CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24344
https://notcve.org/view.php?id=CVE-2025-24344
30 Apr 2025 — A vulnerability in the error notification messages of the web application of ctrlX OS allows a remote unauthenticated attacker to inject arbitrary HTML tags and, possibly, execute arbitrary client-side code in the context of another user's browser via a crafted HTTP request. • https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html • CWE-81: Improper Neutralization of Script in an Error Message Web Page •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24343
https://notcve.org/view.php?id=CVE-2025-24343
30 Apr 2025 — A vulnerability in the “Manages app data” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary files in arbitrary file system paths via a crafted HTTP request. • https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html • CWE-23: Relative Path Traversal •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-24338
https://notcve.org/view.php?id=CVE-2025-24338
30 Apr 2025 — A vulnerability in the “Manages app data” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to execute arbitrary client-side code in the context of another user's browser via multiple crafted HTTP requests. • https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html • CWE-116: Improper Encoding or Escaping of Output •