A potential security
vulnerability has been identified in the Poly Clariti Manager for versions
prior to 10.12.2. The vulnerability could potentially allow a privileged
user to retrieve credentials from the log files. HP has addressed the issue in
the latest software update.

CVE-2025-43485 is a medium-severity vulnerability identified in HP Inc.'s Poly Clariti Manager software, affecting versions prior to 10.12.2. The vulnerability is categorized under CWE-532, which involves the insertion of sensitive information into log files. Specifically, this flaw allows a privileged user to access sensitive credentials that are improperly logged by the application. Since the vulnerability requires privileged access (high privileges) and does not require user interaction, it indicates that an attacker or insider with elevated permissions could extract credentials from log files, potentially escalating their access or moving laterally within the environment. The CVSS 4.0 base score of 5.7 reflects a medium risk, with attack vector being adjacent network (AV:A), low attack complexity (AC:L), and privileges required being high (PR:H). The vulnerability impacts confidentiality significantly (VC:H), but does not affect integrity or availability. The scope is limited (SC:L), and no user interaction is needed. HP has addressed this issue in the latest software update (version 10.12.2 and later), but no known exploits are currently reported in the wild. The vulnerability highlights poor security hygiene in logging practices, where sensitive credentials are recorded in logs accessible to privileged users, increasing the risk of credential compromise if logs are accessed or exfiltrated.

CVE Database V5

Detailed information about CVE-2025-43485: CWE-532 Insertion of Sensitive Information into Log File in HP Inc. Poly Clariti Manager affecting HP Inc. Poly Clari

CVE-2025-43485: CWE-532 Insertion of Sensitive Information into Log File in HP Inc. Poly Clariti Manager - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-43485: CWE-532 Insertion of Sensitive Information into Log File in HP Inc. Poly Clariti Manager

A potential reflected cross-site scripting vulnerability has been
identified in the Poly Clariti Manager for versions prior to 10.12.1. The
website does not validate or sanitize the user input before rendering it in the
response. HP has addressed the issue in the latest software update.

CVE-2025-43484 is a reflected Cross-site Scripting (XSS) vulnerability identified in HP Inc.'s Poly Clariti Manager software versions prior to 10.12.1. The vulnerability arises due to improper neutralization of user input during web page generation, specifically a failure to validate or sanitize input before rendering it in HTTP responses. This allows an attacker to craft malicious URLs or input that, when processed by the vulnerable web interface, causes the injection and execution of arbitrary JavaScript code in the context of the victim's browser session. The vulnerability is classified under CWE-79, which covers improper input neutralization leading to XSS attacks. According to the CVSS 4.0 vector, the attack requires adjacent network access (AV:A), has low attack complexity (AC:L), does not require privileges (PR:N), and does not require user interaction (UI:N). However, it requires partial attack complexity (AT:P) and has high impact on confidentiality (VC:H) but no impact on integrity or availability. The scope is limited (SC:L), and there is no impact on integrity or availability. HP has addressed this vulnerability in version 10.12.1 of Poly Clariti Manager. No known exploits are reported in the wild as of the publication date. The vulnerability allows attackers to potentially steal sensitive information such as session cookies, perform actions on behalf of authenticated users, or redirect users to malicious sites, depending on the context of the injected script. Given the nature of reflected XSS, exploitation typically requires tricking users into clicking malicious links or visiting crafted web pages.

Detailed information about CVE-2025-43484: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in HP Inc. Poly Cl

CVE-2025-43484: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in HP Inc. Poly Clariti Manager - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-43484: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in HP Inc. Poly Clariti Manager

A potential security vulnerability has been
identified in the Poly Clariti Manager for versions prior to 10.12.1. The
vulnerability could allow the retrieval of hardcoded cryptographic keys. HP has
addressed the issue in the latest software update.

CVE-2025-43483 is a security vulnerability identified in HP Inc.'s Poly Clariti Manager software, specifically in versions prior to 10.12.1. The vulnerability is classified under CWE-321, which pertains to the use of hard-coded cryptographic keys within software. In this case, the Poly Clariti Manager contains embedded cryptographic keys that are hard-coded into the application code or configuration, making them retrievable by an attacker with access to the system or software binaries. Hard-coded keys undermine the security of cryptographic operations because they cannot be changed easily and if discovered, allow attackers to decrypt sensitive data or impersonate legitimate components. The vulnerability has a CVSS 4.0 base score of 5.9, indicating a medium severity level. The vector details show that the attack requires local or adjacent network access (AV:A), low attack complexity (AC:L), privileges (PR:L), and partial authentication (AT:P), but no user interaction (UI:N). The impact is primarily on confidentiality (VC:H), with no impact on integrity or availability. The scope is limited (SC:L), and there are no known exploits in the wild at the time of publication. HP has addressed this issue in the latest software update (version 10.12.1 and later), recommending users upgrade to mitigate the risk. The vulnerability could allow an attacker with some level of access to extract the hard-coded cryptographic keys, potentially enabling decryption of sensitive communications or data managed by the Poly Clariti Manager, which is used for managing unified communications and collaboration devices and services.

Detailed information about CVE-2025-43483: CWE-321: Use of Hard-coded Cryptographic Key in HP Inc. Poly Clariti Manager affecting HP Inc. Poly Clariti Manager. 

CVE-2025-43483: CWE-321: Use of Hard-coded Cryptographic Key in HP Inc. Poly Clariti Manager - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-43483: CWE-321: Use of Hard-coded Cryptographic Key in HP Inc. Poly Clariti Manager

HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an iframe. This applies to both the CMS and generated sites. An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application. This is fixed in haxcms-nodejs version 11.0.13 and haxcms-php 11.0.8.

CVE-2025-54139 is a medium-severity vulnerability affecting haxtheweb's HAX CMS products, specifically haxcms-nodejs versions 11.0.12 and below and haxcms-php versions 11.0.7 and below. The vulnerability arises from the absence of HTTP headers that prevent the application’s pages from being embedded within iframes on other websites. This lack of frame-busting headers (such as X-Frame-Options or Content-Security-Policy frame-ancestors directives) allows an unauthenticated attacker to load sensitive pages, including the standalone login page, inside an iframe on a malicious site. This setup enables a UI redressing attack commonly known as clickjacking. In such attacks, users can be tricked via social engineering into interacting with the embedded iframe, potentially causing them to perform unintended actions within the HAX CMS environment without their knowledge. Since the vulnerability does not require authentication and can be exploited remotely, it poses a risk to user integrity by manipulating user interactions. The vulnerability has been addressed in haxcms-nodejs version 11.0.13 and haxcms-php version 11.0.8 by introducing appropriate headers to prevent iframe embedding. No known exploits are currently reported in the wild, but the vulnerability’s nature makes it a candidate for social engineering campaigns targeting CMS users.

Detailed information about CVE-2025-54139: CWE-1021: Improper Restriction of Rendered UI Layers or Frames in haxtheweb issues affecting haxtheweb issues. Get re

CVE-2025-54139: CWE-1021: Improper Restriction of Rendered UI Layers or Frames in haxtheweb issues - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-54139: CWE-1021: Improper Restriction of Rendered UI Layers or Frames in haxtheweb issues

A potential security vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The vulnerability could deserialize untrusted data without validation. HP has addressed the issue in the latest software update.

Detailed information about CVE-2025-43489: CWE-502 Deserialization of Untrusted Data in HP Inc. Poly Clariti Manager affecting HP Inc. Poly Clariti Manager. Get

CVE-2025-43489: CWE-502 Deserialization of Untrusted Data in HP Inc. Poly Clariti Manager

CVE-2025-43489: CWE-502 Deserialization of Untrusted Data in HP Inc. Poly Clariti Manager

Description

Technical Details

Related Threats

CVE-2025-43485: CWE-532 Insertion of Sensitive Information into Log File in HP Inc. Poly Clariti Manager

CVE-2025-43484: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in HP Inc. Poly Clariti Manager

CVE-2025-43483: CWE-321: Use of Hard-coded Cryptographic Key in HP Inc. Poly Clariti Manager

CVE-2025-54139: CWE-1021: Improper Restriction of Rendered UI Layers or Frames in haxtheweb issues

CVE-2025-43488: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in HP Inc. Poly Clariti Manager

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility