Publish Advisories

GHSA-2hg8-9339-xpwg
GHSA-3679-62vm-qq5r
GHSA-5j73-c8q2-cfqp
GHSA-7954-xqv5-fh2r
GHSA-7xq4-mwcp-q8fx
GHSA-f85h-c7m6-cfpm
GHSA-hq57-c72x-4774
GHSA-jhx5-4vr4-f327
GHSA-m4g6-6v9m-6q6x
GHSA-mjv5-8wf2-6rhp
GHSA-p8g3-7r42-x5c9

Author: advisory-database[bot]

advisories/unreviewed/2025/12/GHSA-2hg8-9339-xpwg/GHSA-2hg8-9339-xpwg.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2hg8-9339-xpwg",
+  "modified": "2025-12-26T06:30:27Z",
+  "published": "2025-12-26T06:30:27Z",
+  "aliases": [
+    "CVE-2025-15099"
+  ],
+  "details": "A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15099"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/simstudioai/sim/pull/2343"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/simstudioai/sim/commit/e359dc2946b12ed5e45a0ec9c95ecf91bd18502a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2#-steps-to-reproduce"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338430"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338430"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.710255"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-26T04:15:40Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-3679-62vm-qq5r/GHSA-3679-62vm-qq5r.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3679-62vm-qq5r",
+  "modified": "2025-12-26T06:30:27Z",
+  "published": "2025-12-26T06:30:27Z",
+  "aliases": [
+    "CVE-2025-52598"
+  ],
+  "details": "Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has found a flaw that camera's client service does not perform certificate validation. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52598"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-295"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-26T05:16:07Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-5j73-c8q2-cfqp/GHSA-5j73-c8q2-cfqp.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5j73-c8q2-cfqp",
+  "modified": "2025-12-26T06:30:27Z",
+  "published": "2025-12-26T06:30:27Z",
+  "aliases": [
+    "CVE-2025-52600"
+  ],
+  "details": "Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered a vulnerability in camera video analytics that Improper input validation. This vulnerability could allow an attacker to execute specific commands on the user's host PC.The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52600"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-26T05:16:11Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-7954-xqv5-fh2r/GHSA-7954-xqv5-fh2r.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7954-xqv5-fh2r",
+  "modified": "2025-12-26T06:30:27Z",
+  "published": "2025-12-26T06:30:27Z",
+  "aliases": [
+    "CVE-2025-52601"
+  ],
+  "details": "Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered a vulnerability in Device Manager that a hardcoded encryption key for sensitive information. An attacker can use key to decrypt sensitive information. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52601"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-321"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-26T05:16:11Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-7xq4-mwcp-q8fx/GHSA-7xq4-mwcp-q8fx.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7xq4-mwcp-q8fx",
+  "modified": "2025-12-26T06:30:27Z",
+  "published": "2025-12-26T06:30:27Z",
+  "aliases": [
+    "CVE-2025-68945"
+  ],
+  "details": "In Gitea before 1.21.2, an anonymous user can visit a private user's project.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68945"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/pull/28423"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blog.gitea.com/release-of-1.21.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/releases/tag/v1.21.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-359"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-26T04:15:41Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-f85h-c7m6-cfpm/GHSA-f85h-c7m6-cfpm.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f85h-c7m6-cfpm",
+  "modified": "2025-12-26T06:30:27Z",
+  "published": "2025-12-26T06:30:27Z",
+  "aliases": [
+    "CVE-2025-68944"
+  ],
+  "details": "Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68944"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/pull/31967"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blog.gitea.com/release-of-1.22.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-441"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-26T04:15:41Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-hq57-c72x-4774/GHSA-hq57-c72x-4774.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hq57-c72x-4774",
+  "modified": "2025-12-26T06:30:27Z",
+  "published": "2025-12-26T06:30:27Z",
+  "aliases": [
+    "CVE-2025-68946"
+  ],
+  "details": "In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68946"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/pull/25960"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blog.gitea.com/release-of-1.20.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/releases/tag/v1.20.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-26T05:16:11Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-jhx5-4vr4-f327/GHSA-jhx5-4vr4-f327.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jhx5-4vr4-f327",
+  "modified": "2025-12-26T06:30:27Z",
+  "published": "2025-12-26T06:30:27Z",
+  "aliases": [
+    "CVE-2025-68943"
+  ],
+  "details": "Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68943"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/pull/29430"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blog.gitea.com/release-of-1.21.8-and-1.21.9-and-1.21.10"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/releases/tag/v1.21.8"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-497"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-26T04:15:41Z"
+  }
+}