Security Vulnerabilities - CVEs Published In May 2025
Tenda AC10 V1.0re_V15.03.06.46 is vulnerable to Buffer Overflow in the formSetPPTPUserList handler via the list POST parameter.
CVSS Score
9.8
EPSS Score
0.009
Published
2025-05-12
IBM 4769 Developers Toolkit 7.0.0 through 7.5.52 could allow a remote attacker to cause a denial of service in the Hardware Security Module (HSM) due to improper memory allocation of an excessive size.
CVSS Score
7.5
EPSS Score
0.003
Published
2025-05-12
An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism.
CVSS Score
9.8
EPSS Score
0.045
Published
2025-05-12
EngineerCMS v1.02 through v.2.0.5 has a SQL injection vulnerability in the /project/addprojtemplet interface.
CVSS Score
9.8
EPSS Score
0.003
Published
2025-05-12
ARTEC EMA Mail 6.92 allows CSRF.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-05-12
Cross Site Scripting vulnerability in ARTEC EMA Mail v6.92 allows an attacker to execute arbitrary code via a crafted script.
CVSS Score
6.1
EPSS Score
0.002
Published
2025-05-12
sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exist in folders that they otherwise cannot access using `sudo --list <pathname>`. Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks. Version 0.2.6 fixes the vulnerability.
CVSS Score
3.3
EPSS Score
0.001
Published
2025-05-12
sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with limited sudo privileges (e.g. execution of a single command) can list sudo privileges of other users using the `-U` flag. This vulnerability allows users with limited sudo privileges to enumerate the sudoers file, revealing sensitive information about other users' permissions. Attackers can collect information that can be used for more targeted attacks. Systems where users either do not have sudo privileges or have the ability to run all commands as root through sudo (the default configuration on most systems) are not affected by this advisory. Version 0.2.6 fixes the vulnerability.
CVSS Score
3.3
EPSS Score
0.001
Published
2025-05-12
Cross Site Scripting vulnerability in WPEVEREST Everest Forms before 3.0.9 allows an attacker to execute arbitrary code via a file upload.
CVSS Score
6.1
EPSS Score
0.002
Published
2025-05-12
An issue was discovered in Znuny before 7.1.4. Permissions are not checked properly when using the Generic Interface to update ticket metadata.
CVSS Score
9.8
EPSS Score
0.004
Published
2025-05-12