Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 155ffe6cf089 · 2025-11-10T03:32:06.000Z
GHSA-856v-8qm2-9wjv GHSA-qc8j-wvjf-7jfj GHSA-3wqv-qpc6-2469 GHSA-8849-h57v-c6xm GHSA-8fjh-p7j5-79fg GHSA-c9jg-5vh8-ff2v GHSA-cfjq-p9cp-c745 GHSA-hm5m-9phw-v9hq GHSA-jh7m-5fwg-gpmf GHSA-mfg3-2r9j-5hv9 GHSA-qf35-h73j-5vfh
diff --git a/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.json b/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-856v-8qm2-9wjv",
-  "modified": "2025-11-07T00:30:27Z",
+  "modified": "2025-11-10T03:30:15Z",
   "published": "2025-08-07T21:31:08Z",
   "aliases": [
     "CVE-2025-7195"
@@ -48,6 +48,14 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:19335"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:19958"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:19961"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-7195"
diff --git a/advisories/unreviewed/2025/09/GHSA-qc8j-wvjf-7jfj/GHSA-qc8j-wvjf-7jfj.json b/advisories/unreviewed/2025/09/GHSA-qc8j-wvjf-7jfj/GHSA-qc8j-wvjf-7jfj.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qc8j-wvjf-7jfj",
-  "modified": "2025-11-08T00:31:00Z",
+  "modified": "2025-11-10T03:30:15Z",
   "published": "2025-09-23T18:30:24Z",
   "aliases": [
     "CVE-2025-9900"
@@ -47,6 +47,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-9900"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:19947"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:19906"
diff --git a/advisories/unreviewed/2025/11/GHSA-3wqv-qpc6-2469/GHSA-3wqv-qpc6-2469.json b/advisories/unreviewed/2025/11/GHSA-3wqv-qpc6-2469/GHSA-3wqv-qpc6-2469.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3wqv-qpc6-2469",
+  "modified": "2025-11-10T03:30:15Z",
+  "published": "2025-11-10T03:30:15Z",
+  "aliases": [
+    "CVE-2025-12922"
+  ],
+  "details": "A vulnerability was found in OpenClinica Community Edition up to 3.12.2/3.13. This affects an unknown part of the file /ImportCRFData?action=confirm of the component CRF Data Import. Performing manipulation of the argument xml_file results in path traversal. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12922"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mikecole-mg/security_findings/blob/main/openclinica/openclinica-rce.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mikecole-mg/security_findings/blob/main/openclinica/openclinica-rce.md#raw-requests-abridged"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.331642"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.331642"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.680873"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-10T01:15:36Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-8849-h57v-c6xm/GHSA-8849-h57v-c6xm.json b/advisories/unreviewed/2025/11/GHSA-8849-h57v-c6xm/GHSA-8849-h57v-c6xm.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8849-h57v-c6xm",
+  "modified": "2025-11-10T03:30:16Z",
+  "published": "2025-11-10T03:30:16Z",
+  "aliases": [
+    "CVE-2025-12865"
+  ],
+  "details": "U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing authenticated remote attacker to inject arbitrary SQL commands to read, modify, and delete database contents.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12865"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-10489-a5a6d-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-10488-2df22-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-10T03:15:42Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-8fjh-p7j5-79fg/GHSA-8fjh-p7j5-79fg.json b/advisories/unreviewed/2025/11/GHSA-8fjh-p7j5-79fg/GHSA-8fjh-p7j5-79fg.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8fjh-p7j5-79fg",
+  "modified": "2025-11-10T03:30:15Z",
+  "published": "2025-11-10T03:30:15Z",
+  "aliases": [
+    "CVE-2025-12923"
+  ],
+  "details": "A vulnerability was determined in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function resourceDownload of the file /dev-api/common/download. Executing manipulation of the argument path can lead to path traversal. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12923"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Huu1j/CVE/blob/main/chestnutcms%20Arbitrary%20File%20Read.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.331643"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.331643"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.681032"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-10T01:15:37Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-c9jg-5vh8-ff2v/GHSA-c9jg-5vh8-ff2v.json b/advisories/unreviewed/2025/11/GHSA-c9jg-5vh8-ff2v/GHSA-c9jg-5vh8-ff2v.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c9jg-5vh8-ff2v",
+  "modified": "2025-11-10T03:30:16Z",
+  "published": "2025-11-10T03:30:15Z",
+  "aliases": [
+    "CVE-2025-12925"
+  ],
+  "details": "A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. Impacted is the function getAll/addDic/getAllDic/deleteDic of the file src/main/java/com/rymcu/forest/lucene/api/UserDicController.java. The manipulation results in missing authorization. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12925"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rymcu/forest/issues/199"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.331645"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.331645"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.681080"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-10T02:15:34Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-cfjq-p9cp-c745/GHSA-cfjq-p9cp-c745.json b/advisories/unreviewed/2025/11/GHSA-cfjq-p9cp-c745/GHSA-cfjq-p9cp-c745.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cfjq-p9cp-c745",
+  "modified": "2025-11-10T03:30:16Z",
+  "published": "2025-11-10T03:30:16Z",
+  "aliases": [
+    "CVE-2025-12926"
+  ],
+  "details": "A weakness has been identified in SourceCodester Farm Management System 1.0. The affected element is an unknown function of the file /review.php. This manipulation of the argument pid causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12926"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/R178/cve/issues/1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.331646"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.331646"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.681506"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sourcecodester.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-10T03:15:42Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-hm5m-9phw-v9hq/GHSA-hm5m-9phw-v9hq.json b/advisories/unreviewed/2025/11/GHSA-hm5m-9phw-v9hq/GHSA-hm5m-9phw-v9hq.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hm5m-9phw-v9hq",
+  "modified": "2025-11-10T03:30:16Z",
+  "published": "2025-11-10T03:30:16Z",
+  "aliases": [
+    "CVE-2025-12866"
+  ],
+  "details": "EIP Plus developed by Hundred Plus has a Weak Password Recovery Mechanism vulnerability, allowing unauthenticated remote attacker to predict or brute-force the 'forgot password' link, thereby successfully resetting any user's password.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12866"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-10491-004b0-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-10490-2534b-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-640"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-10T03:15:42Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-jh7m-5fwg-gpmf/GHSA-jh7m-5fwg-gpmf.json b/advisories/unreviewed/2025/11/GHSA-jh7m-5fwg-gpmf/GHSA-jh7m-5fwg-gpmf.json
diff --git a/advisories/unreviewed/2025/11/GHSA-mfg3-2r9j-5hv9/GHSA-mfg3-2r9j-5hv9.json b/advisories/unreviewed/2025/11/GHSA-mfg3-2r9j-5hv9/GHSA-mfg3-2r9j-5hv9.json
diff --git a/advisories/unreviewed/2025/11/GHSA-qf35-h73j-5vfh/GHSA-qf35-h73j-5vfh.json b/advisories/unreviewed/2025/11/GHSA-qf35-h73j-5vfh/GHSA-qf35-h73j-5vfh.json
