Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 28d3db6e7f3c · 2025-10-30T17:06:39.000Z
GHSA-27fv-rpgj-4c6m GHSA-27mc-9399-r9mx GHSA-fg8x-q69g-4qp3 GHSA-jxp8-4jw5-5xjc GHSA-xgp7-7qjq-vg47
diff --git a/advisories/github-reviewed/2025/10/GHSA-27fv-rpgj-4c6m/GHSA-27fv-rpgj-4c6m.json b/advisories/github-reviewed/2025/10/GHSA-27fv-rpgj-4c6m/GHSA-27fv-rpgj-4c6m.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-27fv-rpgj-4c6m",
-  "modified": "2025-10-30T15:32:35Z",
+  "modified": "2025-10-30T17:05:23Z",
   "published": "2025-10-30T00:31:03Z",
   "aliases": [
     "CVE-2025-10930"
   ],
-  "details": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery.This issue affects Currency: from 0.0.0 before 3.5.0.",
+  "summary": "Drupal Currency allows Cross Site Request Forgery",
+  "details": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery. This issue affects Currency: from 0.0.0 before 3.5.0.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/currency"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.5.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -29,8 +50,8 @@
       "CWE-352"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-30T17:05:23Z",
     "nvd_published_at": "2025-10-30T00:15:34Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/10/GHSA-27mc-9399-r9mx/GHSA-27mc-9399-r9mx.json b/advisories/github-reviewed/2025/10/GHSA-27mc-9399-r9mx/GHSA-27mc-9399-r9mx.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-27mc-9399-r9mx",
-  "modified": "2025-10-30T15:32:35Z",
+  "modified": "2025-10-30T17:05:06Z",
   "published": "2025-10-30T00:31:03Z",
   "aliases": [
     "CVE-2025-10928"
   ],
-  "details": "Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force.This issue affects Access code: from 0.0.0 before 2.0.5.",
+  "summary": "Drupal Access code allows Brute Force Attempts",
+  "details": "Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force. This issue affects Access code: from 0.0.0 before 2.0.5.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/access_code"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.5"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -29,8 +50,8 @@
       "CWE-307"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-30T17:05:05Z",
     "nvd_published_at": "2025-10-30T00:15:34Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/10/GHSA-fg8x-q69g-4qp3/GHSA-fg8x-q69g-4qp3.json b/advisories/github-reviewed/2025/10/GHSA-fg8x-q69g-4qp3/GHSA-fg8x-q69g-4qp3.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fg8x-q69g-4qp3",
-  "modified": "2025-10-30T15:32:35Z",
+  "modified": "2025-10-30T17:05:15Z",
   "published": "2025-10-30T00:31:03Z",
   "aliases": [
     "CVE-2025-10929"
   ],
-  "details": "Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables.This issue affects Reverse Proxy Header: from 0.0.0 before 1.1.2.",
+  "summary": "Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables",
+  "details": "Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables. This issue affects Reverse Proxy Header: from 0.0.0 before 1.1.2.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/reverse_proxy_header"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.1.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -29,8 +50,8 @@
       "CWE-1288"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-30T17:05:15Z",
     "nvd_published_at": "2025-10-30T00:15:34Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/10/GHSA-jxp8-4jw5-5xjc/GHSA-jxp8-4jw5-5xjc.json b/advisories/github-reviewed/2025/10/GHSA-jxp8-4jw5-5xjc/GHSA-jxp8-4jw5-5xjc.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jxp8-4jw5-5xjc",
-  "modified": "2025-10-30T15:32:35Z",
+  "modified": "2025-10-30T17:05:32Z",
   "published": "2025-10-30T00:31:03Z",
   "aliases": [
     "CVE-2025-10931"
   ],
-  "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS).This issue affects Umami Analytics: from 0.0.0 before 1.0.1.",
+  "summary": "Drupal Umami Analytics allows Cross-Site Scripting (XSS)",
+  "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS). This issue affects Umami Analytics: from 0.0.0 before 1.0.1.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/umami_analytics"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.0.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -29,8 +50,8 @@
       "CWE-79"
     ],
     "severity": "LOW",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-30T17:05:32Z",
     "nvd_published_at": "2025-10-30T00:15:34Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/10/GHSA-xgp7-7qjq-vg47/GHSA-xgp7-7qjq-vg47.json b/advisories/github-reviewed/2025/10/GHSA-xgp7-7qjq-vg47/GHSA-xgp7-7qjq-vg47.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xgp7-7qjq-vg47",
+  "modified": "2025-10-30T17:04:26Z",
+  "published": "2025-10-30T17:04:26Z",
+  "aliases": [
+    "CVE-2025-62726"
+  ],
+  "summary": "n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook",
+  "details": "### Impact\nA remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution.\n\nThis allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows.\n\nAll users with workflows that utilize the Git Node to clone untrusted repositories are affected.\n\n### Patches\nThe vulnerability was addressed in v1.113.0 (n8n-io/n8n#19559), which introduces a new environment variable: `N8N_GIT_NODE_DISABLE_BARE_REPOS`. For self-hosted deployments, it is strongly recommended to set this variable to `true` to mitigate the risk of executing malicious Git hooks.\n\n### Workarounds\nTo reduce risk prior to upgrading:\n\n- Avoid cloning or interacting with untrusted repositories using the Git Node.\n- Disable or restrict the use of the Git Node in workflows where repository content cannot be fully trusted.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "n8n"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.113.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-xgp7-7qjq-vg47"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/n8n-io/n8n/pull/19559"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/n8n-io/n8n/commit/5bf3db5ba84d3195bbe11bbd3c62f7086e090997"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/n8n-io/n8n"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-829"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-30T17:04:26Z",
+    "nvd_published_at": null
+  }
+}
