Publish Advisories

GHSA-2rm4-674c-43v5
GHSA-33vr-hv7f-mv36
GHSA-4chx-3xpf-9pfj
GHSA-5f3x-cpqc-wr99
GHSA-5jph-4x8h-wx83
GHSA-5mr4-m32g-vmwq
GHSA-68h7-pm4h-c96m
GHSA-8c9w-7999-9v62
GHSA-99cp-q7mc-52c4
GHSA-cm35-q368-98g3
GHSA-g39h-563w-fg8c
GHSA-mj5c-c9mm-83jf
GHSA-p754-x56h-5ffr
GHSA-q963-9rqv-mq7m

Author: advisory-database[bot]

advisories/unreviewed/2025/11/GHSA-2rm4-674c-43v5/GHSA-2rm4-674c-43v5.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2rm4-674c-43v5",
-  "modified": "2025-11-10T21:30:36Z",
+  "modified": "2025-11-11T00:30:20Z",
   "published": "2025-11-10T21:30:36Z",
   "aliases": [
     "CVE-2025-12728"
   ],
   "details": "Inappropriate implementation in Omnibox in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-451"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-11-10T20:15:39Z"

advisories/unreviewed/2025/11/GHSA-33vr-hv7f-mv36/GHSA-33vr-hv7f-mv36.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-33vr-hv7f-mv36",
+  "modified": "2025-11-11T00:30:21Z",
+  "published": "2025-11-11T00:30:21Z",
+  "aliases": [
+    "CVE-2025-63678"
+  ],
+  "details": "An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted PHP file.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63678"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kasiasok/raports/blob/main/CMSMS%202.2.22%20_%20Raport%20092025.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-10T23:15:41Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-4chx-3xpf-9pfj/GHSA-4chx-3xpf-9pfj.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4chx-3xpf-9pfj",
-  "modified": "2025-11-10T21:30:36Z",
+  "modified": "2025-11-11T00:30:20Z",
   "published": "2025-11-10T21:30:36Z",
   "aliases": [
     "CVE-2025-12725"
   ],
   "details": "Out of bounds read in WebGPU in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -27,7 +32,7 @@
     "cwe_ids": [
       "CWE-125"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-11-10T20:15:39Z"

advisories/unreviewed/2025/11/GHSA-5f3x-cpqc-wr99/GHSA-5f3x-cpqc-wr99.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5f3x-cpqc-wr99",
+  "modified": "2025-11-11T00:30:21Z",
+  "published": "2025-11-11T00:30:21Z",
+  "aliases": [
+    "CVE-2018-25124"
+  ],
+  "details": "PacsOne Server version 6.6.2 (prior versions are likely affected) contains a directory traversal vulnerability within the web-based DICOM viewer component. Successful exploitation allows a remote unauthenticated attacker to read arbitrary files via the 'nocache.php' endpoint with a crafted 'path' parameter. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25124"
+    },
+    {
+      "type": "WEB",
+      "url": "https://pacsone.net/download.htm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/43907"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/pacsone-server-dicom-web-viewer-directory-traversal-lfi"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-10T23:15:39Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-5jph-4x8h-wx83/GHSA-5jph-4x8h-wx83.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5jph-4x8h-wx83",
-  "modified": "2025-11-10T21:30:35Z",
+  "modified": "2025-11-11T00:30:20Z",
   "published": "2025-11-10T21:30:35Z",
   "aliases": [
     "CVE-2025-12443"
   ],
   "details": "Out of bounds read in WebXR in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -27,7 +32,7 @@
     "cwe_ids": [
       "CWE-125"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-11-10T20:15:39Z"

advisories/unreviewed/2025/11/GHSA-5mr4-m32g-vmwq/GHSA-5mr4-m32g-vmwq.json

@@ -0,0 +1,41 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5mr4-m32g-vmwq",
+  "modified": "2025-11-11T00:30:20Z",
+  "published": "2025-11-11T00:30:20Z",
+  "aliases": [
+    "CVE-2025-63397"
+  ],
+  "details": "Improper input validation in OneFlow v0.9.0 allows attackers to cause a segmentation fault via adding a Python sequence to the native code during broadcasting/type conversion.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63397"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Oneflow-Inc/oneflow/issues/10666"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Daisy2ang"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Oneflow-Inc/oneflow"
+    },
+    {
+      "type": "WEB",
+      "url": "http://oneflow.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-10T22:15:36Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-68h7-pm4h-c96m/GHSA-68h7-pm4h-c96m.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-68h7-pm4h-c96m",
-  "modified": "2025-11-10T21:30:35Z",
+  "modified": "2025-11-11T00:30:20Z",
   "published": "2025-11-10T21:30:35Z",
   "aliases": [
     "CVE-2025-12433"
   ],
   "details": "Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -25,7 +30,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-11-10T20:15:37Z"

advisories/unreviewed/2025/11/GHSA-8c9w-7999-9v62/GHSA-8c9w-7999-9v62.json

@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8c9w-7999-9v62",
+  "modified": "2025-11-11T00:30:21Z",
+  "published": "2025-11-11T00:30:21Z",
+  "aliases": [
+    "CVE-2025-12542"
+  ],
+  "details": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12542"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-10T23:15:41Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-99cp-q7mc-52c4/GHSA-99cp-q7mc-52c4.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-99cp-q7mc-52c4",
-  "modified": "2025-11-10T21:30:35Z",
+  "modified": "2025-11-11T00:30:20Z",
   "published": "2025-11-10T21:30:35Z",
   "aliases": [
     "CVE-2025-12441"
   ],
   "details": "Out of bounds read in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -27,7 +32,7 @@
     "cwe_ids": [
       "CWE-125"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-11-10T20:15:38Z"

advisories/unreviewed/2025/11/GHSA-cm35-q368-98g3/GHSA-cm35-q368-98g3.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cm35-q368-98g3",
+  "modified": "2025-11-11T00:30:21Z",
+  "published": "2025-11-11T00:30:21Z",
+  "aliases": [
+    "CVE-2021-4462"
+  ],
+  "details": "Employee Records System version 1.0 contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload arbitrary files via the uploadID.php endpoint; uploaded files can be executed because the application does not perform proper server-side validation.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4462"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/49596"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sourcecodester.com/php/11393/employee-records-system.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/employees-records-system-arbitrary-file-upload-rce"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-434"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-10T23:15:40Z"
+  }
+}