Security Vulnerabilities - CVEs Published In May 2025
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, there is no check to ensure that the user is disabling notifications for the mailbox to which they already have access. Moreover, the code explicitly implements functionality that if the user does not have access to the mailbox, then after disabling (enabling) notifications for this mailbox, the user will gain access to it. This issue has been patched in version 1.8.179.
CVSS Score
8.1
EPSS Score
0.0
Published
2025-05-29
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-05-29
Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password.
CVSS Score
10.0
EPSS Score
0.001
Published
2025-05-29
A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of the argument Abfrage leads to erweiterte Rechte. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
6.3
EPSS Score
0.001
Published
2025-05-29
Exposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager
allows an authenticated user to gain unauthorized access to private personal information.
Under specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users.
This issue affects the following versions :
* Remote Desktop Manager Windows 2025.1.34.0 and earlier
*
Remote Desktop Manager macOS 2025.1.16.3 and earlier
*
Remote Desktop Manager Android 2025.1.3.3 and earlier
*
Remote Desktop Manager iOS 2025.1.6.0 and earlier
CVSS Score
7.5
EPSS Score
0.001
Published
2025-05-29
yasm commit 9defefae was discovered to contain a NULL pointer dereference via the yasm_section_bcs_append function at section.c.
CVSS Score
4.8
EPSS Score
0.0
Published
2025-05-29
tcpreplay v4.4.4 was discovered to contain an infinite loop via the tcprewrite function at get.c.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-05-29
HuoCMS V3.5.1 and before is vulnerable to file upload, which allows attackers to take control of the target server
CVSS Score
5.3
EPSS Score
0.001
Published
2025-05-29
HuoCMS V3.5.1 has a File Upload Vulnerability. An attacker can exploit this flaw to bypass whitelist restrictions and craft malicious files with specific suffixes, thereby gaining control of the server.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-05-29
In the Linux kernel, the following vulnerability has been resolved:
module: ensure that kobject_put() is safe for module type kobjects
In 'lookup_or_create_module_kobject()', an internal kobject is created
using 'module_ktype'. So call to 'kobject_put()' on error handling
path causes an attempt to use an uninitialized completion pointer in
'module_kobject_release()'. In this scenario, we just want to release
kobject without an extra synchronization required for a regular module
unloading process, so adding an extra check whether 'complete()' is
actually required makes 'kobject_put()' safe.
CVSS Score
5.5
EPSS Score
0.0
Published
2025-05-29