Security Vulnerabilities - CVEs Published In May 2025
Redis is an open source, in-memory database that persists on disk. In versions starting from 7.0.0 to before 8.0.2, a stack-based buffer overflow exists in redis-check-aof due to the use of memcpy with strlen(filepath) when copying a user-supplied file path into a fixed-size stack buffer. This allows an attacker to overflow the stack and potentially achieve code execution. This issue has been patched in version 8.0.2.
CVSS Score
4.7
EPSS Score
0.001
Published
2025-05-29
CVE-2025-27702 is a vulnerability in the management console of Absolute
Secure Access prior to version 13.54. Attackers with administrative
access to the console and who have been assigned a certain set of
permissions can bypass those permissions to improperly modify settings.
The attack complexity is low, there are no preexisting attack
requirements; the privileges required are high, and there is no user
interaction required. There is no impact to system confidentiality or
availability, impact to system integrity is high.
CVSS Score
4.9
EPSS Score
0.0
Published
2025-05-28
CVE-2025-27703 is a privilege escalation vulnerability in the management
console of Absolute Secure Access prior to version 13.54. Attackers
with administrative access to a specific subset of privileged features
in the console can elevate their permissions to access additional
features in the console. The attack complexity is low, there are no
preexisting attack requirements; the privileges required are high, and
there is no user interaction required. The impact to system
confidentiality is low, the impact to system integrity is high and the
impact to system availability is low.
CVSS Score
6.0
EPSS Score
0.0
Published
2025-05-28
CVE-2025-27706 is a cross-site scripting vulnerability in the management
console of Absolute Secure Access prior to version 13.54. Attackers
with system administrator permissions can interfere with another system
administrator’s use of the management console when the second
administrator visits the page. Attack complexity is low, there are no
preexisting attack requirements, privileges required are high and active
user interaction is required. There is no impact on confidentiality,
the impact on integrity is low and there is no impact on availability.
CVSS Score
3.4
EPSS Score
0.0
Published
2025-05-28
Netwrix Directory Manager v.11.0.0.0 and before & after v.11.1.25134.03 contains a hardcoded password.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-05-28
Netwrix Directory Manager (formerly Imanami GroupID) before and including v.11.0.0.0 and after v.11.1.25134.03 has Incorrect Permission Assignment for a Critical Resource.
CVSS Score
5.0
EPSS Score
0.0
Published
2025-05-28
Netwrix Directory Manager (formerly Imanami GroupID) v11.0.0.0 and before & after v.11.1.25134.03 inserts Sensitive Information into Sent Data.
CVSS Score
9.1
EPSS Score
0.001
Published
2025-05-28
Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.
CVSS Score
7.2
EPSS Score
0.0
Published
2025-05-28
Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name.
CVSS Score
7.2
EPSS Score
0.0
Published
2025-05-28
Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink.
CVSS Score
7.2
EPSS Score
0.0
Published
2025-05-28