CVE-2025-41351

Vulnerability that allows a Padding Oracle Attack to be performed on the Funambol v30.0.0.20 cloud server. The thumbnail display URL allows an attacker to decrypt and encrypt the parameters used by the application to generate ‘self-signed’ access URLs.

CVSS

No CVSS.

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/weak-encryption-funambols-cloud-server

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Vulnerabilidad que permite realizar un ataque de Padding Oracle en el servidor en la nube Funambol v30.0.0.20. La URL de visualización de miniaturas permite a un atacante descifrar y cifrar los parámetros utilizados por la aplicación para generar URLs de acceso 'autofirmadas'.

28 Jan 2026, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-28 11:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-41351

Mitre link : CVE-2025-41351

CVE.ORG link : CVE-2025-41351

JSON object : View

Products Affected

No product.

CWE

CWE-649

Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking

{"id": "CVE-2025-41351", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-28T11:15:48.510", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/weak-encryption-funambols-cloud-server", "source": "cve-coordination@incibe.es"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-649"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability that allows a Padding Oracle Attack to be performed on the Funambol v30.0.0.20 cloud server. The thumbnail display URL allows an attacker to decrypt and encrypt the parameters used by the application to generate \u2018self-signed\u2019 access URLs."}, {"lang": "es", "value": "Vulnerabilidad que permite realizar un ataque de Padding Oracle en el servidor en la nube Funambol v30.0.0.20. La URL de visualizaci\u00f3n de miniaturas permite a un atacante descifrar y cifrar los par\u00e1metros utilizados por la aplicaci\u00f3n para generar URLs de acceso 'autofirmadas'."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cve-coordination@incibe.es"}