Advisory Database Sync

Author: advisory-database[bot]

advisories/github-reviewed/2025/11/GHSA-4rwr-8c3m-55f6/GHSA-4rwr-8c3m-55f6.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4rwr-8c3m-55f6",
+  "modified": "2025-11-10T21:30:44Z",
+  "published": "2025-11-10T21:30:44Z",
+  "aliases": [
+    "CVE-2025-64519"
+  ],
+  "summary": "TorrentPier is Vulnerable to Authenticated SQL Injection through Moderator Control Panel's topic_id parameter",
+  "details": "### Summary\nAn authenticated SQL injection vulnerability exists in the moderator control panel (`modcp.php`). Users with moderator permissions can exploit this vulnerability by supplying a malicious `topic_id` (`t`) parameter. This allows an authenticated moderator to execute arbitrary SQL queries, leading to the potential disclosure, modification, or deletion of any data in the database.\n\n### Details\nThe vulnerability is triggered when `modcp.php` processes a request that includes a `topic_id` (`t` parameter). The value of `$topic_id` is taken directly from user input and is not sanitized or parameterized before being concatenated into an SQL query.\n\nThis occurs within the initial data retrieval block for a given topic ID.\n\n**Vulnerable Code Block in `modcp.php` (lines 111-122):**\n```php\nif ($topic_id) {\n    $sql = \"\n\t\tSELECT\n\t\t\tf.forum_id, f.forum_name, f.forum_topics, f.self_moderated,\n\t\t\tt.topic_first_post_id, t.topic_poster\n\t\tFROM \" . BB_TOPICS . \" t, \" . BB_FORUMS . \" f\n\t\tWHERE t.topic_id = $topic_id\n\t\t\tAND f.forum_id = t.forum_id\n\t\tLIMIT 1\n\t\";\n\n    if (!$topic_row = DB()->fetch_row($sql)) {\n        bb_die($lang['INVALID_TOPIC_ID_DB']);\n    }\n    // ...\n}\n```\nIn the `WHERE t.topic_id = $topic_id` clause, the `$topic_id` variable is directly embedded into the query string. An attacker can inject SQL syntax (e.g., boolean logic, time-based functions) into the `t` parameter to manipulate the query's execution.\n\n### PoC\nThis is a time-based blind SQL injection vulnerability that requires moderator privileges.\n\n**Prerequisites:**\n1.  A running instance of TorrentPier.\n2.  An account with moderator permissions.\n\n**Steps to Reproduce:**\n\n1.  Log in as a moderator.\n2.  Obtain the full session cookie string from the browser's developer tools.\n3.  Use `sqlmap` to automate the exploitation. The tool will test the `t` parameter for vulnerabilities.\n\n**`sqlmap` Command:**\n*(Note: Replace `https://localhost` with the target URL and `\"your_full_cookie_string\"` with the actual cookie data from the browser session, e.g., `\"key1=value1; key2=value2\"`)*.\n\n```bash\nsqlmap -u \"https://localhost/modcp.php?mode=lock&t=1\" -p t --cookie \"your_full_cookie_string\" --dbms mysql --technique T --current-db\n```\n\n**`sqlmap` Output Confirmation:**\nThe following output from `sqlmap` confirms successful exploitation:\n```\n---\nParameter: t (GET)\n    Type: time-based blind\n    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n    Payload: mode=lock&t=1 AND (SELECT 9461 FROM (SELECT(SLEEP(5)))KxhM)\n---\n[INFO] the back-end DBMS is MySQL\n[INFO] fetching current database\n[INFO] retrieved: torrentpier\ncurrent database: 'torrentpier'\n```\n\n### Impact\nThis is an authenticated SQL Injection vulnerability. Although it requires moderator privileges, it is still severe. A malicious or compromised moderator account can leverage this vulnerability to:\n\n*   **Read sensitive data:** Extract any information from the database, including user credentials (password hashes), private messages, email addresses, and other private data.\n*   **Modify data:** Alter records in the database, such as elevating their own or other users' privileges to administrator level.\n*   **Delete data:** Corrupt or destroy forum data by dropping tables or deleting records.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "torrentpier/torrentpier"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.8.8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/torrentpier/torrentpier/security/advisories/GHSA-4rwr-8c3m-55f6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/torrentpier/torrentpier/commit/6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/torrentpier/torrentpier"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-10T21:30:44Z",
+    "nvd_published_at": null
+  }
+}

advisories/unreviewed/2025/05/GHSA-262x-vpc4-rwc6/GHSA-262x-vpc4-rwc6.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-262x-vpc4-rwc6",
-  "modified": "2025-05-01T15:31:49Z",
+  "modified": "2025-11-10T21:30:28Z",
   "published": "2025-05-01T15:31:49Z",
   "aliases": [
     "CVE-2022-49838"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: clear out_curr if all frag chunks of current msg are pruned\n\nA crash was reported by Zhen Chen:\n\n  list_del corruption, ffffa035ddf01c18->next is NULL\n  WARNING: CPU: 1 PID: 250682 at lib/list_debug.c:49 __list_del_entry_valid+0x59/0xe0\n  RIP: 0010:__list_del_entry_valid+0x59/0xe0\n  Call Trace:\n   sctp_sched_dequeue_common+0x17/0x70 [sctp]\n   sctp_sched_fcfs_dequeue+0x37/0x50 [sctp]\n   sctp_outq_flush_data+0x85/0x360 [sctp]\n   sctp_outq_uncork+0x77/0xa0 [sctp]\n   sctp_cmd_interpreter.constprop.0+0x164/0x1450 [sctp]\n   sctp_side_effects+0x37/0xe0 [sctp]\n   sctp_do_sm+0xd0/0x230 [sctp]\n   sctp_primitive_SEND+0x2f/0x40 [sctp]\n   sctp_sendmsg_to_asoc+0x3fa/0x5c0 [sctp]\n   sctp_sendmsg+0x3d5/0x440 [sctp]\n   sock_sendmsg+0x5b/0x70\n\nand in sctp_sched_fcfs_dequeue() it dequeued a chunk from stream\nout_curr outq while this outq was empty.\n\nNormally stream->out_curr must be set to NULL once all frag chunks of\ncurrent msg are dequeued, as we can see in sctp_sched_dequeue_done().\nHowever, in sctp_prsctp_prune_unsent() as it is not a proper dequeue,\nsctp_sched_dequeue_done() is not called to do this.\n\nThis patch is to fix it by simply setting out_curr to NULL when the\nlast frag chunk of current msg is dequeued from out_curr stream in\nsctp_prsctp_prune_unsent().",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -33,7 +38,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-01T15:16:07Z"

advisories/unreviewed/2025/05/GHSA-2cfw-3h9f-mpm2/GHSA-2cfw-3h9f-mpm2.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2cfw-3h9f-mpm2",
-  "modified": "2025-05-01T15:31:50Z",
+  "modified": "2025-11-10T21:30:29Z",
   "published": "2025-05-01T15:31:50Z",
   "aliases": [
     "CVE-2022-49859"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lapbether: fix issue of invalid opcode in lapbeth_open()\n\nIf lapb_register() failed when lapb device goes to up for the first time,\nthe NAPI is not disabled. As a result, the invalid opcode issue is\nreported when the lapb device goes to up for the second time.\n\nThe stack info is as follows:\n[ 1958.311422][T11356] kernel BUG at net/core/dev.c:6442!\n[ 1958.312206][T11356] invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n[ 1958.315979][T11356] RIP: 0010:napi_enable+0x16a/0x1f0\n[ 1958.332310][T11356] Call Trace:\n[ 1958.332817][T11356]  <TASK>\n[ 1958.336135][T11356]  lapbeth_open+0x18/0x90\n[ 1958.337446][T11356]  __dev_open+0x258/0x490\n[ 1958.341672][T11356]  __dev_change_flags+0x4d4/0x6a0\n[ 1958.345325][T11356]  dev_change_flags+0x93/0x160\n[ 1958.346027][T11356]  devinet_ioctl+0x1276/0x1bf0\n[ 1958.346738][T11356]  inet_ioctl+0x1c8/0x2d0\n[ 1958.349638][T11356]  sock_ioctl+0x5d1/0x750\n[ 1958.356059][T11356]  __x64_sys_ioctl+0x3ec/0x1790\n[ 1958.365594][T11356]  do_syscall_64+0x35/0x80\n[ 1958.366239][T11356]  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[ 1958.377381][T11356]  </TASK>",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-01T15:16:09Z"

advisories/unreviewed/2025/05/GHSA-3x67-44wh-mrgf/GHSA-3x67-44wh-mrgf.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3x67-44wh-mrgf",
-  "modified": "2025-11-03T21:33:55Z",
+  "modified": "2025-11-10T21:30:30Z",
   "published": "2025-05-20T18:30:55Z",
   "aliases": [
     "CVE-2025-37924"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in kerberos authentication\n\nSetting sess->user = NULL was introduced to fix the dangling pointer\ncreated by ksmbd_free_user. However, it is possible another thread could\nbe operating on the session and make use of sess->user after it has been\npassed to ksmbd_free_user but before sess->user is set to NULL.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -40,8 +45,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-20T16:15:29Z"

advisories/unreviewed/2025/05/GHSA-3x6x-q36v-32gj/GHSA-3x6x-q36v-32gj.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3x6x-q36v-32gj",
-  "modified": "2025-05-01T15:31:51Z",
+  "modified": "2025-11-10T21:30:29Z",
   "published": "2025-05-01T15:31:51Z",
   "aliases": [
     "CVE-2022-49883"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: smm: number of GPRs in the SMRAM image depends on the image format\n\nOn 64 bit host, if the guest doesn't have X86_FEATURE_LM, KVM will\naccess 16 gprs to 32-bit smram image, causing out-ouf-bound ram\naccess.\n\nOn 32 bit host, the rsm_load_state_64/enter_smm_save_state_64\nis compiled out, thus access overflow can't happen.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-125"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-01T15:16:13Z"

advisories/unreviewed/2025/05/GHSA-4jq9-rx3w-p8vg/GHSA-4jq9-rx3w-p8vg.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4jq9-rx3w-p8vg",
-  "modified": "2025-05-01T15:31:49Z",
+  "modified": "2025-11-10T21:30:28Z",
   "published": "2025-05-01T15:31:49Z",
   "aliases": [
     "CVE-2022-49836"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsiox: fix possible memory leak in siox_device_add()\n\nIf device_register() returns error in siox_device_add(),\nthe name allocated by dev_set_name() need be freed. As\ncomment of device_register() says, it should use put_device()\nto give up the reference in the error path. So fix this\nby calling put_device(), then the name can be freed in\nkobject_cleanup(), and sdevice is freed in siox_device_release(),\nset it to null in error path.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -40,8 +45,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-401"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-01T15:16:07Z"

advisories/unreviewed/2025/05/GHSA-4m85-4x3p-6jmv/GHSA-4m85-4x3p-6jmv.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4m85-4x3p-6jmv",
-  "modified": "2025-05-01T15:31:51Z",
+  "modified": "2025-11-10T21:30:29Z",
   "published": "2025-05-01T15:31:51Z",
   "aliases": [
     "CVE-2022-49884"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Initialize gfn_to_pfn_cache locks in dedicated helper\n\nMove the gfn_to_pfn_cache lock initialization to another helper and\ncall the new helper during VM/vCPU creation.  There are race\nconditions possible due to kvm_gfn_to_pfn_cache_init()'s\nability to re-initialize the cache's locks.\n\nFor example: a race between ioctl(KVM_XEN_HVM_EVTCHN_SEND) and\nkvm_gfn_to_pfn_cache_init() leads to a corrupted shinfo gpc lock.\n\n                (thread 1)                |           (thread 2)\n                                          |\n kvm_xen_set_evtchn_fast                  |\n  read_lock_irqsave(&gpc->lock, ...)      |\n                                          | kvm_gfn_to_pfn_cache_init\n                                          |  rwlock_init(&gpc->lock)\n  read_unlock_irqrestore(&gpc->lock, ...) |\n\nRename \"cache_init\" and \"cache_destroy\" to activate+deactivate to\navoid implying that the cache really is destroyed/freed.\n\nNote, there more races in the newly named kvm_gpc_activate() that will\nbe addressed separately.\n\n[sean: call out that this is a bug fix]",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-362"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-01T15:16:13Z"

advisories/unreviewed/2025/05/GHSA-4qc6-52f6-6vgr/GHSA-4qc6-52f6-6vgr.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4qc6-52f6-6vgr",
-  "modified": "2025-05-20T18:30:54Z",
+  "modified": "2025-11-10T21:30:29Z",
   "published": "2025-05-20T18:30:54Z",
   "aliases": [
     "CVE-2025-37920"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix race condition in AF_XDP generic RX path\n\nMove rx_lock from xsk_socket to xsk_buff_pool.\nFix synchronization for shared umem mode in\ngeneric RX path where multiple sockets share\nsingle xsk_buff_pool.\n\nRX queue is exclusive to xsk_socket, while FILL\nqueue can be shared between multiple sockets.\nThis could result in race condition where two\nCPU cores access RX path of two different sockets\nsharing the same umem.\n\nProtect both queues by acquiring spinlock in shared\nxsk_buff_pool.\n\nLock contention may be minimized in the future by some\nper-thread FQ buffering.\n\nIt's safe and necessary to move spin_lock_bh(rx_lock)\nafter xsk_rcv_check():\n* xs->pool and spinlock_init is synchronized by\n  xsk_bind() -> xsk_is_bound() memory barriers.\n* xsk_rcv_check() may return true at the moment\n  of xsk_release() or xsk_unbind_dev(),\n  however this will not cause any data races or\n  race conditions. xsk_unbind_dev() removes xdp\n  socket from all maps and waits for completion\n  of all outstanding rx operations. Packets in\n  RX path will either complete safely or drop.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-362"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-20T16:15:28Z"

advisories/unreviewed/2025/05/GHSA-4vff-8c4j-m2j6/GHSA-4vff-8c4j-m2j6.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4vff-8c4j-m2j6",
-  "modified": "2025-05-01T15:31:49Z",
+  "modified": "2025-11-10T21:30:28Z",
   "published": "2025-05-01T15:31:49Z",
   "aliases": [
     "CVE-2022-49831"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: initialize device's zone info for seeding\n\nWhen performing seeding on a zoned filesystem it is necessary to\ninitialize each zoned device's btrfs_zoned_device_info structure,\notherwise mounting the filesystem will cause a NULL pointer dereference.\n\nThis was uncovered by fstests' testcase btrfs/163.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-01T15:16:06Z"

advisories/unreviewed/2025/05/GHSA-4vrr-6gm8-fwf2/GHSA-4vrr-6gm8-fwf2.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4vrr-6gm8-fwf2",
-  "modified": "2025-05-01T15:31:48Z",
+  "modified": "2025-11-10T21:30:27Z",
   "published": "2025-05-01T15:31:48Z",
   "aliases": [
     "CVE-2022-49823"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-transport: fix error handling in ata_tdev_add()\n\nIn ata_tdev_add(), the return value of transport_add_device() is\nnot checked. As a result, it causes null-ptr-deref while removing\nthe module, because transport_remove_device() is called to remove\nthe device that was not added.\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\nCPU: 13 PID: 13603 Comm: rmmod Kdump: loaded Tainted: G        W          6.1.0-rc3+ #36\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : device_del+0x48/0x3a0\nlr : device_del+0x44/0x3a0\nCall trace:\n device_del+0x48/0x3a0\n attribute_container_class_device_del+0x28/0x40\n transport_remove_classdev+0x60/0x7c\n attribute_container_device_trigger+0x118/0x120\n transport_remove_device+0x20/0x30\n ata_tdev_delete+0x24/0x50 [libata]\n ata_tlink_delete+0x40/0xa0 [libata]\n ata_tport_delete+0x2c/0x60 [libata]\n ata_port_detach+0x148/0x1b0 [libata]\n ata_pci_remove_one+0x50/0x80 [libata]\n ahci_remove_one+0x4c/0x8c [ahci]\n\nFix this by checking and handling return value of transport_add_device()\nin ata_tdev_add(). In the error path, device_del() is called to delete\nthe device which was added earlier in this function, and ata_tdev_free()\nis called to free ata_dev.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-01T15:16:05Z"