Publish Advisories

GHSA-39gf-78j2-vwxh
GHSA-53j9-8fm4-3gf5
GHSA-8j49-66vh-8w64
GHSA-95c9-mv7r-2wgh
GHSA-g6q4-chqv-724q
GHSA-hj85-g2fm-mxw9
GHSA-jq9h-gmxw-7j5w
GHSA-jv3w-4h8m-v487
GHSA-qv25-9f5q-rj39
GHSA-rcm6-w3rr-fcw3
GHSA-rh9w-5362-2p58
GHSA-v854-296p-97gp
GHSA-vmhc-4p3p-6gpv
GHSA-x5mr-f43m-7r93
GHSA-xqhw-96qr-hjw7

Author: advisory-database[bot]

advisories/unreviewed/2025/09/GHSA-39gf-78j2-vwxh/GHSA-39gf-78j2-vwxh.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-39gf-78j2-vwxh",
+  "modified": "2025-09-17T09:30:44Z",
+  "published": "2025-09-17T09:30:44Z",
+  "aliases": [
+    "CVE-2025-0419"
+  ],
+  "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc. Zirve Nova allows Cross-Site Scripting (XSS).This issue affects Zirve Nova: from 235 through 20250131.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0419"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.usom.gov.tr/bildirim/tr-25-0260"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-09-17T09:15:30Z"
+  }
+}

advisories/unreviewed/2025/09/GHSA-53j9-8fm4-3gf5/GHSA-53j9-8fm4-3gf5.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-53j9-8fm4-3gf5",
+  "modified": "2025-09-17T09:30:45Z",
+  "published": "2025-09-17T09:30:45Z",
+  "aliases": [
+    "CVE-2025-59458"
+  ],
+  "details": "In JetBrains Junie before 252.284.66,\n251.284.66,\n243.284.66,\n252.284.61,\n251.284.61,\n243.284.61,\n252.284.50,\n252.284.54,\n251.284.54,\n251.284.50,\n243.284.54,\n243.284.50 code execution was possible due to improper command validation",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59458"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-09-17T09:15:32Z"
+  }
+}

advisories/unreviewed/2025/09/GHSA-8j49-66vh-8w64/GHSA-8j49-66vh-8w64.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8j49-66vh-8w64",
+  "modified": "2025-09-17T09:30:45Z",
+  "published": "2025-09-17T09:30:45Z",
+  "aliases": [
+    "CVE-2025-59456"
+  ],
+  "details": "In JetBrains TeamCity before 2025.07.2 path traversal was possible during project archive upload",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59456"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-23"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-09-17T09:15:31Z"
+  }
+}

advisories/unreviewed/2025/09/GHSA-95c9-mv7r-2wgh/GHSA-95c9-mv7r-2wgh.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-95c9-mv7r-2wgh",
+  "modified": "2025-09-17T09:30:44Z",
+  "published": "2025-09-17T09:30:44Z",
+  "aliases": [
+    "CVE-2025-9565"
+  ],
+  "details": "The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocksy_newsletter_subscribe shortcode in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9565"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/blocksy-companion/tags/2.1.9/framework/extensions/newsletter-subscribe/extension.php#L191"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/blocksy-companion/tags/2.1.9/framework/extensions/newsletter-subscribe/helpers.php#L65"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3360000/blocksy-companion/trunk/framework/extensions/newsletter-subscribe/helpers.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wordpress.org/plugins/blocksy-companion"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c28e740e-9337-41b5-a8e7-ca68e41eaed4?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-09-17T07:15:43Z"
+  }
+}

advisories/unreviewed/2025/09/GHSA-g6q4-chqv-724q/GHSA-g6q4-chqv-724q.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g6q4-chqv-724q",
+  "modified": "2025-09-17T09:30:44Z",
+  "published": "2025-09-17T09:30:44Z",
+  "aliases": [
+    "CVE-2025-9242"
+  ],
+  "details": "An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9242"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-09-17T08:15:33Z"
+  }
+}

advisories/unreviewed/2025/09/GHSA-hj85-g2fm-mxw9/GHSA-hj85-g2fm-mxw9.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hj85-g2fm-mxw9",
+  "modified": "2025-09-17T09:30:45Z",
+  "published": "2025-09-17T09:30:45Z",
+  "aliases": [
+    "CVE-2025-59455"
+  ],
+  "details": "In JetBrains TeamCity before 2025.07.2 project isolation bypass was possible due to race condition",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59455"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-362"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-09-17T09:15:31Z"
+  }
+}

advisories/unreviewed/2025/09/GHSA-jq9h-gmxw-7j5w/GHSA-jq9h-gmxw-7j5w.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jq9h-gmxw-7j5w",
+  "modified": "2025-09-17T09:30:45Z",
+  "published": "2025-09-17T09:30:45Z",
+  "aliases": [
+    "CVE-2025-59457"
+  ],
+  "details": "In JetBrains TeamCity before 2025.07.2 missing Git URL validation allowed credential leakage on Windows",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59457"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-183"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-09-17T09:15:32Z"
+  }
+}

advisories/unreviewed/2025/09/GHSA-jv3w-4h8m-v487/GHSA-jv3w-4h8m-v487.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jv3w-4h8m-v487",
+  "modified": "2025-09-17T09:30:44Z",
+  "published": "2025-09-17T09:30:44Z",
+  "aliases": [
+    "CVE-2025-9215"
+  ],
+  "details": "The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the file_download() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9215"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/d0n601/CVE-2025-9215"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/storeengine/trunk/addons/csv/ajax/export.php#L47"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3360097/storeengine/trunk/addons/csv/ajax/export.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://ryankozak.com/posts/cve-2025-9215"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07b1dc05-1340-4ea3-9315-3e1ca4a0cb7f?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-09-17T07:15:42Z"
+  }
+}

advisories/unreviewed/2025/09/GHSA-qv25-9f5q-rj39/GHSA-qv25-9f5q-rj39.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qv25-9f5q-rj39",
+  "modified": "2025-09-17T09:30:44Z",
+  "published": "2025-09-17T09:30:44Z",
+  "aliases": [
+    "CVE-2025-9449"
+  ],
+  "details": "A Use After Free vulnerability affecting the PAR file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025 could allow an attacker to execute arbitrary code while opening a specially crafted PAR file.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9449"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-9449"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-09-17T07:15:42Z"
+  }
+}