Advisory Database Sync

Author: advisory-database[bot]

advisories/github-reviewed/2025/11/GHSA-6pmj-xjxp-p8g9/GHSA-6pmj-xjxp-p8g9.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6pmj-xjxp-p8g9",
-  "modified": "2025-11-19T14:24:56Z",
+  "modified": "2025-12-05T18:31:51Z",
   "published": "2025-11-18T18:48:01Z",
   "aliases": [
     "CVE-2025-65093"
@@ -28,11 +28,14 @@
               "introduced": "0"
             },
             {
-              "last_affected": "25.10.0"
+              "fixed": "25.11.0"
             }
           ]
         }
-      ]
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 25.10.0"
+      }
     }
   ],
   "references": [

advisories/unreviewed/2024/01/GHSA-v432-65m6-c4x6/GHSA-v432-65m6-c4x6.json

@@ -1,12 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v432-65m6-c4x6",
-  "modified": "2024-01-04T15:30:22Z",
+  "modified": "2025-12-05T18:31:06Z",
   "published": "2024-01-04T15:30:22Z",
   "aliases": [
     "CVE-2023-49666"
   ],
-  "details": "Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'custmer_details' parameter of the submit_material_list.php resource does not validate the characters received and they are sent unfiltered to the database.\n\n",
+  "details": "Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'custmer_details' parameter of the submit_material_list.php resource does not validate the characters received and they are sent unfiltered to the database.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/unreviewed/2024/03/GHSA-f357-4jg5-3c72/GHSA-f357-4jg5-3c72.json

@@ -1,12 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f357-4jg5-3c72",
-  "modified": "2024-03-28T09:31:12Z",
+  "modified": "2025-12-05T18:31:07Z",
   "published": "2024-03-28T09:31:12Z",
   "aliases": [
     "CVE-2024-25599"
   ],
-  "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Castos Seriously Simple Podcasting allows Reflected XSS.This issue affects Seriously Simple Podcasting: from n/a through 3.0.2.\n\n",
+  "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Castos Seriously Simple Podcasting allows Reflected XSS.This issue affects Seriously Simple Podcasting: from n/a through 3.0.2.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/unreviewed/2025/03/GHSA-8h4g-52x5-5r4v/GHSA-8h4g-52x5-5r4v.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8h4g-52x5-5r4v",
-  "modified": "2025-03-26T12:30:35Z",
+  "modified": "2025-12-05T18:31:07Z",
   "published": "2025-03-26T12:30:35Z",
   "aliases": [
     "CVE-2025-1913"
@@ -19,6 +19,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1913"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/S0haib518-KSA/CVE-2025-1913-PoC"
+    },
     {
       "type": "WEB",
       "url": "https://plugins.trac.wordpress.org/browser/product-import-export-for-woo/trunk/admin/modules/import/classes/class-import-ajax.php"

advisories/unreviewed/2025/12/GHSA-2hhf-9f74-3jqg/GHSA-2hhf-9f74-3jqg.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2hhf-9f74-3jqg",
+  "modified": "2025-12-05T18:31:11Z",
+  "published": "2025-12-05T18:31:11Z",
+  "aliases": [
+    "CVE-2025-64056"
+  ],
+  "details": "File upload vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store arbitrary files on the filesystem.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64056"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64056.md"
+    },
+    {
+      "type": "WEB",
+      "url": "http://fanvil.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-05T16:15:50Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-399h-rrqc-rpgv/GHSA-399h-rrqc-rpgv.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-399h-rrqc-rpgv",
-  "modified": "2025-12-02T18:30:30Z",
+  "modified": "2025-12-05T18:31:07Z",
   "published": "2025-12-01T18:30:38Z",
   "aliases": [
     "CVE-2025-13836"
@@ -27,6 +27,10 @@
       "type": "WEB",
       "url": "https://github.com/python/cpython/pull/119454"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155"

advisories/unreviewed/2025/12/GHSA-3ch6-fjmw-mj86/GHSA-3ch6-fjmw-mj86.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3ch6-fjmw-mj86",
+  "modified": "2025-12-05T18:31:10Z",
+  "published": "2025-12-05T18:31:10Z",
+  "aliases": [
+    "CVE-2025-14089"
+  ],
+  "details": "A vulnerability was identified in Himool ERP up to 2.2. Affected by this issue is the function update_account of the file /api/admin/update_account/ of the component AdminActionViewSet. Such manipulation leads to improper authorization. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14089"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/caigo8/CVE-md/blob/main/BoxwoodERP/%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.334479"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.334479"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.696049"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-266"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-05T16:15:48Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-3j3g-3pw9-9vcc/GHSA-3j3g-3pw9-9vcc.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3j3g-3pw9-9vcc",
-  "modified": "2025-12-05T12:30:13Z",
+  "modified": "2025-12-05T18:31:09Z",
   "published": "2025-12-05T12:30:13Z",
   "aliases": [
     "CVE-2025-66200"
   ],
   "details": "mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid.\n\nThis issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.\n\nUsers are recommended to upgrade to version 2.4.66, which fixes the issue.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-288"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-12-05T11:15:52Z"

advisories/unreviewed/2025/12/GHSA-479c-6w78-7qfg/GHSA-479c-6w78-7qfg.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-479c-6w78-7qfg",
+  "modified": "2025-12-05T18:31:11Z",
+  "published": "2025-12-05T18:31:11Z",
+  "aliases": [
+    "CVE-2025-65879"
+  ],
+  "details": "Warehouse Management System 1.2 contains an authenticated arbitrary file deletion vulnerability. The /goods/deleteGoods endpoint accepts a user-controlled goodsimg parameter, which is directly concatenated with the server's UPLOAD_PATH and passed to File.delete() without validation. A remote authenticated attacker can delete arbitrary files on the server by supplying directory traversal payloads.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65879"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/W000i/vuln/issues/3"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-05T17:16:04Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-4m29-g52g-c6qc/GHSA-4m29-g52g-c6qc.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4m29-g52g-c6qc",
-  "modified": "2025-12-05T15:30:27Z",
+  "modified": "2025-12-05T18:31:10Z",
   "published": "2025-12-05T15:30:27Z",
   "aliases": [
     "CVE-2025-58098"
   ],
   "details": "Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd=\"...\" directives.\n\nThis issue affects Apache HTTP Server before 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.66, which fixes the issue.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -27,7 +32,7 @@
     "cwe_ids": [
       "CWE-201"
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-12-05T14:15:49Z"