Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-14714

Summary
Assigner-Document Fdn.
Assigner Org ID-4fe7d05b-1353-44cc-8b7a-1e416936dff2
Published At-15 Dec, 2025 | 10:30
Updated At-15 Dec, 2025 | 13:13
Rejected At-
Credits

TCC Bypass via Inherited Permissions in Bundled Interpreter

An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle By executing the bundled interpreter directly the attacker's scripts run with the application's TCC privileges In fixed versions parent-constraints are used to allow only the main application to launch interpreter with those permissions This issue affects LibreOffice on macOS: from 25.2 before < 25.2.4.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Document Fdn.
Assigner Org ID:4fe7d05b-1353-44cc-8b7a-1e416936dff2
Published At:15 Dec, 2025 | 10:30
Updated At:15 Dec, 2025 | 13:13
Rejected At:
▼CVE Numbering Authority (CNA)
TCC Bypass via Inherited Permissions in Bundled Interpreter

An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle By executing the bundled interpreter directly the attacker's scripts run with the application's TCC privileges In fixed versions parent-constraints are used to allow only the main application to launch interpreter with those permissions This issue affects LibreOffice on macOS: from 25.2 before < 25.2.4.

Affected Products
Vendor
The Document Foundation
Product
LibreOffice
Platforms
  • MacOS
Default Status
unknown
Versions
Affected
  • From 25.2 before < 25.2.4 (25.2 series)
Problem Types
TypeCWE IDDescription
CWECWE-288CWE-288 Authentication Bypass Using an Alternate Path or Channel
Type: CWE
CWE ID: CWE-288
Description: CWE-288 Authentication Bypass Using an Alternate Path or Channel
Metrics
VersionBase scoreBase severityVector
4.00.9LOW
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U
Version: 4.0
Base score: 0.9
Base severity: LOW
Vector:
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-115CAPEC-115 Authentication Bypass
CAPEC ID: CAPEC-115
Description: CAPEC-115 Authentication Bypass
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Karol Mazurek of AFINE
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.libreoffice.org/about-us/security/advisories/cve-2025-14714
N/A
Hyperlink: https://www.libreoffice.org/about-us/security/advisories/cve-2025-14714
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@documentfoundation.org
Published At:15 Dec, 2025 | 11:15
Updated At:18 Feb, 2026 | 14:32

An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle By executing the bundled interpreter directly the attacker's scripts run with the application's TCC privileges In fixed versions parent-constraints are used to allow only the main application to launch interpreter with those permissions This issue affects LibreOffice on macOS: from 25.2 before < 25.2.4.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.00.9LOW
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.16.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 0.9
Base severity: LOW
Vector:
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CPE Matches
libreoffice
libreoffice
>>libreoffice>>Versions from 25.2.0.1(inclusive) to 25.2.4.1(exclusive)
cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*
Apple Inc.
apple
>>macos>>-
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-288Secondarysecurity@documentfoundation.org
CWE ID: CWE-288
Type: Secondary
Source: security@documentfoundation.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.libreoffice.org/about-us/security/advisories/cve-2025-14714security@documentfoundation.org
Vendor Advisory
Hyperlink: https://www.libreoffice.org/about-us/security/advisories/cve-2025-14714
Source: security@documentfoundation.org
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

12Records found
CVE-2026-20680
Matching Score-8
Assigner-Apple Inc.
ShareView Details
Matching Score-8
Assigner-Apple Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.01% / 1.71%
||
7 Day CHG~0.00%
Published-11 Feb, 2026 | 22:58
Updated-18 Feb, 2026 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The issue was addressed with additional restrictions on the observability of app states. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. A sandboxed app may be able to access sensitive user data.

Action-Not Available
Vendor-Apple Inc.
Product-ipadosmacosiphone_osmacOSiOS and iPadOS
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-14220
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.15% / 78.14%
||
7 Day CHG~0.00%
Published-24 Sep, 2019 | 20:15
Updated-05 Aug, 2024 | 00:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in BlueStacks 4.110 and below on macOS and on 4.120 and below on Windows. BlueStacks employs Android running in a virtual machine (VM) to enable Android apps to run on Windows or MacOS. Bug is in a local arbitrary file read through a system service call. The impacted method runs with System admin privilege and if given the file name as parameter returns you the content of file. A malicious app using the affected method can then read the content of any system file which it is not authorized to read

Action-Not Available
Vendor-bluestacksn/aApple Inc.Microsoft Corporation
Product-windowsbluestacksmacosn/a
CWE ID-CWE-269
Improper Privilege Management
CVE-2018-6982
Matching Score-8
Assigner-VMware by Broadcom
ShareView Details
Matching Score-8
Assigner-VMware by Broadcom
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 55.83%
||
7 Day CHG~0.00%
Published-04 Dec, 2018 | 14:00
Updated-05 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

VMware ESXi 6.7 without ESXi670-201811401-BG and VMware ESXi 6.5 without ESXi650-201811301-BG contain uninitialized stack memory usage in the vmxnet3 virtual network adapter which may lead to an information leak from host to guest.

Action-Not Available
Vendor-Apple Inc.VMware (Broadcom Inc.)
Product-workstationfusionesximac_os_xVMware ESXi
CWE ID-CWE-908
Use of Uninitialized Resource
CVE-2021-41995
Matching Score-6
Assigner-Ping Identity Corporation
ShareView Details
Matching Score-6
Assigner-Ping Identity Corporation
CVSS Score-7.7||HIGH
EPSS-0.25% / 47.70%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 19:25
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PingID Mac Login prior to 1.1 vulnerable to pre-computed dictionary attacks

A misconfiguration of RSA in PingID Mac Login prior to 1.1 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass.

Action-Not Available
Vendor-Ping Identity Corp.Apple Inc.
Product-pingid_integration_for_mac_loginmacosPingID Mac Login
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-310
Not Available
CWE ID-CWE-287
Improper Authentication
CVE-2025-43436
Matching Score-6
Assigner-Apple Inc.
ShareView Details
Matching Score-6
Assigner-Apple Inc.
CVSS Score-7.5||HIGH
EPSS-0.04% / 11.54%
||
7 Day CHG~0.00%
Published-04 Nov, 2025 | 01:17
Updated-18 Dec, 2025 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A permissions issue was addressed with additional restrictions. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, visionOS 26.1. An app may be able to enumerate a user's installed apps.

Action-Not Available
Vendor-Apple Inc.
Product-iphone_osvisionoswatchosipadostvosiOS and iPadOSwatchOSvisionOStvOSmacOS
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2023-23503
Matching Score-6
Assigner-Apple Inc.
ShareView Details
Matching Score-6
Assigner-Apple Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.01% / 2.00%
||
7 Day CHG~0.00%
Published-27 Feb, 2023 | 00:00
Updated-12 Mar, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A logic issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.2, iOS 16.3 and iPadOS 16.3, iOS 15.7.3 and iPadOS 15.7.3, tvOS 16.3, watchOS 9.3. An app may be able to bypass Privacy preferences.

Action-Not Available
Vendor-Apple Inc.
Product-tvosmacosiphone_osipadoswatchoswatchOSmacOStvOSiOS and iPadOS
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-24095
Matching Score-6
Assigner-Apple Inc.
ShareView Details
Matching Score-6
Assigner-Apple Inc.
CVSS Score-7.6||HIGH
EPSS-0.20% / 41.39%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 22:22
Updated-03 Nov, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This issue was addressed with additional entitlement checks. This issue is fixed in visionOS 2.4, iOS 18.4 and iPadOS 18.4. An app may be able to bypass Privacy preferences.

Action-Not Available
Vendor-Apple Inc.
Product-ipadosvisionosiphone_osvisionOSiOS and iPadOS
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-24206
Matching Score-6
Assigner-Apple Inc.
ShareView Details
Matching Score-6
Assigner-Apple Inc.
CVSS Score-7.7||HIGH
EPSS-0.03% / 9.08%
||
7 Day CHG~0.00%
Published-29 Apr, 2025 | 02:05
Updated-02 Oct, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authentication issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4. An attacker on the local network may be able to bypass authentication policy.

Action-Not Available
Vendor-Apple Inc.
Product-ipadosiphone_osmacostvosvisionosiOS and iPadOSmacOSvisionOStvOSiPadOS
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-46286
Matching Score-6
Assigner-Apple Inc.
ShareView Details
Matching Score-6
Assigner-Apple Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 9.91%
||
7 Day CHG~0.00%
Published-09 Jan, 2026 | 21:14
Updated-14 Jan, 2026 | 17:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. Restoring from a backup may prevent passcode from being required immediately after Face ID enrollment.

Action-Not Available
Vendor-Apple Inc.
Product-iphone_osipadosiOS and iPadOS
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-43422
Matching Score-6
Assigner-Apple Inc.
ShareView Details
Matching Score-6
Assigner-Apple Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.02% / 4.98%
||
7 Day CHG~0.00%
Published-04 Nov, 2025 | 01:16
Updated-01 Dec, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The issue was addressed by adding additional logic. This issue is fixed in iOS 26.1 and iPadOS 26.1. An attacker with physical access to a device may be able to disable Stolen Device Protection.

Action-Not Available
Vendor-Apple Inc.
Product-ipadosiphone_osiOS and iPadOS
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-12431
Matching Score-6
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-6
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-6.5||MEDIUM
EPSS-0.02% / 4.81%
||
7 Day CHG~0.00%
Published-10 Nov, 2025 | 20:00
Updated-13 Nov, 2025 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Inappropriate implementation in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: High)

Action-Not Available
Vendor-Linux Kernel Organization, IncApple Inc.Google LLCMicrosoft Corporation
Product-chromewindowsmacoslinux_kernelChrome
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-12445
Matching Score-6
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-6
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-6.5||MEDIUM
EPSS-0.02% / 4.81%
||
7 Day CHG~0.00%
Published-10 Nov, 2025 | 20:00
Updated-13 Nov, 2025 | 15:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low)

Action-Not Available
Vendor-Linux Kernel Organization, IncApple Inc.Google LLCMicrosoft Corporation
Product-chromewindowsmacoslinux_kernelChrome
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
Details not found