Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 5a9d0de4de42 · 2025-11-26T22:02:57.000Z
GHSA-8wf8-frjg-xv74 GHSA-93vm-mqpw-8wh3 GHSA-vqc7-7fj4-3fm3 GHSA-xj9j-gjxg-7jvq
diff --git a/advisories/github-reviewed/2025/11/GHSA-8wf8-frjg-xv74/GHSA-8wf8-frjg-xv74.json b/advisories/github-reviewed/2025/11/GHSA-8wf8-frjg-xv74/GHSA-8wf8-frjg-xv74.json
@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8wf8-frjg-xv74",
-  "modified": "2025-11-17T06:30:15Z",
+  "modified": "2025-11-26T22:02:07Z",
   "published": "2025-11-17T06:30:15Z",
   "aliases": [
     "CVE-2025-13265"
   ],
+  "summary": "lsFusion Server is vulnerable to Path Traversal through its unpackFile function",
   "details": "A weakness has been identified in lsfusion platform up to 6.1. This vulnerability affects the function unpackFile of the file server/src/main/java/lsfusion/server/physics/dev/integration/external/to/file/ZipUtils.java. This manipulation causes path traversal. It is possible to initiate the attack remotely.",
   "severity": [
     {
@@ -14,10 +15,30 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "lsfusion.platform:server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "6.0-beta2"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -27,6 +48,10 @@
       "type": "WEB",
       "url": "https://github.com/lsfusion/platform/issues/1545"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/lsfusion/platformx"
+    },
     {
       "type": "WEB",
       "url": "https://vuldb.com/?ctiid.332600"
@@ -45,8 +70,8 @@
       "CWE-22"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-26T22:02:07Z",
     "nvd_published_at": "2025-11-17T06:15:43Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/11/GHSA-93vm-mqpw-8wh3/GHSA-93vm-mqpw-8wh3.json b/advisories/github-reviewed/2025/11/GHSA-93vm-mqpw-8wh3/GHSA-93vm-mqpw-8wh3.json
@@ -1,56 +1,81 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-93vm-mqpw-8wh3",
-  "modified": "2025-11-26T00:30:25Z",
+  "modified": "2025-11-26T22:01:36Z",
   "published": "2025-11-25T18:32:22Z",
   "aliases": [
     "CVE-2025-13467"
   ],
+  "summary": "Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization",
   "details": "A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-ldap-federation"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "26.4.6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13467"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:22088"
+      "url": "https://github.com/keycloak/keycloak/issues/44478"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:22089"
+      "url": "https://github.com/keycloak/keycloak/commit/754c070cf8ca187dcc71f0f72ff3130ff2195328"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:22090"
+      "url": "https://access.redhat.com/errata/RHSA-2025:22088"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/errata/RHSA-2025:22091"
+      "url": "https://access.redhat.com/security/cve/CVE-2025-13467"
     },
     {
       "type": "WEB",
-      "url": "https://access.redhat.com/security/cve/CVE-2025-13467"
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416038"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keycloak/keycloak"
     },
     {
       "type": "WEB",
-      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416038"
+      "url": "https://github.com/keycloak/keycloak/releases/tag/26.4.6"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-502"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-26T22:01:36Z",
     "nvd_published_at": "2025-11-25T16:16:06Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/11/GHSA-vqc7-7fj4-3fm3/GHSA-vqc7-7fj4-3fm3.json b/advisories/github-reviewed/2025/11/GHSA-vqc7-7fj4-3fm3/GHSA-vqc7-7fj4-3fm3.json
@@ -1,30 +1,55 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vqc7-7fj4-3fm3",
-  "modified": "2025-11-25T18:32:22Z",
+  "modified": "2025-11-26T22:00:50Z",
   "published": "2025-11-25T18:32:22Z",
   "aliases": [
     "CVE-2025-64049"
   ],
+  "summary": "REDAXO CMS is vulnerable to XSS through its module management component",
   "details": "A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules. The payload is executed when a user views or edits an article by adding slice that uses the compromised module.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "redaxo/source"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.20.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64049"
     },
     {
       "type": "WEB",
-      "url": "https://drive.google.com/drive/folders/1SpwL548ZBRYU_uL8W7Riv7VHshr2UN0R?usp=sharing"
+      "url": "https://github.com/redaxo/redaxo/commit/58929062312cf03e344ab04067a365e6b6ee66aa"
     },
     {
       "type": "WEB",
+      "url": "https://drive.google.com/drive/folders/1SpwL548ZBRYU_uL8W7Riv7VHshr2UN0R?usp=sharing"
+    },
+    {
+      "type": "PACKAGE",
       "url": "https://github.com/redaxo/redaxo"
     },
     {
@@ -37,8 +62,8 @@
       "CWE-79"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-26T22:00:50Z",
     "nvd_published_at": "2025-11-25T16:16:07Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/11/GHSA-xj9j-gjxg-7jvq/GHSA-xj9j-gjxg-7jvq.json b/advisories/github-reviewed/2025/11/GHSA-xj9j-gjxg-7jvq/GHSA-xj9j-gjxg-7jvq.json
@@ -1,30 +1,55 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xj9j-gjxg-7jvq",
-  "modified": "2025-11-25T18:32:22Z",
+  "modified": "2025-11-26T22:00:29Z",
   "published": "2025-11-25T18:32:22Z",
   "aliases": [
     "CVE-2025-64050"
   ],
+  "summary": "REDAXO CMS is vulnerable to RCE attack through its template management component",
   "details": "A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to execute arbitrary operating system commands by injecting PHP code into an active template. The payload is executed when visitors access frontend pages using the compromised template.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "redaxo/source"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.20.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64050"
     },
     {
       "type": "WEB",
-      "url": "https://drive.google.com/drive/folders/1Via4r4wn5zCcBllWmHpxYweCPgcbN0bz?usp=sharing"
+      "url": "https://github.com/redaxo/redaxo/pull/6372/commits/bc96462e20f7e651b2e6c3bb59d141d5cb09af0f"
     },
     {
       "type": "WEB",
+      "url": "https://drive.google.com/drive/folders/1Via4r4wn5zCcBllWmHpxYweCPgcbN0bz?usp=sharing"
+    },
+    {
+      "type": "PACKAGE",
       "url": "https://github.com/redaxo/redaxo"
     },
     {
@@ -37,8 +62,8 @@
       "CWE-94"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-26T22:00:29Z",
     "nvd_published_at": "2025-11-25T16:16:07Z"
   }
 }
