Skip to content

Commit 38cad68

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-m4g9-5mg6-gfr3 GHSA-rwvp-r38j-9rgg GHSA-rwvp-r38j-9rgg
1 parent 9728a60 commit 38cad68

File tree

3 files changed

+95
-41
lines changed

3 files changed

+95
-41
lines changed

advisories/unreviewed/2025/10/GHSA-m4g9-5mg6-gfr3/GHSA-m4g9-5mg6-gfr3.json renamed to advisories/github-reviewed/2025/10/GHSA-m4g9-5mg6-gfr3/GHSA-m4g9-5mg6-gfr3.json

Lines changed: 34 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,24 +1,53 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-m4g9-5mg6-gfr3",
4-
"modified": "2025-10-10T15:31:28Z",
4+
"modified": "2025-10-11T00:33:05Z",
55
"published": "2025-10-10T15:31:28Z",
66
"aliases": [
77
"CVE-2025-62237"
88
],
9+
"summary": "Liferay Portal Commerce is vulnerable to XSS through account \"name\" field",
910
"details": "Stored cross-site scripting (XSS) vulnerability in Commerce’s view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account’s “Name” text field.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V4",
13-
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Maven",
21+
"name": "com.liferay.commerce:com.liferay.commerce.order.web"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "5.0.29"
29+
},
30+
{
31+
"fixed": "5.0.101"
32+
}
33+
]
34+
}
35+
]
1436
}
1537
],
16-
"affected": [],
1738
"references": [
1839
{
1940
"type": "ADVISORY",
2041
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62237"
2142
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/liferay/liferay-portal/commit/e6d49eda196676aa3fecb26f6a8ba100602d0c36"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/liferay/com-liferay-commerce"
50+
},
2251
{
2352
"type": "WEB",
2453
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62237"
@@ -29,8 +58,8 @@
2958
"CWE-79"
3059
],
3160
"severity": "MODERATE",
32-
"github_reviewed": false,
33-
"github_reviewed_at": null,
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2025-10-11T00:33:05Z",
3463
"nvd_published_at": "2025-10-10T13:15:48Z"
3564
}
3665
}

advisories/github-reviewed/2025/10/GHSA-rwvp-r38j-9rgg/GHSA-rwvp-r38j-9rgg.json

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-rwvp-r38j-9rgg",
4+
"modified": "2025-10-11T00:32:44Z",
5+
"published": "2025-10-10T12:30:57Z",
6+
"aliases": [
7+
"CVE-2025-11579"
8+
],
9+
"summary": "rardecode: DoS risk due to unrestricted RAR dictionary sizes",
10+
"details": "rardecode versions <= 2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/nwaples/rardecode/v2"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.2.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "ADVISORY",
41+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11579"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/nwaples/rardecode/commit/52fb4e825c936636f251f7e7deded39ab11df9a9"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/nwaples/rardecode"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-789"
55+
],
56+
"severity": "MODERATE",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2025-10-11T00:32:44Z",
59+
"nvd_published_at": "2025-10-10T12:15:37Z"
60+
}
61+
}

advisories/unreviewed/2025/10/GHSA-rwvp-r38j-9rgg/GHSA-rwvp-r38j-9rgg.json

Lines changed: 0 additions & 36 deletions
This file was deleted.

0 commit comments

Comments
 (0)