
Commit 6fe9281

1 parent b3b2ee8 commit 6fe9281


4 files changed

+384
-72
lines changed

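--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/GHSA-7hrj-3c9x-xv5h.json
@@ -0,0 +1,192 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-7hrj-3c9x-xv5h",
+"modified": "2025-10-21T21:36:58Z",
+"published": "2025-08-12T18:31:30Z",
+"aliases": [
+"CVE-2025-49556"
+],
+"summary": "Magento has incorrect authorization issue that leads to arbitrary file system read",
+"details": "Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction, and scope is unchanged.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/project-community-edition"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"last_affected": "2.0.2"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.4.9-alpha1"
+},
+{
+"fixed": "2.4.9-alpha2"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.4.8-beta1"
+},
+{
+"fixed": "2.4.8-p2"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.4.7-beta1"
+},
+{
+"fixed": "2.4.7-p7"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.4.6-p1"
+},
+{
+"fixed": "2.4.6-p12"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "2.4.5-p14"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"versions": [
+"2.4.5"
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"versions": [
+"2.4.6"
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"versions": [
+"2.4.7"
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"versions": [
+"2.4.8"
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49556"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/magento/magento2"
+},
+{
+"type": "WEB",
+"url": "https://helpx.adobe.com/security/products/magento/apsb25-71.html"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-863"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2025-10-21T21:36:58Z",
+"nvd_published_at": "2025-08-12T18:15:29Z"
+}
+}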
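Review bot: The `magento/community-edition` range `"introduced": "0"` … `"fixed": "2.4.5-p14"` also covers the whole 2.4.4 line, although `details` names 2.4.4-p14 as the last affected release on that branch. Any later 2.4.4 patch release would presumably sort below 2.4.5-p14 and still be reported as vulnerable by scanners consuming this record. I would give 2.4.4 its own range, `{"introduced": "0"}, {"fixed": "<first fixed 2.4.4 release per the vendor bulletin>"}`, and start the 2.4.5 range at the first 2.4.5 release. The 2.4.6 range also begins at `2.4.6-p1` while the 2.4.7 and 2.4.8 ranges begin at `-beta1`, so 2.4.6 pre-releases match no range; worth confirming that is intended. The other advisory file added in this commit (GHSA-h4f4-gv6h-x824) carries the same `affected` list and needs the same check.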
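--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/GHSA-h4f4-gv6h-x824.json
@@ -0,0 +1,192 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-h4f4-gv6h-x824",
+"modified": "2025-10-21T21:37:08Z",
+"published": "2025-08-12T18:31:30Z",
+"aliases": [
+"CVE-2025-49559"
+],
+"summary": "Magento vulnerable to path traversal",
+"details": "Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to modify limited data. Exploitation of this issue does not require user interaction.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/project-community-edition"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"last_affected": "2.0.2"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.4.9-alpha1"
+},
+{
+"fixed": "2.4.9-alpha2"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.4.8-beta1"
+},
+{
+"fixed": "2.4.8-p2"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.4.7-beta1"
+},
+{
+"fixed": "2.4.7-p7"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.4.6-p1"
+},
+{
+"fixed": "2.4.6-p12"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "2.4.5-p14"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"versions": [
+"2.4.5"
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"versions": [
+"2.4.6"
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"versions": [
+"2.4.7"
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "magento/community-edition"
+},
+"versions": [
+"2.4.8"
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49559"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/magento/magento2"
+},
+{
+"type": "WEB",
+"url": "https://helpx.adobe.com/security/products/magento/apsb25-71.html"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-22"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2025-10-21T21:37:08Z",
+"nvd_published_at": "2025-08-12T18:15:29Z"
+}
+}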
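Review bot: The `summary` says only "path traversal", while the vector is `C:N/I:L/A:N` and `details` describes limited data modification, so someone triaging on the summary line cannot tell this is a write-side issue rather than a file read. A summary that states the impact, such as `"summary": "Magento vulnerable to path traversal that allows limited data modification"`, would match the scored impact and the MODERATE rating. The vector also states `PR:N`, which `details` does not mention; adding that the issue is reachable without authentication, if the vendor bulletin confirms it, would help defenders prioritise patching.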
