePublished": "2025-11-26T00:46:51.931Z",
        "dateReserved": "2025-11-26T00:21:33.791Z",
        "dateUpdated": "2025-11-26T15:46:56.051Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66258 (GCVE-0-2025-66258)

    Vulnerability from nvd – Published: 2025-11-26 00:45 – Updated: 2025-11-26 15:47
    Title
    Stored Cross-Site Scripting via XML Injection
    Summary
    Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `<img src=x onerror=alert()>.bin`). The XSS executes when ajax.js processes and renders the XML file.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Stored Cross-Site Scripting via XML Injection
    Assigner
    References
    URL: https://www.abdulmhsblog.com/posts/webfmvulns/ Tags: exploit, technical-description
    Impacted products
    Vendor: DB Electronica Telecomunicazioni S.p.A.
    Product: Mozart FM Transmitter
    Affected versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66258",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T15:47:42.629161Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T15:47:46.259Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eStored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml.\u003cbr\u003eUser-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `\u0026lt;img src=x onerror=alert()\u0026gt;.bin`). The XSS executes when ajax.js processes and renders the XML file.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml.\nUser-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `\u003cimg src=x onerror=alert()\u003e.bin`). The XSS executes when ajax.js processes and renders the XML file."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Stored Cross-Site Scripting via XML Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:45:39.995Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Stored Cross-Site Scripting via XML Injection",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66258",
        "datePublished": "2025-11-26T00:45:39.995Z",
        "dateReserved": "2025-11-26T00:21:33.791Z",
        "dateUpdated": "2025-11-26T15:47:46.259Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66257 (GCVE-0-2025-66257)

    Vulnerability from nvd – Published: 2025-11-26 00:43 – Updated: 2025-11-26 15:49
    Title
    Unauthenticated Arbitrary File Deletion (patch_contents.php)
    Summary
    Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to delete arbitrary files via the deletepatch parameter. The `deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in the `/var/www/patch/` directory without sanitization or access control checks.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - Unauthenticated Arbitrary File Deletion (patch_contents.php)
    Assigner
    References
    URL: https://www.abdulmhsblog.com/posts/webfmvulns/ Tags: exploit, technical-description
    Impacted products
    Vendor: DB Electronica Telecomunicazioni S.p.A.
    Product: Mozart FM Transmitter
    Affected versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66257",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T15:49:21.172117Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T15:49:25.857Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletepatch parameter allows unauthenticated deletion of arbitrary files.\u003cbr\u003eThe `deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/patch/` directory without sanitization or access control checks.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletepatch parameter allows unauthenticated deletion of arbitrary files.\nThe `deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/patch/` directory without sanitization or access control checks."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73 Unauthenticated Arbitrary File Deletion (patch_contents.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:43:54.408Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated Arbitrary File Deletion (patch_contents.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66257",
        "datePublished": "2025-11-26T00:43:54.408Z",
        "dateReserved": "2025-11-26T00:21:33.791Z",
        "dateUpdated": "2025-11-26T15:49:25.857Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66256 (GCVE-0-2025-66256)

    Vulnerability from nvd – Published: 2025-11-26 00:41 – Updated: 2025-12-03 16:13
    Title
    Unauthenticated Arbitrary File Upload (patch_contents.php)
    Summary
    Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to upload arbitrary files through unrestricted file upload in patch_contents.php. The `/var/tdf/patch_contents.php` endpoint accepts unauthenticated arbitrary file uploads without file type validation, MIME checking, or any size restriction beyond 16MB, enabling attackers to upload malicious files.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unauthenticated Arbitrary File Upload (patch_contents.php)
    Assigner
    References
    URL: https://www.abdulmhsblog.com/posts/webfmvulns/ (tags: exploit, technical-description)
    Impacted products
    Vendor: DB Electronica Telecomunicazioni S.p.A.
    Product: Mozart FM Transmitter
    Affected versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66256",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-03T16:13:46.751741Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-03T16:13:49.513Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Unrestricted file upload in patch_contents.php allows uploading malicious files.\u003c/p\u003eThe `/var/tdf/patch_contents.php` endpoint allows unauthenticated arbitrary file uploads without file type validation, MIME checking, or size restrictions beyond 16MB, enabling attackers to upload malicious files.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Unrestricted file upload in patch_contents.php allows uploading malicious files.\n\nThe `/var/tdf/patch_contents.php` endpoint allows unauthenticated arbitrary file uploads without file type validation, MIME checking, or size restrictions beyond 16MB, enabling attackers to upload malicious files."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unauthenticated Arbitrary File Upload (patch_contents.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:41:08.666Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated Arbitrary File Upload (patch_contents.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66256",
        "datePublished": "2025-11-26T00:41:08.666Z",
        "dateReserved": "2025-11-26T00:21:33.791Z",
        "dateUpdated": "2025-12-03T16:13:49.513Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66255 (GCVE-0-2025-66255)

    Vulnerability from nvd – Published: 2025-11-26 00:39 – Updated: 2025-12-03 16:00
    Title
    Unauthenticated Arbitrary File Upload (upgrade_contents.php)
    Summary
    Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to upload malicious firmware packages because signature validation is missing. The firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers or cryptographic signatures and without enforcing the .tgz format requirement, allowing malicious firmware injection. The same endpoint consequently also provides a path to arbitrary file upload and subsequent remote code execution.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Unauthenticated Arbitrary File Upload (upgrade_contents.php)
    Assigner
    References
    URL: https://www.abdulmhsblog.com/posts/webfmvulns/ (tags: exploit, technical-description)
    Impacted products
    Vendor: DB Electronica Telecomunicazioni S.p.A.
    Product: Mozart FM Transmitter
    Affected versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66255",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-03T15:59:55.831677Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-03T16:00:07.473Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation allows uploading malicious firmware packages.\u0026nbsp;\u003cbr\u003eThe firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers, cryptographic signatures, or enforcing .tgz format requirements, allowing malicious firmware injection. This endpoint also subsequently provides ways for arbitrary file uploads and subsequent remote code execution\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation allows uploading malicious firmware packages.\u00a0\nThe firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers, cryptographic signatures, or enforcing .tgz format requirements, allowing malicious firmware injection. This endpoint also subsequently provides ways for arbitrary file uploads and subsequent remote code execution"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345 Unauthenticated Arbitrary File Upload (upgrade_contents.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:39:56.984Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated Arbitrary File Upload (upgrade_contents.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66255",
        "datePublished": "2025-11-26T00:39:56.984Z",
        "dateReserved": "2025-11-26T00:21:33.791Z",
        "dateUpdated": "2025-12-03T16:00:07.473Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66254 (GCVE-0-2025-66254)

    Vulnerability from nvd – Published: 2025-11-26 00:37 – Updated: 2025-12-03 15:55
    Title
    Unauthenticated Arbitrary File Deletion (upgrade_contents.php)
    Summary
    Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to delete arbitrary files via the deleteupgrade parameter. The `deleteupgrade` parameter in `/var/www/upgrade_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/upload/` without any extension restriction or path sanitization, enabling attackers to remove critical system files.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - Unauthenticated Arbitrary File Deletion (upgrade_contents.php)
    Assigner
    References
    URL: https://www.abdulmhsblog.com/posts/webfmvulns/ (tags: exploit, technical-description)
    Impacted products
    Vendor: DB Electronica Telecomunicazioni S.p.A.
    Product: Mozart FM Transmitter
    Affected versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66254",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-03T15:55:44.883364Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-03T15:55:50.204Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deleteupgrade parameter allows unauthenticated deletion of arbitrary files.\u0026nbsp;\u003c/p\u003eThe `deleteupgrade` parameter in `/var/www/upgrade_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/upload/` without any extension restriction or path sanitization, enabling attackers to remove critical system files.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deleteupgrade parameter allows unauthenticated deletion of arbitrary files.\u00a0\n\nThe `deleteupgrade` parameter in `/var/www/upgrade_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/upload/` without any extension restriction or path sanitization, enabling attackers to remove critical system files."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73 Unauthenticated Arbitrary File Deletion (upgrade_contents.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:37:48.788Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated Arbitrary File Deletion (upgrade_contents.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66254",
        "datePublished": "2025-11-26T00:37:48.788Z",
        "dateReserved": "2025-11-26T00:21:33.791Z",
        "dateUpdated": "2025-12-03T15:55:50.204Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66253 (GCVE-0-2025-66253)

    Vulnerability from nvd – Published: 2025-11-26 00:36 – Updated: 2025-12-03 15:55
    Title
    Unauthenticated OS Command Injection (start_upgrade.php)
    Summary
    Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to achieve remote code execution via start_upgrade.php because user input is passed directly to exec(). The `/var/tdf/start_upgrade.php` endpoint passes the user-controlled `$_GET["filename"]` value directly into `exec()` without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) to achieve remote code execution as the web server user (likely root).
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Unauthenticated OS Command Injection (start_upgrade.php)
    Assigner
    References
    URL: https://www.abdulmhsblog.com/posts/webfmvulns/ (tags: exploit, technical-description)
    Impacted products
    Vendor: DB Electronica Telecomunicazioni S.p.A.
    Product: Mozart FM Transmitter
    Affected versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66253",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-03T15:54:55.751527Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-03T15:55:18.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform User input passed directly to exec() allows remote code execution via start_upgrade.php.\u0026nbsp;The `/var/tdf/start_upgrade.php` endpoint passes user-controlled `$_GET[\"filename\"]` directly into `exec()` without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) to achieve remote code execution as the web server user (likely root).\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform User input passed directly to exec() allows remote code execution via start_upgrade.php.\u00a0The `/var/tdf/start_upgrade.php` endpoint passes user-controlled `$_GET[\"filename\"]` directly into `exec()` without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) to achieve remote code execution as the web server user (likely root)."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Unauthenticated OS Command Injection (start_upgrade.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:36:29.474Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated OS Command Injection (start_upgrade.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66253",
        "datePublished": "2025-11-26T00:36:29.474Z",
        "dateReserved": "2025-11-26T00:21:33.790Z",
        "dateUpdated": "2025-12-03T15:55:18.897Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
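
The record above (CVE-2025-66253) states that start_upgrade.php passes `$_GET["filename"]` straight into `exec()`. The PHP below is an added example, not the vendor's source: it reconstructs the pattern as the description gives it and puts a hardened handler beside it. The directories /var/tdf/upload and /var/tdf/staging, the tar command, and the `$isAdminSession` flag are assumptions for illustration; the advisory does not say which command the script builds. Written for PHP 7.4 or later.

```php
<?php
// Added example (not the vendor's code): the exec() pattern described for
// CVE-2025-66253, next to a hardened version. Paths, the tar command and
// the session flag are assumptions.

// AS DESCRIBED: user input is concatenated into a shell command line, so a
// metacharacter such as ';' or '|' ends the intended command and starts
// another, running as the web server user.
function startUpgradeVulnerable(array $get): string
{
    $filename = $get['filename'];
    exec('tar xzf /var/tdf/upload/' . $filename, $out);
    return implode("\n", $out);
}

// HARDENED: require a session, allowlist the name, confine the path, and
// quote the one value that reaches the shell.
function startUpgradeHardened(array $get, bool $isAdminSession): string
{
    if (!$isAdminSession) {                      // firmware upgrade is admin-only
        http_response_code(401);
        return 'authentication required';
    }
    $filename = isset($get['filename']) ? (string) $get['filename'] : '';
    // Bare file name only: no separators, no leading '-' (tar would read it
    // as an option), fixed extension, bounded length.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\.tgz\z/', $filename)) {
        http_response_code(400);
        return 'invalid filename';
    }
    $base = realpath('/var/tdf/upload');
    $path = ($base === false) ? false : realpath($base . '/' . $filename);
    // realpath() is false for a missing file and follows symlinks, so a link
    // planted in the upload directory cannot point the extraction elsewhere.
    if ($path === false || strpos($path, $base . '/') !== 0) {
        http_response_code(404);
        return 'no such package';
    }
    // escapeshellarg() single-quotes the value, so shell metacharacters in it
    // are literal. The command itself is a fixed string.
    exec('tar xzf ' . escapeshellarg($path) . ' -C /var/tdf/staging 2>&1', $out, $rc);
    return $rc === 0 ? 'ok' : 'extract failed';
}
```

The allowlist does most of the work; `escapeshellarg()` is the backstop for the case where the name is later relaxed. Preferring `proc_open()` with an argument array (PHP 7.4+) over a shell command line removes the shell from the picture entirely.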

    CVE-2025-66252 (GCVE-0-2025-66252)

    Vulnerability from nvd – Published: 2025-11-26 00:34 – Updated: 2025-12-01 21:11
    Title
    Infinite Loop Denial of Service via Failed File Deletion
    Summary
    Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to cause a denial of service through an infinite loop when unlink() fails in status_contents.php. The unlink operation runs inside a while loop: if the specified file is immutable, or the process has no permission to delete it, the script retries the deletion indefinitely.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
    Assigner
    References
    URL Tags
    https://www.abdulmhsblog.com/posts/webfmvulns/ exploit, technical-description
    Impacted products
    Vendor Product Version
    DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter Affected: 30
    Affected: 50
    Affected: 100
    Affected: 300
    Affected: 500
    Affected: 1000
    Affected: 2000
    Affected: 3000
    Affected: 3500
    Affected: 6000
    Affected: 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66252",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-01T21:11:24.334944Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-01T21:11:46.724Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eInfinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Infinite loop when unlink() fails in status_contents.php causing DoS. Due to the fact that the unlink operation is done in a while loop; if an immutable file is specified or otherwise a file in which the process has no permissions to delete; it would repeatedly attempt to do in a loop.\u003c/p\u003e"
                }
              ],
              "value": "Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Infinite loop when unlink() fails in status_contents.php causing DoS. Due to the fact that the unlink operation is done in a while loop; if an immutable file is specified or otherwise a file in which the process has no permissions to delete; it would repeatedly attempt to do in a loop."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-835",
                  "description": "CWE-835 Infinite Loop Denial of Service via Failed File Deletion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:34:11.994Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Infinite Loop Denial of Service via Failed File Deletion",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66252",
        "datePublished": "2025-11-26T00:34:11.994Z",
        "dateReserved": "2025-11-26T00:21:33.790Z",
        "dateUpdated": "2025-12-01T21:11:46.724Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
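
The record above (CVE-2025-66252) describes a deletion in status_contents.php that calls unlink() inside a while loop and never exits when the call keeps failing. The PHP below is an added example, not the vendor's source: it reconstructs that loop as described and shows a single-attempt form that reports failure instead of spinning. The path and the use of error_log() are assumptions; PHP 7.4 or later is assumed.

```php
<?php
// Added example (not the vendor's code): the CWE-835 pattern described for
// CVE-2025-66252 and a bounded replacement. Paths are assumptions.

// AS DESCRIBED: retry until the file is gone. For a file with the immutable
// attribute, on a read-only mount, or without permission on its directory,
// unlink() fails every time and this request holds a PHP worker forever.
function removeUntilGone(string $path): void
{
    while (file_exists($path)) {
        @unlink($path);
    }
}

// HARDENED: one attempt, explicit result, caller decides what to do.
function removeOnce(string $path): bool
{
    // unlink() needs write+execute on the parent directory and a regular
    // file; is_file() also excludes dangling symlinks and directories.
    if (!is_writable(dirname($path)) || !is_file($path)) {
        error_log("refusing to delete $path: not a deletable regular file");
        return false;
    }
    // is_writable() on the directory does not see an immutable attribute on
    // the file itself, so the unlink() result is the check that matters.
    if (!@unlink($path)) {
        $err = error_get_last();
        error_log("unlink failed for $path: " . ($err['message'] ?? 'unknown'));
        return false;
    }
    return true;
}

// Usage in the endpoint: report the outcome, never loop on it.
// if (!removeOnce('/var/tdf/upload/' . $name)) { http_response_code(500); }
```

If a retry is genuinely wanted (a transient lock, for example), bound it: a fixed count with a short usleep() between attempts, and a failure return when the count is exhausted. Any loop whose exit depends on a filesystem call succeeding is the CWE-835 shape.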

    CVE-2025-66251 (GCVE-0-2025-66251)

    Vulnerability from nvd – Published: 2025-11-26 00:32 – Updated: 2025-11-26 15:03
    Title
    Unauthenticated Path Traversal with Arbitrary File Deletion
    Summary
    Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to delete arbitrary .tgz files: the deletehidden parameter is used to build a file path without confinement to the intended directory, so path traversal sequences select files elsewhere on the filesystem.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    URL Tags
    https://www.abdulmhsblog.com/posts/webfmvulns/ exploit, technical-description
    Impacted products
    Vendor Product Version
    DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter Affected: 30
    Affected: 50
    Affected: 100
    Affected: 300
    Affected: 500
    Affected: 1000
    Affected: 2000
    Affected: 3000
    Affected: 3500
    Affected: 6000
    Affected: 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66251",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T14:58:14.439926Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T15:03:03.656Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletehidden parameter allows path traversal deletion of arbitrary .tgz files.\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletehidden parameter allows path traversal deletion of arbitrary .tgz files."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Unauthenticated Path Traversal with Arbitrary File Deletion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:32:26.142Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated Path Traversal with Arbitrary File Deletion",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66251",
        "datePublished": "2025-11-26T00:32:26.142Z",
        "dateReserved": "2025-11-26T00:21:33.790Z",
        "dateUpdated": "2025-11-26T15:03:03.656Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
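
The record above (CVE-2025-66251) says the deletehidden parameter reaches a file deletion with only a .tgz restriction and no confinement to a directory. The PHP below is an added example, not the vendor's source: it shows why a forced suffix alone does not stop traversal and how to confine the resolved path. The parameter name is from the record; the base directory /var/tdf/upload and the way the suffix is appended are assumptions. PHP 7.4 or later is assumed.

```php
<?php
// Added example (not the vendor's code): confining the deletion described
// for CVE-2025-66251. The base directory and suffix handling are assumptions.

// AS DESCRIBED: the ".tgz" suffix is the only restriction. A value with
// "../" segments still resolves to any .tgz on the filesystem.
function deleteHiddenVulnerable(string $deletehidden): bool
{
    return @unlink('/var/tdf/upload/' . $deletehidden . '.tgz');
}

// HARDENED: resolve the final path and require it to stay under the base.
function deleteHiddenConfined(string $deletehidden, string $baseDir = '/var/tdf/upload'): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // Early rejects for a clear error: empty, NUL byte (truncates the path
    // in older interpreters), separators, or dot-dot segments.
    if ($deletehidden === ''
        || strpos($deletehidden, "\0") !== false
        || preg_match('#[/\\\\]|\.\.#', $deletehidden)) {
        return false;
    }
    // The real guarantee: the canonical target must start with the canonical
    // base. realpath() follows symlinks, so a link inside the directory that
    // points outside is rejected too, and it is false for a missing file.
    $target = realpath($base . '/' . $deletehidden . '.tgz');
    if ($target === false || strpos($target, $base . '/') !== 0) {
        return false;
    }
    if (substr($target, -4) !== '.tgz' || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Usage in the endpoint (an authenticated session is assumed to be checked
// before this point; deleting files should never be anonymous):
// deleteHiddenConfined($_GET['deletehidden'] ?? '');
```

The prefix comparison is done on the realpath() output of both sides, never on the user-supplied string: string checks for "../" miss encoded forms and symlinks, and a suffix check says nothing about the directory.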

    CVE-2025-66250 (GCVE-0-2025-66250)

    Vulnerability from nvd – Published: 2025-11-26 00:29 – Updated: 2025-11-26 14:56
    Title
    Unauthenticated Arbitrary File Upload (status_contents.php)
    Summary
    Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to upload arbitrary files via /var/tdf/status_contents.php.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    URL Tags
    https://www.abdulmhsblog.com/posts/webfmvulns/ exploit, technical-description
    Impacted products
    Vendor Product Version
    DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter Affected: 30
    Affected: 50
    Affected: 100
    Affected: 300
    Affected: 500
    Affected: 1000
    Affected: 2000
    Affected: 3000
    Affected: 3500
    Affected: 6000
    Affected: 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66250",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T14:56:03.893328Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T14:56:59.781Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Allows unauthenticated arbitrary file upload via /var/tdf/status_contents.php.\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Allows unauthenticated arbitrary file upload via /var/tdf/status_contents.php."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unauthenticated Arbitrary File Upload (status_contents.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:29:57.431Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated Arbitrary File Upload (status_contents.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66250",
        "datePublished": "2025-11-26T00:29:57.431Z",
        "dateReserved": "2025-11-26T00:21:33.790Z",
        "dateUpdated": "2025-11-26T14:56:59.781Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
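
The record above (CVE-2025-66250) describes an unauthenticated arbitrary file upload through /var/tdf/status_contents.php; CVE-2025-63228 further down this page describes the same class of flaw in /upload_file.php, where the uploaded file is stored under a web-served directory. The PHP below is one added example for both, not the vendor's source. It assumes the legitimate uploads are gzip-compressed bundles, that the store directory is not served by the web server, and that the application has some session flag for an administrator; all three are assumptions. PHP 7.4 or later is assumed.

```php
<?php
// Added example (not the vendor's code): a hardened upload handler for the
// CWE-434 pattern in CVE-2025-66250 and CVE-2025-63228. The accepted content
// type, the store directory and the session flag are assumptions.

function handleUpload(array $files, bool $isAdminSession, string $storeDir = '/var/tdf/upload'): array
{
    if (!$isAdminSession) {                       // never accept anonymous uploads
        return ['ok' => false, 'error' => 'authentication required'];
    }
    $f = $files['upload'] ?? null;
    // is_uploaded_file() ties the temp name to this request's upload, so a
    // forged tmp_name cannot make move_uploaded_file() relocate another file.
    if ($f === null || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        return ['ok' => false, 'error' => 'no valid upload'];
    }
    if ($f['size'] > 64 * 1024 * 1024) {
        return ['ok' => false, 'error' => 'too large'];
    }
    // Decide the type from the bytes, not from the client's file name or the
    // Content-Type it sent; both are attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if (!in_array($mime, ['application/gzip', 'application/x-gzip'], true)) {
        return ['ok' => false, 'error' => 'not a gzip archive'];
    }
    // Server-chosen name with a fixed extension: "shell.php" or "../x" in the
    // client's name never touches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.tgz';
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return ['ok' => false, 'error' => 'store failed'];
    }
    chmod($dest, 0640);                           // not executable, not world-readable
    return ['ok' => true, 'stored' => $name, 'original' => basename($f['name'])];
}

// Usage in the endpoint (the session check is whatever the application uses):
// echo json_encode(handleUpload($_FILES, !empty($_SESSION['admin'])));
```

The controls stack: authentication removes the unauthenticated case; content sniffing plus a fixed server-chosen name removes the dangerous-type case; storing outside the document root means that even a file that slips through is never executed by the web server. For /upload_file.php the last point is the one the record singles out, since the upload lands in /upload/ under the web root.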

    CVE-2025-63229 (GCVE-0-2025-63229)

    Vulnerability from nvd – Published: 2025-11-18 00:00 – Updated: 2025-11-19 14:09
    Summary
    The Mozart FM Transmitter web management interface on version WEBMOZZI-00287 contains a reflected Cross-Site Scripting (XSS) vulnerability in the /main0.php endpoint. By injecting a malicious JavaScript payload into the ?m= query parameter, an attacker can execute arbitrary script in the victim's browser, potentially stealing sensitive information, hijacking sessions, or performing unauthorized actions.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-63229",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-19T14:09:00.456655Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-19T14:09:03.395Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains a reflected Cross-Site Scripting (XSS) vulnerability in the /main0.php endpoint. By injecting a malicious JavaScript payload into the ?m= query parameter, an attacker can execute arbitrary code in the victim\u0027s browser, potentially stealing sensitive information, hijacking sessions, or performing unauthorized actions."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-18T20:18:59.527Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.dbbroadcast.com/"
            },
            {
              "url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63229_Mozart_FM_Transmitter_xss"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-63229",
        "datePublished": "2025-11-18T00:00:00.000Z",
        "dateReserved": "2025-10-27T00:00:00.000Z",
        "dateUpdated": "2025-11-19T14:09:03.395Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-63228 (GCVE-0-2025-63228)

    Vulnerability from nvd – Published: 2025-11-18 00:00 – Updated: 2025-11-19 15:45
    VLAI
    Summary
    The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains an unauthenticated file upload vulnerability in the /upload_file.php endpoint. An attacker can exploit this by sending a crafted POST request with a malicious file (e.g., a PHP webshell) to the server. The uploaded file is stored in the /upload/ directory, enabling remote code execution and full system compromise.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-63228",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-19T15:45:06.437273Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-434",
                    "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-19T15:45:32.208Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains an unauthenticated file upload vulnerability in the /upload_file.php endpoint. An attacker can exploit this by sending a crafted POST request with a malicious file (e.g., a PHP webshell) to the server. The uploaded file is stored in the /upload/ directory, enabling remote code execution and full system compromise."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-18T20:02:20.597Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.dbbroadcast.com/"
            },
            {
              "url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63228_Mozart_FM_Transmitter_Unauthenticated_File_Upload"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-63228",
        "datePublished": "2025-11-18T00:00:00.000Z",
        "dateReserved": "2025-10-27T00:00:00.000Z",
        "dateUpdated": "2025-11-19T15:45:32.208Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66263 (GCVE-0-2025-66263)

    Vulnerability from cvelistv5 – Published: 2025-11-26 00:52 – Updated: 2025-11-26 16:10
    VLAI
    Title
    Unauthenticated Arbitrary File Read via Null Byte Injection
    Summary
    Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files. The `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET['filename']` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-158 - Unauthenticated Arbitrary File Read via Null Byte Injection
    Assigner
    References
    URL: https://www.abdulmhsblog.com/posts/webfmvulns/ (tags: exploit, technical-description)
    Impacted products
    Vendor: DB Electronica Telecomunicazioni S.p.A.
    Product: Mozart FM Transmitter
    Affected versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66263",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T16:10:10.243107Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T16:10:21.364Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files.\u003cbr\u003eThe `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET[\u0027filename\u0027]` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files.\nThe `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET[\u0027filename\u0027]` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.9,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-158",
                  "description": "CWE-158 Unauthenticated Arbitrary File Read via Null Byte Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:52:24.390Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated Arbitrary File Read via Null Byte Injection",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66263",
        "datePublished": "2025-11-26T00:52:24.390Z",
        "dateReserved": "2025-11-26T00:21:58.504Z",
        "dateUpdated": "2025-11-26T16:10:21.364Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66262 (GCVE-0-2025-66262)

    Vulnerability from cvelistv5 – Published: 2025-11-26 00:50 – Updated: 2025-11-26 14:57
    VLAI
    Title
    Arbitrary File Overwrite via Tar Extraction Path Traversal
    Summary
    Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arbitrary file overwrite via crafted archive. The `restore_mozzi_memories.sh` script extracts user-controlled tar archives with `-C /` flag, depositing contents to the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Arbitrary File Overwrite via Tar Extraction Path Traversal
    Assigner
    References
    URL: https://www.abdulmhsblog.com/posts/webfmvulns/ (tags: exploit, technical-description)
    Impacted products
    Vendor: DB Electronica Telecomunicazioni S.p.A.
    Product: Mozart FM Transmitter
    Affected versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66262",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T14:54:20.227447Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T14:57:11.139Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eArbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arbitrary file overwrite via crafted archive.\u003cbr\u003eThe `restore_mozzi_memories.sh` script extracts user-controlled tar archives with `-C /` flag, depositing contents to the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arbitrary file overwrite via crafted archive.\nThe `restore_mozzi_memories.sh` script extracts user-controlled tar archives with `-C /` flag, depositing contents to the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NO",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/AU:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Arbitrary File Overwrite via Tar Extraction Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:50:55.913Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Arbitrary File Overwrite via Tar Extraction Path Traversal",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66262",
        "datePublished": "2025-11-26T00:50:55.913Z",
        "dateReserved": "2025-11-26T00:21:58.504Z",
        "dateUpdated": "2025-11-26T14:57:11.139Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66261 (GCVE-0-2025-66261)

    Vulnerability from cvelistv5 – Published: 2025-11-26 00:49 – Updated: 2025-11-26 15:00
    VLAI
    Title
    Unauthenticated OS Command Injection (restore_settings.php)
    Summary
    Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name parameter passed to exec() allows remote code execution. The `/var/tdf/restore_settings.php` endpoint passes user-controlled `$_GET["name"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `&&`, etc.) to achieve unauthenticated remote code execution as the web server user.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Unauthenticated OS Command Injection (restore_settings.php)
    Assigner
    References
    URL: https://www.abdulmhsblog.com/posts/webfmvulns/ (tags: exploit, technical-description)
    Impacted products
    Vendor: DB Electronica Telecomunicazioni S.p.A.
    Product: Mozart FM Transmitter
    Affected versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66261",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T14:59:47.969665Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T15:00:02.948Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name parameter passed to exec() allows remote code execution.\u003cbr\u003eThe `/var/tdf/restore_settings.php` endpoint passes user-controlled `$_GET[\"name\"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `\u0026amp;\u0026amp;`, etc.) to achieve unauthenticated remote code execution as the web server user.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name parameter passed to exec() allows remote code execution.\nThe `/var/tdf/restore_settings.php` endpoint passes user-controlled `$_GET[\"name\"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `\u0026\u0026`, etc.) to achieve unauthenticated remote code execution as the web server user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Unauthenticated OS Command Injection (restore_settings.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:49:38.259Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated OS Command Injection (restore_settings.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66261",
        "datePublished": "2025-11-26T00:49:38.259Z",
        "dateReserved": "2025-11-26T00:21:58.504Z",
        "dateUpdated": "2025-11-26T15:00:02.948Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66260 (GCVE-0-2025-66260)

    Vulnerability from cvelistv5 – Published: 2025-11-26 00:48 – Updated: 2025-11-26 15:06
    VLAI
    Title
    PostgreSQL SQL Injection (status_sql.php)
    Summary
    PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform SQL injection via sw1 and sw2 parameters in status_sql.php. The `status_sql.php` endpoint constructs SQL UPDATE queries by directly concatenating user-controlled `sw1` and `sw2` parameters without using parameterized queries or `pg_escape_string()`. While PostgreSQL's `pg_exec` limitations prevent stacked queries, attackers can inject subqueries for data exfiltration and leverage verbose error messages for reconnaissance.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - PostgreSQL SQL Injection (status_sql.php)
    Assigner
    References
    URL Tags
    https://www.abdulmhsblog.com/posts/webfmvulns/ exploit, technical-description
    Impacted products
    Vendor Product Version
    DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter Affected: 30
    Affected: 50
    Affected: 100
    Affected: 300
    Affected: 500
    Affected: 1000
    Affected: 2000
    Affected: 3000
    Affected: 3500
    Affected: 6000
    Affected: 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66260",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T15:05:57.716234Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T15:06:21.454Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003ePostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform SQL injection via sw1 and sw2 parameters in status_sql.php.\u003cbr\u003eThe `status_sql.php` endpoint constructs SQL UPDATE queries by directly concatenating user-controlled `sw1` and `sw2` parameters without using parameterized queries or `pg_escape_string()`. While PostgreSQL\u0027s `pg_exec` limitations prevent stacked queries, attackers can inject subqueries for data exfiltration and leverage verbose error messages for reconnaissance.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform SQL injection via sw1 and sw2 parameters in status_sql.php.\nThe `status_sql.php` endpoint constructs SQL UPDATE queries by directly concatenating user-controlled `sw1` and `sw2` parameters without using parameterized queries or `pg_escape_string()`. While PostgreSQL\u0027s `pg_exec` limitations prevent stacked queries, attackers can inject subqueries for data exfiltration and leverage verbose error messages for reconnaissance."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:L/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 PostgreSQL SQL Injection (status_sql.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:48:34.554Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "PostgreSQL SQL Injection (status_sql.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66260",
        "datePublished": "2025-11-26T00:48:34.554Z",
        "dateReserved": "2025-11-26T00:21:58.504Z",
        "dateUpdated": "2025-11-26T15:06:21.454Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
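
The query-construction pattern the record above describes, as an added example that is not code from the Mozart firmware or the advisory: the concatenated `UPDATE` is reproduced against an in-memory SQLite database standing in for the device's PostgreSQL (table names, columns and the secret are constructed for the demo; `||` concatenates strings in both engines, so the same payload shape applies). One caveat on the record's wording: PHP's `pg_query()` (`pg_exec` is its alias) does run several `;`-separated statements in one call, whereas `pg_query_params()` does not, so whether stacked queries are really blocked depends on which call the endpoint uses.

```python
# Added example, not code from the Mozart firmware: the status_sql.php query
# construction reproduced against an in-memory SQLite database, standing in
# for the device's PostgreSQL (tables, columns and the secret are constructed
# for the demo; '||' concatenates strings in both engines).
import sqlite3

# The technique the record describes: no stacked statement, just a subquery
# spliced into the UPDATE so its result lands in a column the status page
# later reads back.
PAYLOAD = "'||(SELECT password FROM users WHERE name='admin')||'"


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE status(id INTEGER PRIMARY KEY, sw1 TEXT, sw2 TEXT);
        INSERT INTO status VALUES (1, '0', '0');
        CREATE TABLE users(name TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'S3cret!');  -- constructed secret
    """)
    return db


def update_status_vulnerable(db: sqlite3.Connection, sw1: str, sw2: str) -> str:
    """String concatenation in the shape the record describes; returns the
    SQL actually sent so the splice is visible."""
    sql = f"UPDATE status SET sw1='{sw1}', sw2='{sw2}' WHERE id=1"
    db.execute(sql)
    db.commit()
    return sql


def update_status_safe(db: sqlite3.Connection, sw1: str, sw2: str) -> None:
    """Parameterised form: values travel separately from the statement text
    (PHP equivalent: pg_query_params() with $1/$2 placeholders)."""
    db.execute("UPDATE status SET sw1=?, sw2=? WHERE id=1", (sw1, sw2))
    db.commit()


def read_status(db: sqlite3.Connection) -> tuple:
    """What the status page would render back to the browser."""
    return db.execute("SELECT sw1, sw2 FROM status WHERE id=1").fetchone()


def stacked_query_rejected(db: sqlite3.Connection) -> bool:
    """sqlite3.execute() refuses a second statement, as pg_query_params()
    does; PHP's pg_query()/pg_exec() would run both, so 'no stacked queries'
    has to be verified per call site rather than assumed."""
    try:
        db.execute("UPDATE status SET sw1='x' WHERE id=1; DROP TABLE users")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


def demo() -> tuple:
    """Returns (what the vulnerable path leaks, what the safe path stores)."""
    vuln_db = make_db()
    update_status_vulnerable(vuln_db, PAYLOAD, "1")
    leaked = read_status(vuln_db)[0]      # the admin password, now in sw1

    safe_db = make_db()
    update_status_safe(safe_db, PAYLOAD, "1")
    inert = read_status(safe_db)[0]       # the payload, stored as plain text
    return leaked, inert


if __name__ == "__main__":
    print(demo())
```

The point of reading the value back is that an `UPDATE` needs no error-based or blind channel when the written column is displayed by another page: the subquery result is simply exfiltrated through the normal UI.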

    CVE-2025-66259 (GCVE-0-2025-66259)

    Vulnerability from cvelistv5 – Published: 2025-11-26 00:46 – Updated: 2025-11-26 15:46
    VLAI
    Title
    Authenticated Root Remote Code Execution through improper filtering of HTTP post request parameters
    Summary
    Authenticated Root Remote Code Execution via improper user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000: in main_ok.php, user-supplied date/hour/time values are passed directly into the `date` shell command, allowing an authenticated attacker to execute arbitrary commands as root.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    URL Tags
    https://www.abdulmhsblog.com/posts/webfmvulns/ exploit, technical-description
    Impacted products
    Vendor Product Version
    DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter Affected: 30
    Affected: 50
    Affected: 100
    Affected: 300
    Affected: 500
    Affected: 1000
    Affected: 2000
    Affected: 3000
    Affected: 3500
    Affected: 6000
    Affected: 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66259",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T15:46:50.719048Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T15:46:56.051Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAuthenticated Root Remote Code Execution via improrer user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform in main_ok.php user supplied data/hour/time is passed directly into date shell command\u003c/p\u003e"
                }
              ],
              "value": "Authenticated Root Remote Code Execution via improrer user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform in main_ok.php user supplied data/hour/time is passed directly into date shell command"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T01:02:19.064Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Authenticated Root Remote Code Execution through improper filtering of HTTP post request parameters",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66259",
        "datePublished": "2025-11-26T00:46:51.931Z",
        "dateReserved": "2025-11-26T00:21:33.791Z",
        "dateUpdated": "2025-11-26T15:46:56.051Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
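
Both command-injection records above share one root cause: a request value reaches a shell command line as text. The following is an added example, not code from the Mozart firmware or the advisory, showing the hardening pattern for the two endpoints (`restore_settings.php`, CVE-2025-66261, and `main_ok.php`, CVE-2025-66259): decode exactly as the application does, allowlist the decoded value, and hand the command an argv list rather than a string. It also shows why the `urldecode()` call matters: PHP has already decoded the query string into `$_GET`, so the endpoint decodes twice and `%253B` becomes `;` only after the second pass, past any filter that looks at the raw request. The command shapes (`tar xzf /var/tdf/<name>.tgz`, `date -s`) are assumptions made only to give the builders a concrete target.

```python
# Added example: hardening pattern for the two shell-invoking endpoints
# described in the records above (restore_settings.php and main_ok.php).
# Not code from the Mozart firmware or the advisory. The command shapes
# (tar xzf /var/tdf/<name>.tgz, date -s) are assumptions.
import re
from datetime import datetime
from urllib.parse import unquote


def decode_like_app(raw_query_value: str) -> str:
    """PHP has already URL-decoded the query string into $_GET; calling
    urldecode() on that value again means the endpoint decodes twice.
    A filter that inspects the raw request for ';' never sees '%253B',
    which only turns into ';' after the second decode."""
    return unquote(unquote(raw_query_value))


SHELL_META = re.compile(r"[;|&`$(){}<>\n\r'\"\\ ]")


def contains_shell_metachar(value: str) -> bool:
    """True when the fully decoded value carries characters a POSIX shell
    would interpret, i.e. when exec('... ' . $value) changes meaning."""
    return SHELL_META.search(value) is not None


NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def is_valid_settings_name(name: str) -> bool:
    """Allowlist applied after all decoding: one path component, no
    separators, no metacharacters, no '..' sequence."""
    return NAME_RE.fullmatch(name) is not None and ".." not in name


def build_restore_argv(raw_query_value: str) -> list:
    """argv for the restore step; a list, so no shell ever parses it."""
    name = decode_like_app(raw_query_value)
    if not is_valid_settings_name(name):
        raise ValueError(f"rejected settings name: {name!r}")
    return ["tar", "xzf", f"/var/tdf/{name}.tgz"]  # path is an assumption


DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")
TWO_DIGITS = re.compile(r"[0-9]{2}")


def is_valid_clock(date: str, hour: str, minute: str) -> bool:
    """Shape check first (so '2025-11-26;id' is rejected before anything
    is parsed), then a calendar check that rejects values like 2025-02-30."""
    if not (DATE_RE.fullmatch(date) and TWO_DIGITS.fullmatch(hour)
            and TWO_DIGITS.fullmatch(minute)):
        return False
    try:
        datetime.strptime(f"{date} {hour}:{minute}", "%Y-%m-%d %H:%M")
    except ValueError:
        return False
    return True


def build_date_argv(date: str, hour: str, minute: str) -> list:
    """argv for setting the clock from validated, re-serialised fields;
    the user's own strings never reach the command line."""
    if not is_valid_clock(date, hour, minute):
        raise ValueError("rejected clock fields")
    stamp = datetime.strptime(f"{date} {hour}:{minute}", "%Y-%m-%d %H:%M")
    return ["date", "-s", stamp.strftime("%Y-%m-%d %H:%M:00")]


if __name__ == "__main__":
    print(decode_like_app("backup%253Bid"))            # backup;id
    print(build_restore_argv("backup-2025"))
    print(build_date_argv("2025-11-26", "10", "30"))
    # subprocess.run(build_restore_argv(...), check=True)  # never shell=True
```

Running the argv through `subprocess.run()` without `shell=True` (or, in PHP, `escapeshellarg()` on every token and an allowlist before it) is what removes the shell from the path; the allowlist alone is not enough if the value is later concatenated into a string for `exec()`.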

    CVE-2025-66258 (GCVE-0-2025-66258)

    Vulnerability from cvelistv5 – Published: 2025-11-26 00:45 – Updated: 2025-11-26 15:47
    VLAI
    Title
    Stored Cross-Site Scripting via XML Injection
    Summary
    Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `<img src=x onerror=alert()>.bin`). The XSS executes when ajax.js processes and renders the XML file.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Stored Cross-Site Scripting via XML Injection
    Assigner
    References
    URL Tags
    https://www.abdulmhsblog.com/posts/webfmvulns/ exploit, technical-description
    Impacted products
    Vendor Product Version
    DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter Affected: 30
    Affected: 50
    Affected: 100
    Affected: 300
    Affected: 500
    Affected: 1000
    Affected: 2000
    Affected: 3000
    Affected: 3500
    Affected: 6000
    Affected: 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66258",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T15:47:42.629161Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T15:47:46.259Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eStored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml.\u003cbr\u003eUser-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `\u0026lt;img src=x onerror=alert()\u0026gt;.bin`). The XSS executes when ajax.js processes and renders the XML file.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml.\nUser-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `\u003cimg src=x onerror=alert()\u003e.bin`). The XSS executes when ajax.js processes and renders the XML file."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Stored Cross-Site Scripting via XML Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:45:39.995Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Stored Cross-Site Scripting via XML Injection",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66258",
        "datePublished": "2025-11-26T00:45:39.995Z",
        "dateReserved": "2025-11-26T00:21:33.791Z",
        "dateUpdated": "2025-11-26T15:47:46.259Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
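
The `patchlist.xml` construction the record above describes, as an added example that is not code from the Mozart firmware or the advisory: the concatenating writer beside a tree-based writer that encodes text nodes, plus the upload-time filename allowlist that makes the encoding question moot. The element names `<patchlist>`/`<patch>` and the `.bin` naming rule are assumptions; the payload is the one quoted in the record.

```python
# Added example, not code from the Mozart firmware: how patchlist.xml is
# produced. Naive concatenation of a filename vs. building the document
# with xml.etree, which escapes text nodes, plus an upload-time filename
# allowlist. The element names <patchlist>/<patch> and the .bin rule are
# assumptions; the payload is the one quoted in the record.
import re
import xml.etree.ElementTree as ET

XSS_NAME = "<img src=x onerror=alert()>.bin"


def naive_patchlist(filenames) -> str:
    """What concatenation without encoding emits: the filename becomes
    markup, and the file is no longer even well-formed XML."""
    body = "".join(f"<patch>{name}</patch>" for name in filenames)
    return f"<patchlist>{body}</patchlist>"


def safe_patchlist(filenames) -> str:
    """Same document built as a tree: ElementTree serialises '<', '>' and
    '&' in text as entities, so a filename can only ever be a text node."""
    root = ET.Element("patchlist")
    for name in filenames:
        ET.SubElement(root, "patch").text = name
    return ET.tostring(root, encoding="unicode")


def parses_cleanly(xml_text: str) -> bool:
    """True when a strict XML parser accepts the document."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return True


def patch_names(xml_text: str) -> list:
    """What a client that reads the XML as XML sees: text, not markup."""
    return [p.text for p in ET.fromstring(xml_text).iter("patch")]


PATCH_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.bin")


def is_acceptable_patch_name(name: str) -> bool:
    """Upload-time allowlist: rejecting the name is cheaper than encoding
    it correctly in every consumer (the XML writer and ajax.js alike)."""
    return PATCH_NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    print(naive_patchlist([XSS_NAME]))
    print(safe_patchlist([XSS_NAME, "fw-1.bin"]))
```

Encoding on the server fixes only half of the sink named in the record: if `ajax.js` takes the patch name out of the XML and inserts it with `innerHTML`, the decoded text `<img ...>` is parsed as HTML again on the client, so the renderer must use `textContent` (or equivalent) as well.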

    CVE-2025-66257 (GCVE-0-2025-66257)

    Vulnerability from cvelistv5 – Published: 2025-11-26 00:43 – Updated: 2025-11-26 15:49
    VLAI
    Title
    Unauthenticated Arbitrary File Deletion (patch_contents.php)
    Summary
    Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to delete files via the deletepatch parameter. The `deletepatch` parameter in `patch_contents.php` is used to delete files in the `/var/www/patch/` directory without sanitization or access control checks.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - Unauthenticated Arbitrary File Deletion (patch_contents.php)
    Assigner
    References
    URL Tags
    https://www.abdulmhsblog.com/posts/webfmvulns/ exploit, technical-description
    Impacted products
    Vendor Product Version
    DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter Affected: 30
    Affected: 50
    Affected: 100
    Affected: 300
    Affected: 500
    Affected: 1000
    Affected: 2000
    Affected: 3000
    Affected: 3500
    Affected: 6000
    Affected: 7000
    Credits
    Abdul Mhanni

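The two missing checks the record names, sanitization and access control, as an added example that is not code from the Mozart firmware or the advisory: the `deletepatch` value is resolved and then tested for containment in `/var/www/patch/`, and nothing is unlinked without a session. The containment test works on normalised paths only, so it runs without touching the filesystem; `session_ok` is a placeholder for whatever login check the real handler lacks.

```python
# Added example, not code from the Mozart firmware: confining a
# user-supplied `deletepatch` value to /var/www/patch/ and requiring a
# session before anything is unlinked. Works on normalised paths only, so
# it runs without touching the filesystem; `session_ok` stands in for the
# login check the endpoint lacks (an assumption).
import os
from typing import Optional

PATCH_DIR = "/var/www/patch"
PATCH_DIR_REAL = os.path.realpath(PATCH_DIR)


def delete_target_relative(deletepatch: str) -> Optional[str]:
    """Return the name, relative to PATCH_DIR, that may be deleted, or None
    when the request is empty, absolute, NUL-bearing, or resolves outside
    the directory (e.g. '../../etc/passwd'). Resolving and then checking
    containment rejects traversal explicitly instead of silently rewriting
    it the way basename() would."""
    if not deletepatch or "\x00" in deletepatch or os.path.isabs(deletepatch):
        return None
    candidate = os.path.realpath(os.path.join(PATCH_DIR_REAL, deletepatch))
    if candidate == PATCH_DIR_REAL:      # '.' or 'sub/..' name the dir itself
        return None
    if os.path.commonpath([PATCH_DIR_REAL, candidate]) != PATCH_DIR_REAL:
        return None
    return os.path.relpath(candidate, PATCH_DIR_REAL)


def handle_delete(deletepatch: str, session_ok: bool) -> tuple:
    """Outcome the endpoint should produce as (status, absolute path or
    None); the caller performs the unlink only on status 'delete'."""
    if not session_ok:
        return ("unauthorized", None)
    rel = delete_target_relative(deletepatch)
    if rel is None:
        return ("rejected", None)
    return ("delete", os.path.join(PATCH_DIR_REAL, rel))


if __name__ == "__main__":
    for req in ["fw1.bin", "sub/../fw2.bin", "../../etc/passwd", "/etc/passwd", "."]:
        print(repr(req), "->", handle_delete(req, session_ok=True))
    print(handle_delete("fw1.bin", session_ok=False))
```

The order matters: authorisation first, then path confinement, then the unlink. A check that only applies `basename()` would still let any visitor delete any patch in the directory, which is the impact the record describes.
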
    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66257",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T15:49:21.172117Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T15:49:25.857Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletepatch parameter allows unauthenticated deletion of arbitrary files.\u003cbr\u003eThe `deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/patch/` directory without sanitization or access control checks.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletepatch parameter allows unauthenticated deletion of arbitrary files.\nThe `deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/patch/` directory without sanitization or access control checks."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73 Unauthenticated Arbitrary File Deletion (patch_contents.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:43:54.408Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated Arbitrary File Deletion (patch_contents.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66257",
        "datePublished": "2025-11-26T00:43:54.408Z",
        "dateReserved": "2025-11-26T00:21:33.791Z",
        "dateUpdated": "2025-11-26T15:49:25.857Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66256 (GCVE-0-2025-66256)

    Vulnerability from cvelistv5 – Published: 2025-11-26 00:41 – Updated: 2025-12-03 16:13
    Title
    Unauthenticated Arbitrary File Upload (patch_contents.php)
    Summary
    Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000: unrestricted file upload in patch_contents.php allows an attacker to upload malicious files. The `/var/tdf/patch_contents.php` endpoint accepts file uploads from unauthenticated clients with no file type validation, no MIME checking and no size limit other than 16 MB, so an attacker can place arbitrary files on the device.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 (Unrestricted Upload of File with Dangerous Type) - Unauthenticated Arbitrary File Upload (patch_contents.php)
    Assigner
    Gridware
    References
    URL Tags
    https://www.abdulmhsblog.com/posts/webfmvulns/ exploit, technical-description
    Impacted products
    Vendor Product Version
    DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter Affected: 30
    Affected: 50
    Affected: 100
    Affected: 300
    Affected: 500
    Affected: 1000
    Affected: 2000
    Affected: 3000
    Affected: 3500
    Affected: 6000
    Affected: 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66256",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-03T16:13:46.751741Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-03T16:13:49.513Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Unrestricted file upload in patch_contents.php allows uploading malicious files.\u003c/p\u003eThe `/var/tdf/patch_contents.php` endpoint allows unauthenticated arbitrary file uploads without file type validation, MIME checking, or size restrictions beyond 16MB, enabling attackers to upload malicious files.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Unrestricted file upload in patch_contents.php allows uploading malicious files.\n\nThe `/var/tdf/patch_contents.php` endpoint allows unauthenticated arbitrary file uploads without file type validation, MIME checking, or size restrictions beyond 16MB, enabling attackers to upload malicious files."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unauthenticated Arbitrary File Upload (patch_contents.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:41:08.666Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated Arbitrary File Upload (patch_contents.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66256",
        "datePublished": "2025-11-26T00:41:08.666Z",
        "dateReserved": "2025-11-26T00:21:33.791Z",
        "dateUpdated": "2025-12-03T16:13:49.513Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66255 (GCVE-0-2025-66255)

    Vulnerability from cvelistv5 – Published: 2025-11-26 00:39 – Updated: 2025-12-03 16:00
    Title
    Unauthenticated Arbitrary File Upload (upgrade_contents.php)
    Summary
    Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000: missing signature validation allows an attacker to upload malicious firmware packages. The firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers or cryptographic signatures and without enforcing the .tgz package format, allowing malicious firmware injection. The same endpoint also provides a route to arbitrary file upload and subsequent remote code execution.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 (Insufficient Verification of Data Authenticity) - Unauthenticated Arbitrary File Upload (upgrade_contents.php)
    Assigner
    Gridware
    References
    URL Tags
    https://www.abdulmhsblog.com/posts/webfmvulns/ exploit, technical-description
    Impacted products
    Vendor Product Version
    DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter Affected: 30
    Affected: 50
    Affected: 100
    Affected: 300
    Affected: 500
    Affected: 1000
    Affected: 2000
    Affected: 3000
    Affected: 3500
    Affected: 6000
    Affected: 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66255",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-03T15:59:55.831677Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-03T16:00:07.473Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation allows uploading malicious firmware packages.\u0026nbsp;\u003cbr\u003eThe firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers, cryptographic signatures, or enforcing .tgz format requirements, allowing malicious firmware injection. This endpoint also subsequently provides ways for arbitrary file uploads and subsequent remote code execution\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation allows uploading malicious firmware packages.\u00a0\nThe firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers, cryptographic signatures, or enforcing .tgz format requirements, allowing malicious firmware injection. This endpoint also subsequently provides ways for arbitrary file uploads and subsequent remote code execution"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345 Unauthenticated Arbitrary File Upload (upgrade_contents.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:39:56.984Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated Arbitrary File Upload (upgrade_contents.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66255",
        "datePublished": "2025-11-26T00:39:56.984Z",
        "dateReserved": "2025-11-26T00:21:33.791Z",
        "dateUpdated": "2025-12-03T16:00:07.473Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
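The two upload records above (CVE-2025-66256 and CVE-2025-66255) list the checks the device does not perform: file type and MIME validation, a meaningful size limit, a header check, the .tgz format and a cryptographic signature. The following is an added example of an upload handler that performs all of them; it is not code from the Mozart FM Transmitter or its vendor, and it is written in Python rather than the device's PHP so it runs stand-alone. The signature scheme is HMAC-SHA256 with a key assumed to be provisioned on the device (an assumption made for the demo); a real firmware pipeline would use an asymmetric signature so the device only holds a public key. The package contents are constructed in memory.

```python
"""Validating a firmware/patch upload before it is accepted.

Added example, not code from the Mozart FM Transmitter or its vendor.
Checks applied, in order: a .tgz file name with no path or NUL characters,
a hard size cap, the gzip magic header, a signature verified over the whole
package, and archive members that cannot escape the extraction directory.
The HMAC key below is a hypothetical device-provisioned secret (assumption
for the demo); production firmware signing would be asymmetric.
"""
import hashlib
import hmac
import io
import re
import tarfile

MAX_UPLOAD_BYTES = 16 * 1024 * 1024   # the only limit the advisory says exists
GZIP_MAGIC = b"\x1f\x8b"
PACKAGE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.tgz")

# Hypothetical verification key, assumed to be provisioned at manufacture.
PACKAGE_KEY = b"example-device-provisioning-key"


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails a check."""


def sign_package(data: bytes, key: bytes = PACKAGE_KEY) -> bytes:
    """Detached signature a legitimate build pipeline would ship with the package."""
    return hmac.new(key, data, hashlib.sha256).digest()


def validate_upload(filename: str, data: bytes, signature: bytes,
                    key: bytes = PACKAGE_KEY) -> str:
    """Return the name to store the package under, or raise UploadRejected.

    Cheap structural checks run first, the signature is checked over the
    complete bytes, and the archive is parsed only after it is trusted.
    """
    if "\x00" in filename or not PACKAGE_NAME.fullmatch(filename):
        raise UploadRejected("bad filename")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("too large")
    if not data.startswith(GZIP_MAGIC):
        raise UploadRejected("not a gzip stream")
    if not hmac.compare_digest(sign_package(data, key), signature):
        raise UploadRejected("bad signature")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.name.startswith("/") or ".." in parts:
                raise UploadRejected("archive member escapes target directory")
    return filename


def rejection_reason(filename, data, signature, key=PACKAGE_KEY):
    """The reason an upload is rejected, or None when it would be accepted."""
    try:
        validate_upload(filename, data, signature, key)
    except UploadRejected as exc:
        return str(exc)
    return None


def build_package(files: dict) -> bytes:
    """Constructed sample input: a small .tgz built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    good = build_package({"firmware/version.txt": b"1.0\n"})
    print("accepted:", validate_upload("update.tgz", good, sign_package(good)))
    samples = [
        ("../shell.php", good, sign_package(good)),                 # path in name
        ("update.tgz", b"<?php system($_GET['c']); ?>", b"x"),      # not a package
        ("update.tgz", good, sign_package(good, b"attacker-key")),  # not vendor-signed
    ]
    for name, blob, sig in samples:
        print(f"{name!r}: {rejection_reason(name, blob, sig)}")
```

The order of checks is deliberate: the signature is verified over the raw bytes before any parser touches them, so a malformed archive can only come from someone holding the signing key, and the member-name check runs before extraction rather than relying on the extractor to refuse `../` paths.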

    CVE-2025-66254 (GCVE-0-2025-66254)

    Vulnerability from cvelistv5 – Published: 2025-11-26 00:37 – Updated: 2025-12-03 15:55
    Title
    Unauthenticated Arbitrary File Deletion (upgrade_contents.php)
    Summary
    Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000: the `deleteupgrade` parameter allows unauthenticated deletion of arbitrary files. The `deleteupgrade` parameter of `/var/www/upgrade_contents.php` is used to delete files in `/var/www/upload/` without authentication, extension restriction or path sanitization, enabling an attacker to remove critical system files.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 (External Control of File Name or Path) - Unauthenticated Arbitrary File Deletion (upgrade_contents.php)
    Assigner
    Gridware
    References
    URL Tags
    https://www.abdulmhsblog.com/posts/webfmvulns/ exploit, technical-description
    Impacted products
    Vendor Product Version
    DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter Affected: 30
    Affected: 50
    Affected: 100
    Affected: 300
    Affected: 500
    Affected: 1000
    Affected: 2000
    Affected: 3000
    Affected: 3500
    Affected: 6000
    Affected: 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66254",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-03T15:55:44.883364Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-03T15:55:50.204Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deleteupgrade parameter allows unauthenticated deletion of arbitrary files.\u0026nbsp;\u003c/p\u003eThe `deleteupgrade` parameter in `/var/www/upgrade_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/upload/` without any extension restriction or path sanitization, enabling attackers to remove critical system files.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deleteupgrade parameter allows unauthenticated deletion of arbitrary files.\u00a0\n\nThe `deleteupgrade` parameter in `/var/www/upgrade_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/upload/` without any extension restriction or path sanitization, enabling attackers to remove critical system files."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73 Unauthenticated Arbitrary File Deletion (upgrade_contents.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:37:48.788Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated Arbitrary File Deletion (upgrade_contents.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66254",
        "datePublished": "2025-11-26T00:37:48.788Z",
        "dateReserved": "2025-11-26T00:21:33.791Z",
        "dateUpdated": "2025-12-03T15:55:50.204Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66253 (GCVE-0-2025-66253)

    Vulnerability from cvelistv5 – Published: 2025-11-26 00:36 – Updated: 2025-12-03 15:55
    Title
    Unauthenticated OS Command Injection (start_upgrade.php)
    Summary
    Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to achieve remote code execution via start_upgrade.php, because user input is passed directly to exec(). The `/var/tdf/start_upgrade.php` endpoint passes user-controlled `$_GET["filename"]` directly into `exec()` without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) to achieve remote code execution as the web server user (likely root).
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Unauthenticated OS Command Injection (start_upgrade.php)
    Assigner
    References
    URL Tags
    https://www.abdulmhsblog.com/posts/webfmvulns/ exploit, technical-description
    Impacted products
    Vendor Product Version
    DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter Affected: 30
    Affected: 50
    Affected: 100
    Affected: 300
    Affected: 500
    Affected: 1000
    Affected: 2000
    Affected: 3000
    Affected: 3500
    Affected: 6000
    Affected: 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66253",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-03T15:54:55.751527Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-03T15:55:18.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform User input passed directly to exec() allows remote code execution via start_upgrade.php.\u0026nbsp;The `/var/tdf/start_upgrade.php` endpoint passes user-controlled `$_GET[\"filename\"]` directly into `exec()` without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) to achieve remote code execution as the web server user (likely root).\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform User input passed directly to exec() allows remote code execution via start_upgrade.php.\u00a0The `/var/tdf/start_upgrade.php` endpoint passes user-controlled `$_GET[\"filename\"]` directly into `exec()` without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) to achieve remote code execution as the web server user (likely root)."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Unauthenticated OS Command Injection (start_upgrade.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:36:29.474Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated OS Command Injection (start_upgrade.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66253",
        "datePublished": "2025-11-26T00:36:29.474Z",
        "dateReserved": "2025-11-26T00:21:33.790Z",
        "dateUpdated": "2025-12-03T15:55:18.897Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66252 (GCVE-0-2025-66252)

    Vulnerability from cvelistv5 – Published: 2025-11-26 00:34 – Updated: 2025-12-01 21:11
    Title
    Infinite Loop Denial of Service via Failed File Deletion
    Summary
    Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to cause a denial of service through an infinite loop when unlink() fails in status_contents.php. Because the unlink operation runs inside a while loop, specifying an immutable file, or any other file the process lacks permission to delete, makes the script retry the deletion indefinitely.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-835 - Infinite Loop Denial of Service via Failed File Deletion
    Assigner
    References
    URL Tags
    https://www.abdulmhsblog.com/posts/webfmvulns/ exploit, technical-description
    Impacted products
    Vendor Product Version
    DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter Affected: 30
    Affected: 50
    Affected: 100
    Affected: 300
    Affected: 500
    Affected: 1000
    Affected: 2000
    Affected: 3000
    Affected: 3500
    Affected: 6000
    Affected: 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66252",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-01T21:11:24.334944Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-01T21:11:46.724Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eInfinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Infinite loop when unlink() fails in status_contents.php causing DoS. Due to the fact that the unlink operation is done in a while loop; if an immutable file is specified or otherwise a file in which the process has no permissions to delete; it would repeatedly attempt to do in a loop.\u003c/p\u003e"
                }
              ],
              "value": "Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Infinite loop when unlink() fails in status_contents.php causing DoS. Due to the fact that the unlink operation is done in a while loop; if an immutable file is specified or otherwise a file in which the process has no permissions to delete; it would repeatedly attempt to do in a loop."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-835",
                  "description": "CWE-835 Infinite Loop Denial of Service via Failed File Deletion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:34:11.994Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Infinite Loop Denial of Service via Failed File Deletion",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66252",
        "datePublished": "2025-11-26T00:34:11.994Z",
        "dateReserved": "2025-11-26T00:21:33.790Z",
        "dateUpdated": "2025-12-01T21:11:46.724Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66251 (GCVE-0-2025-66251)

    Vulnerability from cvelistv5 – Published: 2025-11-26 00:32 – Updated: 2025-11-26 15:03
    Title
    Unauthenticated Path Traversal with Arbitrary File Deletion
    Summary
    Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to delete arbitrary .tgz files via path traversal in the deletehidden parameter.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Unauthenticated Path Traversal with Arbitrary File Deletion
    Assigner
    References
    URL Tags
    https://www.abdulmhsblog.com/posts/webfmvulns/ exploit, technical-description
    Impacted products
    Vendor Product Version
    DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter Affected: 30
    Affected: 50
    Affected: 100
    Affected: 300
    Affected: 500
    Affected: 1000
    Affected: 2000
    Affected: 3000
    Affected: 3500
    Affected: 6000
    Affected: 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66251",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T14:58:14.439926Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T15:03:03.656Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletehidden parameter allows path traversal deletion of arbitrary .tgz files.\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletehidden parameter allows path traversal deletion of arbitrary .tgz files."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Unauthenticated Path Traversal with Arbitrary File Deletion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:32:26.142Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated Path Traversal with Arbitrary File Deletion",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66251",
        "datePublished": "2025-11-26T00:32:26.142Z",
        "dateReserved": "2025-11-26T00:21:33.790Z",
        "dateUpdated": "2025-11-26T15:03:03.656Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66250 (GCVE-0-2025-66250)

    Vulnerability from cvelistv5 – Published: 2025-11-26 00:29 – Updated: 2025-11-26 14:56
    Title
    Unauthenticated Arbitrary File Upload (status_contents.php)
    Summary
    Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to upload arbitrary files without authentication via /var/tdf/status_contents.php.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unauthenticated Arbitrary File Upload (status_contents.php)
    Assigner
    References
    URL Tags
    https://www.abdulmhsblog.com/posts/webfmvulns/ exploit, technical-description
    Impacted products
    Vendor Product Version
    DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter Affected: 30
    Affected: 50
    Affected: 100
    Affected: 300
    Affected: 500
    Affected: 1000
    Affected: 2000
    Affected: 3000
    Affected: 3500
    Affected: 6000
    Affected: 7000
    Credits
    Abdul Mhanni

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66250",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-26T14:56:03.893328Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-26T14:56:59.781Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mozart FM Transmitter",
              "vendor": "DB Electronica Telecomunicazioni S.p.A.",
              "versions": [
                {
                  "status": "affected",
                  "version": "30"
                },
                {
                  "status": "affected",
                  "version": "50"
                },
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "300"
                },
                {
                  "status": "affected",
                  "version": "500"
                },
                {
                  "status": "affected",
                  "version": "1000"
                },
                {
                  "status": "affected",
                  "version": "2000"
                },
                {
                  "status": "affected",
                  "version": "3000"
                },
                {
                  "status": "affected",
                  "version": "3500"
                },
                {
                  "status": "affected",
                  "version": "6000"
                },
                {
                  "status": "affected",
                  "version": "7000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUnauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Allows unauthenticated arbitrary file upload via /var/tdf/status_contents.php.\u003c/p\u003e"
                }
              ],
              "value": "Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Allows unauthenticated arbitrary file upload via /var/tdf/status_contents.php."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unauthenticated Arbitrary File Upload (status_contents.php)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-26T00:29:57.431Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "technical-description"
              ],
              "url": "https://www.abdulmhsblog.com/posts/webfmvulns/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated Arbitrary File Upload (status_contents.php)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-66250",
        "datePublished": "2025-11-26T00:29:57.431Z",
        "dateReserved": "2025-11-26T00:21:33.790Z",
        "dateUpdated": "2025-11-26T14:56:59.781Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }