Publish Advisories

GHSA-3xw3-q4cq-8785
GHSA-5ph2-8ccr-vhmp
GHSA-c7x8-7w72-4vv4

Author: advisory-database[bot]

advisories/unreviewed/2025/10/GHSA-3xw3-q4cq-8785/GHSA-3xw3-q4cq-8785.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3xw3-q4cq-8785",
+  "modified": "2025-10-19T09:30:24Z",
+  "published": "2025-10-19T09:30:24Z",
+  "aliases": [
+    "CVE-2025-11938"
+  ],
+  "details": "A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11938"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.329014"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.329014"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.671083"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-19T08:15:32Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-5ph2-8ccr-vhmp/GHSA-5ph2-8ccr-vhmp.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5ph2-8ccr-vhmp",
+  "modified": "2025-10-19T09:30:24Z",
+  "published": "2025-10-19T09:30:24Z",
+  "aliases": [
+    "CVE-2025-11940"
+  ],
+  "details": "A security vulnerability has been detected in LibreWolf up to 143.0.4-1 on Windows. This affects an unknown function of the file assets/setup.nsi of the component Installer. Such manipulation leads to uncontrolled search path. The attack must be carried out locally. Attacks of this nature are highly complex. The exploitability is reported as difficult. Upgrading to version 144.0-1 mitigates this issue. The name of the patch is dd10e31dd873e9cb309fad8aed921d45bf905a55. It is suggested to upgrade the affected component.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11940"
+    },
+    {
+      "type": "WEB",
+      "url": "https://codeberg.org/librewolf/bsys6/commit/dd10e31dd873e9cb309fad8aed921d45bf905a55"
+    },
+    {
+      "type": "WEB",
+      "url": "https://codeberg.org/librewolf/bsys6/releases/tag/144.0-1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Cyber-Wo0dy/report/blob/main/librewolf/143.0.4-1/librewolf_installer_exe_hijacking.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.329019"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.329019"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.671575"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-426"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-19T09:15:32Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-c7x8-7w72-4vv4/GHSA-c7x8-7w72-4vv4.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c7x8-7w72-4vv4",
+  "modified": "2025-10-19T09:30:24Z",
+  "published": "2025-10-19T09:30:24Z",
+  "aliases": [
+    "CVE-2025-11939"
+  ],
+  "details": "A vulnerability was determined in ChurchCRM up to 5.18.0. This issue affects some unknown processing of the file src/ChurchCRM/Backup/RestoreJob.php of the component Backup Restore Handler. Executing manipulation of the argument restoreFile can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11939"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/uartu0/advisories/blob/main/churchcrm-path-traversal-rce-2025.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.329015"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.329015"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.671101"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-19T08:15:33Z"
+  }
+}