Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 0a7cff273376 · 2025-11-04T19:45:29.000Z
GHSA-7h4p-27mh-hmrw GHSA-h8gc-pgj2-vjm3 GHSA-4g9r-vxhx-9pgx GHSA-xxj9-f6rv-m3x4 GHSA-9qxr-qj54-h672 GHSA-m4v8-wqvr-p9f7 GHSA-8m2r-x2m2-3wmw GHSA-8m2r-x2m2-3wmw
diff --git a/advisories/github-reviewed/2023/11/GHSA-7h4p-27mh-hmrw/GHSA-7h4p-27mh-hmrw.json b/advisories/github-reviewed/2023/11/GHSA-7h4p-27mh-hmrw/GHSA-7h4p-27mh-hmrw.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7h4p-27mh-hmrw",
-  "modified": "2024-09-20T15:08:16Z",
+  "modified": "2025-11-04T19:43:27Z",
   "published": "2023-11-03T06:36:29Z",
   "aliases": [
     "CVE-2023-41164"
@@ -118,10 +118,18 @@
       "type": "WEB",
       "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D"
+    },
     {
       "type": "WEB",
       "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D"
+    },
     {
       "type": "WEB",
       "url": "https://security.netapp.com/advisory/ntap-20231214-0002"
diff --git a/advisories/github-reviewed/2023/11/GHSA-h8gc-pgj2-vjm3/GHSA-h8gc-pgj2-vjm3.json b/advisories/github-reviewed/2023/11/GHSA-h8gc-pgj2-vjm3/GHSA-h8gc-pgj2-vjm3.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h8gc-pgj2-vjm3",
-  "modified": "2024-11-18T16:26:32Z",
+  "modified": "2025-11-04T19:43:42Z",
   "published": "2023-11-03T06:36:30Z",
   "aliases": [
     "CVE-2023-43665"
@@ -126,6 +126,10 @@
       "type": "WEB",
       "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D"
+    },
     {
       "type": "WEB",
       "url": "https://security.netapp.com/advisory/ntap-20231221-0001"
diff --git a/advisories/github-reviewed/2024/02/GHSA-4g9r-vxhx-9pgx/GHSA-4g9r-vxhx-9pgx.json b/advisories/github-reviewed/2024/02/GHSA-4g9r-vxhx-9pgx/GHSA-4g9r-vxhx-9pgx.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4g9r-vxhx-9pgx",
-  "modified": "2025-02-13T19:13:39Z",
+  "modified": "2025-11-04T19:43:57Z",
   "published": "2024-02-19T09:30:50Z",
   "aliases": [
     "CVE-2024-25710"
@@ -52,6 +52,10 @@
       "type": "WEB",
       "url": "https://security.netapp.com/advisory/ntap-20240307-0010"
     },
+    {
+      "type": "WEB",
+      "url": "http://seclists.org/fulldisclosure/2024/Aug/37"
+    },
     {
       "type": "WEB",
       "url": "http://www.openwall.com/lists/oss-security/2024/02/19/1"
diff --git a/advisories/github-reviewed/2024/02/GHSA-xxj9-f6rv-m3x4/GHSA-xxj9-f6rv-m3x4.json b/advisories/github-reviewed/2024/02/GHSA-xxj9-f6rv-m3x4/GHSA-xxj9-f6rv-m3x4.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xxj9-f6rv-m3x4",
-  "modified": "2024-11-18T16:26:35Z",
+  "modified": "2025-11-04T19:44:12Z",
   "published": "2024-02-07T00:30:25Z",
   "aliases": [
     "CVE-2024-24680"
@@ -126,6 +126,10 @@
       "type": "WEB",
       "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D"
+    },
     {
       "type": "WEB",
       "url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases"
diff --git a/advisories/github-reviewed/2024/04/GHSA-9qxr-qj54-h672/GHSA-9qxr-qj54-h672.json b/advisories/github-reviewed/2024/04/GHSA-9qxr-qj54-h672/GHSA-9qxr-qj54-h672.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9qxr-qj54-h672",
-  "modified": "2024-04-20T00:31:52Z",
+  "modified": "2025-11-04T19:44:42Z",
   "published": "2024-04-04T14:20:54Z",
   "aliases": [
     "CVE-2024-30261"
   ],
   "summary": "Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect",
-  "details": "### Impact\n\nIf an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered.\n\n### Patches\n\nFixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3.\nFixes has been released in v5.28.4 and v6.11.1.\n\n\n### Workarounds\n\nEnsure that `integrity` cannot be tampered with.\n\n### References\n\nhttps://hackerone.com/reports/2377760\n",
+  "details": "### Impact\n\nIf an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered.\n\n### Patches\n\nFixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3.\nFixes has been released in v5.28.4 and v6.11.1.\n\n\n### Workarounds\n\nEnsure that `integrity` cannot be tampered with.\n\n### References\n\nhttps://hackerone.com/reports/2377760",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -90,6 +90,10 @@
     {
       "type": "WEB",
       "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20240905-0008"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2024/04/GHSA-m4v8-wqvr-p9f7/GHSA-m4v8-wqvr-p9f7.json b/advisories/github-reviewed/2024/04/GHSA-m4v8-wqvr-p9f7/GHSA-m4v8-wqvr-p9f7.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m4v8-wqvr-p9f7",
-  "modified": "2025-02-13T19:02:14Z",
+  "modified": "2025-11-04T19:44:28Z",
   "published": "2024-04-04T14:20:39Z",
   "aliases": [
     "CVE-2024-30260"
@@ -90,6 +90,10 @@
     {
       "type": "WEB",
       "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20240905-0008"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2025/01/GHSA-8m2r-x2m2-3wmw/GHSA-8m2r-x2m2-3wmw.json b/advisories/github-reviewed/2025/01/GHSA-8m2r-x2m2-3wmw/GHSA-8m2r-x2m2-3wmw.json
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8m2r-x2m2-3wmw",
+  "modified": "2025-11-04T19:43:57Z",
+  "published": "2025-01-28T15:31:57Z",
+  "withdrawn": "2025-11-04T19:43:57Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document",
+  "details": "Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xr3m-6gq6-22cg. This link is maintained to preserve external references.\n\nOriginal Description\nA vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality of the component Search Document. The manipulation leads to basic cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "pimcore/pimcore"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "11.4.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 11.5.3"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-xr3m-6gq6-22cg"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11954"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.293905"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.293905"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-04T19:43:57Z",
+    "nvd_published_at": "2025-01-28T14:15:29Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/01/GHSA-8m2r-x2m2-3wmw/GHSA-8m2r-x2m2-3wmw.json b/advisories/unreviewed/2025/01/GHSA-8m2r-x2m2-3wmw/GHSA-8m2r-x2m2-3wmw.json

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-m4v8-wqvr-p9f7",`
`4`		`- "modified": "2025-02-13T19:02:14Z",`
	`4`	`+ "modified": "2025-11-04T19:44:28Z",`
`5`	`5`	`"published": "2024-04-04T14:20:39Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2024-30260"`
`@@ -90,6 +90,10 @@`
`90`	`90`	`{`
`91`	`91`	`"type": "WEB",`
`92`	`92`	`"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E"`
	`93`	`+ },`
	`94`	`+ {`
	`95`	`+ "type": "WEB",`
	`96`	`+ "url": "https://security.netapp.com/advisory/ntap-20240905-0008"`
`93`	`97`	`}`
`94`	`98`	`],`
`95`	`99`	`"database_specific": {`