Security Vulnerabilities - CVEs Published In May 2025
Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password.
CVSS Score: 10.0
EPSS Score: 0.001
Published: 2025-05-29
Exposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager allows an authenticated user to gain unauthorized access to private personal information. Under specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users. This issue affects the following versions:
* Remote Desktop Manager Windows 2025.1.34.0 and earlier
* Remote Desktop Manager macOS 2025.1.16.3 and earlier
* Remote Desktop Manager Android 2025.1.3.3 and earlier
* Remote Desktop Manager iOS 2025.1.6.0 and earlier
CVSS Score: 7.5
EPSS Score: 0.001
Published: 2025-05-29
yasm commit 9defefae was discovered to contain a NULL pointer dereference via the yasm_section_bcs_append function at section.c.
CVSS Score: 4.8
EPSS Score: 0.0
Published: 2025-05-29
tcpreplay v4.4.4 was discovered to contain an infinite loop via the tcprewrite function at get.c.
CVSS Score: 7.5
EPSS Score: 0.001
Published: 2025-05-29
HuoCMS V3.5.1 and before is vulnerable to file upload, which allows attackers to take control of the target server.
CVSS Score: 5.3
EPSS Score: 0.001
Published: 2025-05-29
HuoCMS V3.5.1 has a File Upload Vulnerability. An attacker can exploit this flaw to bypass whitelist restrictions and craft malicious files with specific suffixes, thereby gaining control of the server.
CVSS Score: 5.3
EPSS Score: 0.001
Published: 2025-05-29
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, the application performs insufficient validation of user-supplied data, which is used as arguments to string formatting functions. As a result, an attacker can pass a string containing special symbols (\r, \n, \t) to the application. This issue has been patched in version 1.8.178.
CVSS Score: 6.5
EPSS Score: 0.0
Published: 2025-05-29
Strapi is an open-source content management system. Prior to version 4.25.2, inputting a local domain into the Webhooks URL field leads to the application fetching itself, resulting in a server side request forgery (SSRF). This issue has been patched in version 4.25.2.
CVSS Score: 4.9
EPSS Score: 0.001
Published: 2025-05-29
CVE-2025-27702 is a vulnerability in the management console of Absolute Secure Access prior to version 13.54. Attackers with administrative access to the console and who have been assigned a certain set of permissions can bypass those permissions to improperly modify settings. The attack complexity is low, there are no preexisting attack requirements; the privileges required are high, and there is no user interaction required. There is no impact to system confidentiality or availability, impact to system integrity is high.
CVSS Score: 4.9
EPSS Score: 0.0
Published: 2025-05-28
CVE-2025-27703 is a privilege escalation vulnerability in the management console of Absolute Secure Access prior to version 13.54. Attackers with administrative access to a specific subset of privileged features in the console can elevate their permissions to access additional features in the console. The attack complexity is low, there are no preexisting attack requirements; the privileges required are high, and there is no user interaction required. The impact to system confidentiality is low, the impact to system integrity is high and the impact to system availability is low.
CVSS Score: 6.0
EPSS Score: 0.0
Published: 2025-05-28

