CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-25200

CVSS 9.8v3.1pub. 2026-02-02upd. 2026-03-10

A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover This issue affects MagicINFO 9 Server: less than 21.1090.1.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) consists of the lack of proper verification of uploaded file types. A logged-in user can upload an HTML file containing a malicious JavaScript script to the server, which is permanently saved on the server (Stored XSS). When another user — including an administrator — opens or is directed to the malicious content, the script executes in their browser in the context of the application.

Impact

An attacker can hijack the session or account of another system user, including an account with administrative privileges. This can lead to full compromise of the Samsung MagicINFO 9 Server instance.

Mitigation & patch

Samsung MagicINFO 9 Server should be updated to version 21.1090.1 or later. Detailed information is available in the manufacturer's security bulletin at: https://security.samsungtv.com/securityUpdates

Who is affected

Samsung MagicINFO 9 Server in versions earlier than 21.1090.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Samsung Magicinfo 9 Server

    APP
    Samsung
    < 21.1090.1
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2025-4632CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Path Traversal w Samsung MagicINFO 9 Server — zapis plików jako SYSTEM

CVE-2026-25202CRITICAL9.8PL ✓ten sam produkt

Zakodowane na stałe dane logowania do bazy danych w Samsung MagicINFO 9 Server

CVE-2025-54438CRITICAL9.8PL ✓ten sam produkt

Path Traversal w Samsung MagicINFO 9 Server umożliwia wgranie web shell

CVE-2025-54440CRITICAL9.8PL ✓ten sam produkt

Samsung MagicINFO 9 Server — nieograniczony upload pliku umożliwia Code Injection

CVE-2025-54442CRITICAL9.8PL ✓ten sam produkt

Samsung MagicINFO 9 Server — nieograniczony upload pliku umożliwia Code Injection