Security Vulnerabilities - CVEs Published In May 2025
An issue in WPS Office before v.19302 allows a local attacker to obtain sensitive information via a crafted file.
CVSS Score
5.5
EPSS Score
0.0
Published
2025-05-14
An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction.
CVSS Score
6.1
EPSS Score
0.001
Published
2025-05-14
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Score
4.4
EPSS Score
0.0
Published
2025-05-14
IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow and subsequent crash, due to a defect in its native AES/CBC encryption implementation.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-05-14
An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS devices enables a locally authenticated non administrative user to disable the app. The GlobalProtect app on Windows, Linux, iOS, Android, Chrome OS and GlobalProtect UWP app are not affected.
CVSS Score
3.3
EPSS Score
0.0
Published
2025-05-14
A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). This issue may allow context-dependent attackers to cause undefined behavior by exploiting improper pointer arithmetic. Since version 1.14.0, PCL by default uses a zlib installation from the system, unless the user sets WITH_SYSTEM_ZLIB=FALSE. So this potential vulnerability is only relevant if the PCL version is older than 1.14.0 or the user specifically requests to not use the system zlib.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-05-14
Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
CVSS Score
4.3
EPSS Score
0.0
Published
2025-05-14
Buffer over-read in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-05-14
Cross-site scripting in some Zoom Workplace Apps may allow an authenticated user to impact app integrity via network access.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-05-14
Time-of-check time-of-use race condition in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via local access.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-05-14

