Search criteria
18 vulnerabilities by Absolute Security
CVE-2025-59596 (GCVE-0-2025-59596)
Vulnerability from cvelistv5 – Published: 2025-11-04 22:51 – Updated: 2025-11-05 14:18
VLAI?
Summary
CVE-2025-59596 is a denial-of-service vulnerability in Secure Access
Windows client versions 12.0 to 14.10 that is addressed in version
14.12. If a local networking policy is active, attackers on an adjacent
network may be able to send a crafted packet and cause the client system
to crash.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
12.0 , < 14.12
(Client)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T14:17:06.819066Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T14:18:58.843Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "14.12",
"status": "affected",
"version": "12.0",
"versionType": "Client"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2025-59596 is a denial-of-service vulnerability in Secure Access \nWindows client versions 12.0 to 14.10 that is addressed in version \n14.12. If a local networking policy is active, attackers on an adjacent \nnetwork may be able to send a crafted packet and cause the client system\n to crash."
}
],
"value": "CVE-2025-59596 is a denial-of-service vulnerability in Secure Access \nWindows client versions 12.0 to 14.10 that is addressed in version \n14.12. If a local networking policy is active, attackers on an adjacent \nnetwork may be able to send a crafted packet and cause the client system\n to crash."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T22:51:39.048Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-59596"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-59596",
"datePublished": "2025-11-04T22:51:31.244Z",
"dateReserved": "2025-09-17T19:43:47.507Z",
"dateUpdated": "2025-11-05T14:18:58.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54089 (GCVE-0-2025-54089)
Vulnerability from cvelistv5 – Published: 2025-10-02 20:15 – Updated: 2025-10-03 14:59
VLAI?
Summary
CVE-2025-54089 is a cross-site scripting vulnerability in versions
of secure access prior to 14.10. Attackers with administrative access to the
console can interfere with another administrator’s access to the console. The
attack complexity is low; there are no attack requirements. Privileges required
to execute the attack are high and the victim must actively participate in the
attack sequence. There is no impact to confidentiality or availability, there
is a low impact to integrity.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 14.10
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54089",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-03T14:59:41.891024Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-03T14:59:45.131Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "14.10",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-54089 is a cross-site scripting vulnerability in versions\nof secure access prior to 14.10. Attackers with administrative access to the\nconsole can interfere with another administrator\u2019s access to the console. The\nattack complexity is low; there are no attack requirements. Privileges required\nto execute the attack are high and the victim must actively participate in the\nattack sequence. There is no impact to confidentiality or availability, there\nis a low impact to integrity.\u003c/p\u003e\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "CVE-2025-54089 is a cross-site scripting vulnerability in versions\nof secure access prior to 14.10. Attackers with administrative access to the\nconsole can interfere with another administrator\u2019s access to the console. The\nattack complexity is low; there are no attack requirements. Privileges required\nto execute the attack are high and the victim must actively participate in the\nattack sequence. There is no impact to confidentiality or availability, there\nis a low impact to integrity."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T20:15:09.464Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-54089"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability in Secure Access prior to 14.10",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-54089",
"datePublished": "2025-10-02T20:15:09.464Z",
"dateReserved": "2025-07-16T17:10:03.453Z",
"dateUpdated": "2025-10-03T14:59:45.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54088 (GCVE-0-2025-54088)
Vulnerability from cvelistv5 – Published: 2025-10-02 20:10 – Updated: 2025-10-07 19:26
VLAI?
Summary
CVE-2025-54088 is an open-redirect vulnerability in Secure
Access prior to version 14.10. Attackers with access to the console can
redirect victims to an arbitrary URL. The attack complexity is low, attack
requirements are present, no privileges are required, and users must actively
participate in the attack. Impact to confidentiality is low and there is no
impact to integrity or availability. There are high severity impacts to
confidentiality, integrity, availability in subsequent systems.
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < <14.10
(server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54088",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T19:26:12.951361Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T19:26:28.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "\u003c14.10",
"status": "affected",
"version": "0",
"versionType": "server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-54088 is an open-redirect vulnerability in Secure\nAccess prior to version 14.10. Attackers with access to the console can\nredirect victims to an arbitrary URL. The attack complexity is low, attack\nrequirements are present, no privileges are required, and users must actively\nparticipate in the attack. Impact to confidentiality is low and there is no\nimpact to integrity or availability. There are high severity impacts to\nconfidentiality, integrity, availability in subsequent systems.\u003c/p\u003e"
}
],
"value": "CVE-2025-54088 is an open-redirect vulnerability in Secure\nAccess prior to version 14.10. Attackers with access to the console can\nredirect victims to an arbitrary URL. The attack complexity is low, attack\nrequirements are present, no privileges are required, and users must actively\nparticipate in the attack. Impact to confidentiality is low and there is no\nimpact to integrity or availability. There are high severity impacts to\nconfidentiality, integrity, availability in subsequent systems."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T20:10:52.425Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-54088"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Redirect in Secure Access prior to 14.10",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-54088",
"datePublished": "2025-10-02T20:10:52.425Z",
"dateReserved": "2025-07-16T17:10:03.453Z",
"dateUpdated": "2025-10-07T19:26:28.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54087 (GCVE-0-2025-54087)
Vulnerability from cvelistv5 – Published: 2025-10-02 20:05 – Updated: 2025-10-07 19:27
VLAI?
Summary
CVE-2025-54087 is a server-side request forgery
vulnerability in Secure Access prior to version 14.10. Attackers with
administrative privileges can publish a crafted test HTTP request originating
from the Secure Access server. The attack complexity is high, there are no
attack requirements, and user interaction is required. There is no direct
impact to confidentiality, integrity, or availability. There is a low severity
subsequent system impact to integrity.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < <14.10
(server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T19:26:49.025936Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T19:27:01.644Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Administrative Consile",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "\u003c14.10",
"status": "affected",
"version": "0",
"versionType": "server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-54087 is a server-side request forgery\nvulnerability in Secure Access prior to version 14.10. Attackers with\nadministrative privileges can publish a crafted test HTTP request originating\nfrom the Secure Access server. The attack complexity is high, there are no\nattack requirements, and user interaction is required. There is no direct\nimpact to confidentiality, integrity, or availability. There is a low severity\nsubsequent system impact to integrity. \u003c/p\u003e"
}
],
"value": "CVE-2025-54087 is a server-side request forgery\nvulnerability in Secure Access prior to version 14.10. Attackers with\nadministrative privileges can publish a crafted test HTTP request originating\nfrom the Secure Access server. The attack complexity is high, there are no\nattack requirements, and user interaction is required. There is no direct\nimpact to confidentiality, integrity, or availability. There is a low severity\nsubsequent system impact to integrity."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.8,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T20:05:38.092Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-54087"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Server-side request forgery in Secure Access",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-54087",
"datePublished": "2025-10-02T20:05:38.092Z",
"dateReserved": "2025-07-16T17:10:03.453Z",
"dateUpdated": "2025-10-07T19:27:01.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54086 (GCVE-0-2025-54086)
Vulnerability from cvelistv5 – Published: 2025-10-02 19:56 – Updated: 2025-10-06 18:35
VLAI?
Summary
CVE-2025-54086 is an excess permissions vulnerability in the
Warehouse component of Absolute Secure Access prior to version 14.10. Attackers
with access to the local file system can read the Java keystore file. The
attack complexity is low, there are no attack requirements, the privileges
required are low and no user interaction is required. Impact to confidentiality
is low, there is no impact to integrity or availability.
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < <14.10
(server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54086",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T18:35:11.272236Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T18:35:14.588Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Warehouse",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "\u003c14.10",
"status": "affected",
"version": "0",
"versionType": "server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-54086 is an excess permissions vulnerability in the\nWarehouse component of Absolute Secure Access prior to version 14.10. Attackers\nwith access to the local file system can read the Java keystore file. The\nattack complexity is low, there are no attack requirements, the privileges\nrequired are low and no user interaction is required. Impact to confidentiality\nis low, there is no impact to integrity or availability. \u003c/p\u003e"
}
],
"value": "CVE-2025-54086 is an excess permissions vulnerability in the\nWarehouse component of Absolute Secure Access prior to version 14.10. Attackers\nwith access to the local file system can read the Java keystore file. The\nattack complexity is low, there are no attack requirements, the privileges\nrequired are low and no user interaction is required. Impact to confidentiality\nis low, there is no impact to integrity or availability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T19:56:37.373Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-54086"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Excess Permissions in Warehouse",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-54086",
"datePublished": "2025-10-02T19:56:37.373Z",
"dateReserved": "2025-07-16T17:10:03.453Z",
"dateUpdated": "2025-10-06T18:35:14.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49082 (GCVE-0-2025-49082)
Vulnerability from cvelistv5 – Published: 2025-07-30 23:45 – Updated: 2025-07-31 13:30
VLAI?
Summary
CVE-2025-49082 is a vulnerability in the management console
of Absolute Secure Access prior to version 13.56. Attackers with administrative
access to the console and who have been assigned a certain set of permissions
can bypass those permissions to improperly read other settings. The attack
complexity is low, there are no preexisting attack requirements; the privileges
required are high, and there is no user interaction required. The impact to
system confidentiality is low, there is no impact to system availability or
integrity.
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 13.56
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T13:28:59.442075Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T13:30:00.892Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Administrative Console",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.56",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-49082 is a vulnerability in the management console\nof Absolute Secure Access prior to version 13.56. Attackers with administrative\naccess to the console and who have been assigned a certain set of permissions\ncan bypass those permissions to improperly read other settings. The attack\ncomplexity is low, there are no preexisting attack requirements; the privileges\nrequired are high, and there is no user interaction required. The impact to\nsystem confidentiality is low, there is no impact to system availability or\nintegrity. \u003c/p\u003e"
}
],
"value": "CVE-2025-49082 is a vulnerability in the management console\nof Absolute Secure Access prior to version 13.56. Attackers with administrative\naccess to the console and who have been assigned a certain set of permissions\ncan bypass those permissions to improperly read other settings. The attack\ncomplexity is low, there are no preexisting attack requirements; the privileges\nrequired are high, and there is no user interaction required. The impact to\nsystem confidentiality is low, there is no impact to system availability or\nintegrity."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T23:45:30.677Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-49082"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Permissions bypass vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.56",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-49082",
"datePublished": "2025-07-30T23:45:30.677Z",
"dateReserved": "2025-05-30T18:23:44.238Z",
"dateUpdated": "2025-07-31T13:30:00.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54085 (GCVE-0-2025-54085)
Vulnerability from cvelistv5 – Published: 2025-07-30 23:40 – Updated: 2025-07-31 13:31
VLAI?
Summary
CVE-2025-54085 is a vulnerability in the management console
of Absolute Secure Access prior to version 13.56. Attackers with administrative
access to the console and who have been assigned a certain set of permissions
can bypass those permissions to improperly read or change other settings. The
attack complexity is low, there are no preexisting attack requirements; the
privileges required are high, and there is no user interaction required. The
impact to system confidentiality and integrity is low, there is no impact to
system availability.
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 13.56
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54085",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T13:30:40.243410Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T13:31:58.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Administrative Console",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.56",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-54085 is a vulnerability in the management console\nof Absolute Secure Access prior to version 13.56. Attackers with administrative\naccess to the console and who have been assigned a certain set of permissions\ncan bypass those permissions to improperly read or change other settings. The\nattack complexity is low, there are no preexisting attack requirements; the\nprivileges required are high, and there is no user interaction required. The\nimpact to system confidentiality and integrity is low, there is no impact to\nsystem availability. \u003c/p\u003e"
}
],
"value": "CVE-2025-54085 is a vulnerability in the management console\nof Absolute Secure Access prior to version 13.56. Attackers with administrative\naccess to the console and who have been assigned a certain set of permissions\ncan bypass those permissions to improperly read or change other settings. The\nattack complexity is low, there are no preexisting attack requirements; the\nprivileges required are high, and there is no user interaction required. The\nimpact to system confidentiality and integrity is low, there is no impact to\nsystem availability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T23:40:28.441Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-54085"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Elevation of privilege vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.56",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-54085",
"datePublished": "2025-07-30T23:40:28.441Z",
"dateReserved": "2025-07-16T17:10:03.452Z",
"dateUpdated": "2025-07-31T13:31:58.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49083 (GCVE-0-2025-49083)
Vulnerability from cvelistv5 – Published: 2025-07-30 23:30 – Updated: 2025-07-31 13:37
VLAI?
Summary
CVE-2025-49083 is a vulnerability in the management console
of Absolute Secure Access after version 12.00 and prior to version 13.56.
Attackers with administrative access to the console can cause unsafe content to
be deserialized and executed in the security context of the console. The attack
complexity is low and there are no attack requirements. Privileges required are
high and there is no user interaction required. The impact to confidentiality
is low, impact to integrity is high and there is no impact to availability. The
impact to the confidentiality and integrity of subsequent systems is low and
there is no subsequent system impact to availability.
Severity ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
12.00 , < 13.56
(Server Version)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T13:35:20.525138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T13:37:21.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.56",
"status": "affected",
"version": "12.00",
"versionType": "Server Version"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-49083 is a vulnerability in the management console\nof Absolute Secure Access after version 12.00 and prior to version 13.56.\nAttackers with administrative access to the console can cause unsafe content to\nbe deserialized and executed in the security context of the console. The attack\ncomplexity is low and there are no attack requirements. Privileges required are\nhigh and there is no user interaction required. The impact to confidentiality\nis low, impact to integrity is high and there is no impact to availability. The\nimpact to the confidentiality and integrity of subsequent systems is low and\nthere is no subsequent system impact to availability. \u003c/p\u003e"
}
],
"value": "CVE-2025-49083 is a vulnerability in the management console\nof Absolute Secure Access after version 12.00 and prior to version 13.56.\nAttackers with administrative access to the console can cause unsafe content to\nbe deserialized and executed in the security context of the console. The attack\ncomplexity is low and there are no attack requirements. Privileges required are\nhigh and there is no user interaction required. The impact to confidentiality\nis low, impact to integrity is high and there is no impact to availability. The\nimpact to the confidentiality and integrity of subsequent systems is low and\nthere is no subsequent system impact to availability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T23:30:52.664Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-49083"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Data deserialization vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.56",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-49083",
"datePublished": "2025-07-30T23:30:52.664Z",
"dateReserved": "2025-05-30T18:23:44.238Z",
"dateUpdated": "2025-07-31T13:37:21.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49081 (GCVE-0-2025-49081)
Vulnerability from cvelistv5 – Published: 2025-06-12 17:25 – Updated: 2025-06-12 17:59
VLAI?
Summary
There is an insufficient input validation vulnerability in the warehouse
component of Absolute Secure Access prior to server version 13.55. Attackers
with system administrator permissions can impair the availability of the Secure
Access administrative UI by writing invalid data to the warehouse over the
network. The attack complexity is low, there are no attack requirements,
privileges required are high, and there is no user interaction required. There
is no impact on confidentiality or integrity; the impact on availability is
high.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 13.55
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-12T17:58:19.597138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T17:59:46.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Warehouse",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.55",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is an insufficient input validation vulnerability in the warehouse\ncomponent of Absolute Secure Access prior to server version 13.55. Attackers\nwith system administrator permissions can impair the availability of the Secure\nAccess administrative UI by writing invalid data to the warehouse over the\nnetwork. The attack complexity is low, there are no attack requirements,\nprivileges required are high, and there is no user interaction required. There\nis no impact on confidentiality or integrity; the impact on availability is\nhigh.\u003c/p\u003e"
}
],
"value": "There is an insufficient input validation vulnerability in the warehouse\ncomponent of Absolute Secure Access prior to server version 13.55. Attackers\nwith system administrator permissions can impair the availability of the Secure\nAccess administrative UI by writing invalid data to the warehouse over the\nnetwork. The attack complexity is low, there are no attack requirements,\nprivileges required are high, and there is no user interaction required. There\nis no impact on confidentiality or integrity; the impact on availability is\nhigh."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T17:25:47.812Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-49081"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Input validation vulnerability in the Secure Access prior to version 13.55",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-49081",
"datePublished": "2025-06-12T17:25:47.812Z",
"dateReserved": "2025-05-30T18:23:44.238Z",
"dateUpdated": "2025-06-12T17:59:46.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49080 (GCVE-0-2025-49080)
Vulnerability from cvelistv5 – Published: 2025-06-12 17:08 – Updated: 2025-06-17 18:17
VLAI?
Summary
There is a memory management vulnerability in Absolute
Secure Access server versions 9.0 to 13.54. Attackers with network access to
the server can cause a Denial of Service by sending a specially crafted
sequence of packets to the server. The attack complexity is low, there are no
attack requirements, privileges, or user interaction required. Loss of
availability is high; there is no impact on confidentiality or integrity.
Severity ?
CWE
- CWE-762 - Mismatched Memory Management Routines
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
9.0 , < 13.54
(Server Version)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-12T17:12:45.895406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-762",
"description": "CWE-762 Mismatched Memory Management Routines",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T18:17:08.994Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Secure Access Server",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.54",
"status": "affected",
"version": "9.0",
"versionType": "Server Version"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is a memory management vulnerability in Absolute\nSecure Access server versions 9.0 to 13.54. Attackers with network access to\nthe server can cause a Denial of Service by sending a specially crafted\nsequence of packets to the server. The attack complexity is low, there are no\nattack requirements, privileges, or user interaction required. Loss of\navailability is high; there is no impact on confidentiality or integrity.\u003c/p\u003e"
}
],
"value": "There is a memory management vulnerability in Absolute\nSecure Access server versions 9.0 to 13.54. Attackers with network access to\nthe server can cause a Denial of Service by sending a specially crafted\nsequence of packets to the server. The attack complexity is low, there are no\nattack requirements, privileges, or user interaction required. Loss of\navailability is high; there is no impact on confidentiality or integrity."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T17:08:50.086Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-49080"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Memory management vulnerability in Absolute Secure Access server versions 9.0 to 13.54",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-49080",
"datePublished": "2025-06-12T17:08:50.086Z",
"dateReserved": "2025-05-30T18:23:44.238Z",
"dateUpdated": "2025-06-17T18:17:08.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27706 (GCVE-0-2025-27706)
Vulnerability from cvelistv5 – Published: 2025-05-28 21:01 – Updated: 2025-05-28 23:55
VLAI?
Summary
CVE-2025-27706 is a cross-site scripting vulnerability in the management
console of Absolute Secure Access prior to version 13.54. Attackers
with system administrator permissions can interfere with another system
administrator’s use of the management console when the second
administrator visits the page. Attack complexity is low, there are no
preexisting attack requirements, privileges required are high and active
user interaction is required. There is no impact on confidentiality,
the impact on integrity is low and there is no impact on availability.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 13.54
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27706",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T23:54:24.614310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T23:55:03.442Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Management Console",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.54",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2025-27706 is a cross-site scripting vulnerability in the management\n console of Absolute Secure Access prior to version 13.54. Attackers \nwith system administrator permissions can interfere with another system \nadministrator\u2019s use of the management console when the second \nadministrator visits the page. Attack complexity is low, there are no \npreexisting attack requirements, privileges required are high and active\n user interaction is required. There is no impact on confidentiality, \nthe impact on integrity is low and there is no impact on availability."
}
],
"value": "CVE-2025-27706 is a cross-site scripting vulnerability in the management\n console of Absolute Secure Access prior to version 13.54. Attackers \nwith system administrator permissions can interfere with another system \nadministrator\u2019s use of the management console when the second \nadministrator visits the page. Attack complexity is low, there are no \npreexisting attack requirements, privileges required are high and active\n user interaction is required. There is no impact on confidentiality, \nthe impact on integrity is low and there is no impact on availability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T21:01:08.548Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/vulnerability-archive/cve-2025-27706"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.54",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-27706",
"datePublished": "2025-05-28T21:01:08.548Z",
"dateReserved": "2025-03-05T23:12:09.705Z",
"dateUpdated": "2025-05-28T23:55:03.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27703 (GCVE-0-2025-27703)
Vulnerability from cvelistv5 – Published: 2025-05-28 20:56 – Updated: 2025-05-28 23:57
VLAI?
Summary
CVE-2025-27703 is a privilege escalation vulnerability in the management
console of Absolute Secure Access prior to version 13.54. Attackers
with administrative access to a specific subset of privileged features
in the console can elevate their permissions to access additional
features in the console. The attack complexity is low, there are no
preexisting attack requirements; the privileges required are high, and
there is no user interaction required. The impact to system
confidentiality is low, the impact to system integrity is high and the
impact to system availability is low.
Severity ?
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 13.54
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T23:55:37.117764Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T23:57:51.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Administrative Console",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.54",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2025-27703 is a privilege escalation vulnerability in the management\n console of Absolute Secure Access prior to version 13.54. Attackers \nwith administrative access to a specific subset of privileged features \nin the console can elevate their permissions to access additional \nfeatures in the console. The attack complexity is low, there are no \npreexisting attack requirements; the privileges required are high, and \nthere is no user interaction required. The impact to system \nconfidentiality is low, the impact to system integrity is high and the \nimpact to system availability is low."
}
],
"value": "CVE-2025-27703 is a privilege escalation vulnerability in the management\n console of Absolute Secure Access prior to version 13.54. Attackers \nwith administrative access to a specific subset of privileged features \nin the console can elevate their permissions to access additional \nfeatures in the console. The attack complexity is low, there are no \npreexisting attack requirements; the privileges required are high, and \nthere is no user interaction required. The impact to system \nconfidentiality is low, the impact to system integrity is high and the \nimpact to system availability is low."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T20:56:53.459Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/vulnerability-archive/cve-2025-27703"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Privilege escalation in the management console of Absolute Secure Access prior to version 13.54",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-27703",
"datePublished": "2025-05-28T20:56:53.459Z",
"dateReserved": "2025-03-05T23:12:09.704Z",
"dateUpdated": "2025-05-28T23:57:51.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27702 (GCVE-0-2025-27702)
Vulnerability from cvelistv5 – Published: 2025-05-28 20:42 – Updated: 2025-05-28 23:54
VLAI?
Summary
CVE-2025-27702 is a vulnerability in the management console of Absolute
Secure Access prior to version 13.54. Attackers with administrative
access to the console and who have been assigned a certain set of
permissions can bypass those permissions to improperly modify settings.
The attack complexity is low, there are no preexisting attack
requirements; the privileges required are high, and there is no user
interaction required. There is no impact to system confidentiality or
availability, impact to system integrity is high.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 13.54
(Server Version)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T23:49:57.998713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T23:54:02.125Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Management Console",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.54",
"status": "affected",
"version": "0",
"versionType": "Server Version"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2025-27702 is a vulnerability in the management console of Absolute \nSecure Access prior to version 13.54. Attackers with administrative \naccess to the console and who have been assigned a certain set of \npermissions can bypass those permissions to improperly modify settings. \nThe attack complexity is low, there are no preexisting attack \nrequirements; the privileges required are high, and there is no user \ninteraction required. There is no impact to system confidentiality or \navailability, impact to system integrity is high."
}
],
"value": "CVE-2025-27702 is a vulnerability in the management console of Absolute \nSecure Access prior to version 13.54. Attackers with administrative \naccess to the console and who have been assigned a certain set of \npermissions can bypass those permissions to improperly modify settings. \nThe attack complexity is low, there are no preexisting attack \nrequirements; the privileges required are high, and there is no user \ninteraction required. There is no impact to system confidentiality or \navailability, impact to system integrity is high."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T20:42:34.657Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/vulnerability-archive/cve-2025-27702"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Permissions bypass in the management console of Absolute Secure Access prior to version 13.54",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-27702",
"datePublished": "2025-05-28T20:42:34.657Z",
"dateReserved": "2025-03-05T23:12:09.704Z",
"dateUpdated": "2025-05-28T23:54:02.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6364 (GCVE-0-2024-6364)
Vulnerability from cvelistv5 – Published: 2025-05-13 17:00 – Updated: 2025-05-13 17:37
VLAI?
Summary
A vulnerability in Absolute Persistence® versions before 2.8 exists when it is not activated. This may allow a skilled attacker with both physical access to the device, and full hostile network control, to initiate OS commands on the device. To remediate this vulnerability, update the device firmware to the latest available version. Please contact the device manufacturer for upgrade instructions or contact Absolute Security, see reference below.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Absolute Persistence |
Affected:
0 , < 2.8
(Absolute Persistence)
|
Credits
Denis Faiustov, GMO Cybersecurity by Ierae
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6364",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T17:37:41.294539Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T17:37:58.419Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Absolute Persistence",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "2.8",
"status": "affected",
"version": "0",
"versionType": "Absolute Persistence"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Denis Faiustov, GMO Cybersecurity by Ierae"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(248, 248, 248);\"\u003eA vulnerability in Absolute Persistence\u00ae versions before 2.8 exists when it is not activated. This may allow a skilled attacker with both physical access to the device, and full hostile network control, to initiate OS commands on the device. To remediate this vulnerability, update the device firmware to the latest available version. Please contact the device manufacturer for upgrade instructions or contact Absolute Security, see reference below.\u003c/span\u003e"
}
],
"value": "A vulnerability in Absolute Persistence\u00ae versions before 2.8 exists when it is not activated. This may allow a skilled attacker with both physical access to the device, and full hostile network control, to initiate OS commands on the device. To remediate this vulnerability, update the device firmware to the latest available version. Please contact the device manufacturer for upgrade instructions or contact Absolute Security, see reference below."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "PHYSICAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T17:22:47.858Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/vulnerability-archive/cve-2024-6364"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Server Identity Validation Bypass in Absolute Persistence\u00ae",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2024-6364",
"datePublished": "2025-05-13T17:00:07.443Z",
"dateReserved": "2024-06-26T22:42:45.308Z",
"dateUpdated": "2025-05-13T17:37:58.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27705 (GCVE-0-2025-27705)
Vulnerability from cvelistv5 – Published: 2025-03-19 19:15 – Updated: 2025-03-19 20:06
VLAI?
Summary
There is a cross-site scripting vulnerability in the Secure
Access administrative console of Absolute Secure Access prior to version 13.53.
Attackers with system administrator permissions can interfere with another
system administrator’s use of the management console when the second
administrator logs in. Attack complexity is high, attack requirements are
present, privileges required are none, user interaction is required. The impact
to confidentiality is low, the impact to availability is none, and the impact
to system integrity is none.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , ≤ 13.52
(Server version)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T20:06:22.201624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T20:06:42.594Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThanOrEqual": "13.52",
"status": "affected",
"version": "0",
"versionType": "Server version"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is a cross-site scripting vulnerability in the Secure\nAccess administrative console of Absolute Secure Access prior to version 13.53.\nAttackers with system administrator permissions can interfere with another\nsystem administrator\u2019s use of the management console when the second\nadministrator logs in. Attack complexity is high, attack requirements are\npresent, privileges required are none, user interaction is required. The impact\nto confidentiality is low, the impact to availability is none, and the impact\nto system integrity is none.\u003c/p\u003e"
}
],
"value": "There is a cross-site scripting vulnerability in the Secure\nAccess administrative console of Absolute Secure Access prior to version 13.53.\nAttackers with system administrator permissions can interfere with another\nsystem administrator\u2019s use of the management console when the second\nadministrator logs in. Attack complexity is high, attack requirements are\npresent, privileges required are none, user interaction is required. The impact\nto confidentiality is low, the impact to availability is none, and the impact\nto system integrity is none."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T19:15:08.265Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1353/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to server version 13.53"
}
],
"value": "Upgrade to server version 13.53"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-27705",
"datePublished": "2025-03-19T19:15:08.265Z",
"dateReserved": "2025-03-05T23:12:09.705Z",
"dateUpdated": "2025-03-19T20:06:42.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27704 (GCVE-0-2025-27704)
Vulnerability from cvelistv5 – Published: 2025-03-19 19:08 – Updated: 2025-04-03 13:06
VLAI?
Summary
There is a cross-site scripting vulnerability in the Secure
Access administrative console of Absolute Secure Access prior to version 13.53.
Attackers with system administrator permissions can interfere with another
system administrator’s use of the management console when the second
administrator logs in. Attack complexity is high, attack requirements are
present, privileges required are none, user interaction is required. The impact
to confidentiality is low, the impact to availability is none, and the impact
to system integrity is none.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , ≤ 13.52
(Server version)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27704",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T20:08:05.991183Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T13:06:17.528Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThanOrEqual": "13.52",
"status": "affected",
"version": "0",
"versionType": "Server version"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is a cross-site scripting vulnerability in the Secure\nAccess administrative console of Absolute Secure Access prior to version 13.53.\nAttackers with system administrator permissions can interfere with another\nsystem administrator\u2019s use of the management console when the second\nadministrator logs in. Attack complexity is high, attack requirements are\npresent, privileges required are none, user interaction is required. The impact\nto confidentiality is low, the impact to availability is none, and the impact\nto system integrity is none.\u003c/p\u003e"
}
],
"value": "There is a cross-site scripting vulnerability in the Secure\nAccess administrative console of Absolute Secure Access prior to version 13.53.\nAttackers with system administrator permissions can interfere with another\nsystem administrator\u2019s use of the management console when the second\nadministrator logs in. Attack complexity is high, attack requirements are\npresent, privileges required are none, user interaction is required. The impact\nto confidentiality is low, the impact to availability is none, and the impact\nto system integrity is none."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T20:29:26.495Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1353/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-27704",
"datePublished": "2025-03-19T19:08:26.262Z",
"dateReserved": "2025-03-05T23:12:09.705Z",
"dateUpdated": "2025-04-03T13:06:17.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40873 (GCVE-0-2024-40873)
Vulnerability from cvelistv5 – Published: 2024-07-25 17:19 – Updated: 2024-08-02 04:39
VLAI?
Summary
There is a cross-site scripting vulnerability in the Secure
Access administrative console of Absolute Secure Access prior to version 13.07.
Attackers with system administrator permissions can interfere with another
system administrator’s use of the publishing UI when the administrators are
editing the same management object. The scope is unchanged, there is no loss of
confidentiality. Impact to system availability is none, impact to system
integrity is high.
Severity ?
4.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 13.07
(server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T17:44:12.839094Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T17:44:19.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:39:55.361Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1307/cve-2024-40873/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Console",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.07",
"status": "affected",
"version": "0",
"versionType": "server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a cross-site scripting vulnerability in the Secure\nAccess administrative console of Absolute Secure Access prior to version 13.07.\nAttackers with system administrator permissions can interfere with another\nsystem administrator\u2019s use of the publishing UI when the administrators are\nediting the same management object. The scope is unchanged, there is no loss of\nconfidentiality. Impact to system availability is none, impact to system\nintegrity is high."
}
],
"value": "There is a cross-site scripting vulnerability in the Secure\nAccess administrative console of Absolute Secure Access prior to version 13.07.\nAttackers with system administrator permissions can interfere with another\nsystem administrator\u2019s use of the publishing UI when the administrators are\nediting the same management object. The scope is unchanged, there is no loss of\nconfidentiality. Impact to system availability is none, impact to system\nintegrity is high."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T17:19:28.906Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1307/cve-2024-40873/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS in Secure Access administrative console",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2024-40873",
"datePublished": "2024-07-25T17:19:28.906Z",
"dateReserved": "2024-07-10T20:40:17.120Z",
"dateUpdated": "2024-08-02T04:39:55.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40872 (GCVE-0-2024-40872)
Vulnerability from cvelistv5 – Published: 2024-07-25 17:00 – Updated: 2024-08-02 04:39
VLAI?
Summary
There is an elevation of privilege vulnerability in server
and client components of Absolute Secure Access prior to version 13.07.
Attackers with local access and valid desktop user credentials can elevate
their privilege to system level by passing invalid address data to the vulnerable
component. This could be used to
manipulate process tokens to elevate the privilege of a normal process to
System. The scope is changed, the impact to system confidentiality and
integrity is high, the impact to the availability of the effected component is
none.
Severity ?
8.4 (High)
CWE
- CWE-822 - Untrusted Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 13.07
(Client and server)
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:absolute:secure_access:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "secure_access",
"vendor": "absolute",
"versions": [
{
"lessThan": "13.07",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40872",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-31T13:50:11.226191Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T13:51:51.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:39:55.376Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1307/cve-2024-40872/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Client and Server",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.07",
"status": "affected",
"version": "0",
"versionType": "Client and server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is an elevation of privilege vulnerability in server\nand client components of Absolute Secure Access prior to version 13.07.\nAttackers with local access and valid desktop user credentials can elevate\ntheir privilege to system level by passing invalid address data to the vulnerable\ncomponent. This could be used to\nmanipulate process tokens to elevate the privilege of a normal process to\nSystem. The scope is changed, the impact to system confidentiality and\nintegrity is high, the impact to the availability of the effected component is\nnone. \u003c/p\u003e"
}
],
"value": "There is an elevation of privilege vulnerability in server\nand client components of Absolute Secure Access prior to version 13.07.\nAttackers with local access and valid desktop user credentials can elevate\ntheir privilege to system level by passing invalid address data to the vulnerable\ncomponent. This could be used to\nmanipulate process tokens to elevate the privilege of a normal process to\nSystem. The scope is changed, the impact to system confidentiality and\nintegrity is high, the impact to the availability of the effected component is\nnone."
}
],
"impacts": [
{
"capecId": "CAPEC-69",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-69 Target Programs with Elevated Privileges"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-822",
"description": "CWE-822 Untrusted Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T17:00:38.151Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1307/cve-2024-40872/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Elevation of privilege in Absolute Secure Access clients and servers",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2024-40872",
"datePublished": "2024-07-25T17:00:38.151Z",
"dateReserved": "2024-07-10T20:40:17.120Z",
"dateUpdated": "2024-08-02T04:39:55.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}