Publish Advisories

GHSA-2rmp-qgp4-wg66
GHSA-f46x-7cm8-vxx8
GHSA-f985-hh3h-wcqc

Author: advisory-database[bot]

advisories/unreviewed/2025/11/GHSA-2rmp-qgp4-wg66/GHSA-2rmp-qgp4-wg66.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2rmp-qgp4-wg66",
+  "modified": "2025-11-15T21:30:12Z",
+  "published": "2025-11-15T21:30:12Z",
+  "aliases": [
+    "CVE-2025-13209"
+  ],
+  "details": "A weakness has been identified in bestfeng oa_git_free up to 9.5. This affects the function updateWriteBack of the file yimioa-oa9.5\\server\\c-flow\\src\\main\\java\\com\\cloudweb\\oa\\controller\\WorkflowPredefineController.java. This manipulation of the argument writeProp causes xml external entity reference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13209"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/bkglfpp/CVE-md/blob/main/%E4%BA%91%E7%BD%91%E5%8D%8F%E5%90%8C%E5%8A%9E%E5%85%AC%E7%B3%BB%E7%BB%9F/XXE.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.332528"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.332528"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.685626"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-610"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-15T19:15:43Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-f46x-7cm8-vxx8/GHSA-f46x-7cm8-vxx8.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f46x-7cm8-vxx8",
+  "modified": "2025-11-15T21:30:12Z",
+  "published": "2025-11-15T21:30:12Z",
+  "aliases": [
+    "CVE-2025-13210"
+  ],
+  "details": "A security vulnerability has been detected in itsourcecode Inventory Management System 1.0. This impacts an unknown function of the file /admin/products/index.php?view=add. Such manipulation of the argument PROMODEL leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13210"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/yihaofuweng/cve/issues/56"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.332529"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.332529"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.685702"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-15T19:15:43Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-f985-hh3h-wcqc/GHSA-f985-hh3h-wcqc.json

@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f985-hh3h-wcqc",
+  "modified": "2025-11-15T21:30:12Z",
+  "published": "2025-11-15T21:30:12Z",
+  "aliases": [
+    "CVE-2025-13221"
+  ],
+  "details": "A weakness has been identified in Intelbras UnniTI 24.07.11. The affected element is an unknown function of the file /xml/sistema/usuarios.xml. Executing manipulation of the argument Usuario/Senha can lead to unprotected storage of credentials. The attack can be executed remotely. The exploit has been made available to the public and could be exploited.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13221"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.332537"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.332537"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.685825"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.notion.so/eldruin/Intelbras-UnniTI-Plaintext-Admin-Credentials-Disclosure-29c27474cccb8008b2d7ea60affdf86e?source=copy_link"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-15T20:15:42Z"
+  }
+}