CVE-2026-25200
Unknown
Unknown - Not Provided
Stored XSS in MagicINFO 9 Server Enables Account Takeover
Publication date: 2026-02-02
Last updated on: 2026-03-10
Assigner: Samsung TV & Appliance
Description
Description
A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover
This issue affects MagicINFO 9 Server: less than 21.1090.1.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| samsung | magicinfo_9_server | to 21.1090.1 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without proper authentication, which leads to Stored Cross-Site Scripting (XSS). This means malicious scripts can be stored on the server and executed in users' browsers, potentially compromising accounts.
How can this vulnerability impact me? :
The vulnerability can lead to account takeover by attackers exploiting the Stored XSS flaw. This can result in unauthorized access to user accounts, data theft, and potentially full control over affected systems.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70