Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 2394e0f3eca3 · 2025-10-05T03:31:42.000Z
GHSA-23xc-wwgh-93wr GHSA-36wg-34jh-gmgv GHSA-g42p-2jqv-j24r GHSA-mhm8-9xx6-hwgw GHSA-vxpx-mqx4-f9h3 GHSA-ww92-642m-ccgq
diff --git a/advisories/unreviewed/2025/10/GHSA-23xc-wwgh-93wr/GHSA-23xc-wwgh-93wr.json b/advisories/unreviewed/2025/10/GHSA-23xc-wwgh-93wr/GHSA-23xc-wwgh-93wr.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-23xc-wwgh-93wr",
+  "modified": "2025-10-05T03:30:19Z",
+  "published": "2025-10-05T03:30:19Z",
+  "aliases": [
+    "CVE-2025-11276"
+  ],
+  "details": "A security flaw has been discovered in Rebuild up to 4.1.3. Affected by this issue is some unknown functionality of the component Comment/Guestbook. Performing manipulation results in cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 4.1.4 can resolve this issue. It is suggested to upgrade the affected component. According to the researcher the vendor has confirmed the flaw and fix in a private issue response.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11276"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitee.com/getrebuild/rebuild/releases/tag/4.1.4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.327010"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.327010"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.658910"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-05T02:15:35Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/10/GHSA-36wg-34jh-gmgv/GHSA-36wg-34jh-gmgv.json b/advisories/unreviewed/2025/10/GHSA-36wg-34jh-gmgv/GHSA-36wg-34jh-gmgv.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-36wg-34jh-gmgv",
+  "modified": "2025-10-05T03:30:20Z",
+  "published": "2025-10-05T03:30:20Z",
+  "aliases": [
+    "CVE-2025-11277"
+  ],
+  "details": "A weakness has been identified in Open Asset Import Library Assimp 6.0.2. This affects the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. Executing manipulation can lead to heap-based buffer overflow. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11277"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/assimp/assimp/issues/6358"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/user-attachments/files/22422643/poc.zip"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.327011"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.327011"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.658912"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-05T02:15:37Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/10/GHSA-g42p-2jqv-j24r/GHSA-g42p-2jqv-j24r.json b/advisories/unreviewed/2025/10/GHSA-g42p-2jqv-j24r/GHSA-g42p-2jqv-j24r.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g42p-2jqv-j24r",
+  "modified": "2025-10-05T03:30:20Z",
+  "published": "2025-10-05T03:30:20Z",
+  "aliases": [
+    "CVE-2025-11278"
+  ],
+  "details": "A security vulnerability has been detected in AllStarLink Supermon up to 6.2. This vulnerability affects unknown code of the component AllMon2. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11278"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.327012"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.327012"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.659016"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-05T03:15:39Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/10/GHSA-mhm8-9xx6-hwgw/GHSA-mhm8-9xx6-hwgw.json b/advisories/unreviewed/2025/10/GHSA-mhm8-9xx6-hwgw/GHSA-mhm8-9xx6-hwgw.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mhm8-9xx6-hwgw",
+  "modified": "2025-10-05T03:30:20Z",
+  "published": "2025-10-05T03:30:20Z",
+  "aliases": [
+    "CVE-2025-11279"
+  ],
+  "details": "A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. This issue affects some unknown processing of the component Add Work Item Page. The manipulation of the argument Title results in csv injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11279"
+    },
+    {
+      "type": "WEB",
+      "url": "https://drive.google.com/file/d/1Lw9_KYblnhg7FQU70G0SgH_VyYRUD-rX/view?usp=sharing"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.327013"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.327013"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.659422"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-05T03:15:40Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/10/GHSA-vxpx-mqx4-f9h3/GHSA-vxpx-mqx4-f9h3.json b/advisories/unreviewed/2025/10/GHSA-vxpx-mqx4-f9h3/GHSA-vxpx-mqx4-f9h3.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vxpx-mqx4-f9h3",
+  "modified": "2025-10-05T03:30:19Z",
+  "published": "2025-10-05T03:30:19Z",
+  "aliases": [
+    "CVE-2025-11275"
+  ],
+  "details": "A vulnerability was identified in Open Asset Import Library Assimp 6.0.2. Affected by this vulnerability is the function ODDLParser::getNextSeparator in the library assimp/contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11275"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/assimp/assimp/issues/6357"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/user-attachments/files/22417682/poc.zip"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.327009"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.327009"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.658675"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-05T01:15:35Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/10/GHSA-ww92-642m-ccgq/GHSA-ww92-642m-ccgq.json b/advisories/unreviewed/2025/10/GHSA-ww92-642m-ccgq/GHSA-ww92-642m-ccgq.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ww92-642m-ccgq",
+  "modified": "2025-10-05T03:30:19Z",
+  "published": "2025-10-05T03:30:19Z",
+  "aliases": [
+    "CVE-2025-11274"
+  ],
+  "details": "A vulnerability was determined in Open Asset Import Library Assimp 6.0.2. Affected is the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. This manipulation causes allocation of resources. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11274"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/assimp/assimp/issues/6356"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/user-attachments/files/22407575/poc.zip"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.327008"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.327008"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.658075"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-05T01:15:35Z"
+  }
+}
