How severe is CVE-2025-4280?

This vulnerability has a severity rating of MEDIUM with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2025-4280?

This is classified as CWE-276, which is a common weakness in software security.

CVE-2025-4280 - MEDIUM Severity | CVSS N/A

Vulnerability Description

MacOS version of Poedit bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Poedit, potentially disguising attacker's malicious intent. This issue has been fixed in 3.6.3 version of Poedit.

Related Vulnerabilities

CVE-2020-10279

CRITICAL

CVSS:10.0(Critical)

MiR robot controllers (central computation unit) makes use of Ubuntu 16.04.2 an operating system, Thought for desktop uses, this operating system presents insecure defaults for robots. These insecurit...

CWE-2762020

CVE-2020-29492

CRITICAL

CVSS:10.0(Critical)

Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to access the writable f...

CWE-2762020

CVE-2022-42150

CRITICAL

CVSS:10.0(Critical)

TinyLab linux-lab v1.1-rc1 and cloud-labv0.8-rc2, v1.1-rc1 are vulnerable to insecure permissions. The default configuration could cause Container Escape.

CWE-2762022

CVE-2023-29131

CRITICAL

CVSS:10.0(Critical)

A vulnerability has been identified in SIMATIC CN 4100 (All versions < V2.5). Affected device consists of an incorrect default value in the SSH configuration. This could allow an attacker to bypass ne...

CWE-2762023

CVE-2019-19896

CRITICAL

CVSS:9.9(Critical)

In IXP EasyInstall 6.2.13723, there is Remote Code Execution via weak permissions on the Engine Service share. The default file permissions of the IXP$ share on the server allows modification of direc...

CWE-2762019

CVE-2020-9408

CRITICAL

CVSS:9.9(Critical)

The Spotfire library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a vulnerability that theoretically allows an attacker w...

CWE-2762020