Publish Advisories

GHSA-34j4-424f-xr64
GHSA-3q6q-gxwr-7gqv
GHSA-8jr5-3mrg-hm2v
GHSA-96px-f628-2m88
GHSA-cxwj-2rvj-cg44
GHSA-g3v9-6rgp-gh2r
GHSA-g75q-8q7j-ggf3
GHSA-hxpf-jx7m-hmj8
GHSA-m536-ggcv-cwmj
GHSA-qjqw-2rg5-mqgm
GHSA-rf7c-qh7c-23vw
GHSA-xxv4-5prv-8f29

Author: advisory-database[bot]

advisories/unreviewed/2025/12/GHSA-34j4-424f-xr64/GHSA-34j4-424f-xr64.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-34j4-424f-xr64",
+  "modified": "2025-12-25T06:30:26Z",
+  "published": "2025-12-25T06:30:26Z",
+  "aliases": [
+    "CVE-2025-66378"
+  ],
+  "details": "Pexip Infinity 38.0 and 38.1 before 39.0 has insufficient access control in the RTMP implementation, allowing an attacker to disconnect RTMP streams traversing a Proxy Node.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66378"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.pexip.com/admin/security_bulletins.htm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-25T05:16:09Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-3q6q-gxwr-7gqv/GHSA-3q6q-gxwr-7gqv.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3q6q-gxwr-7gqv",
+  "modified": "2025-12-25T06:30:26Z",
+  "published": "2025-12-25T06:30:26Z",
+  "aliases": [
+    "CVE-2025-48704"
+  ],
+  "details": "Pexip Infinity 35.0 through 37.2 before 38.0 has Improper Input Validation in signalling that allows an attacker to trigger a software abort, resulting in a denial of service.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48704"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.pexip.com/admin/security_bulletins.htm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-617"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-25T05:16:07Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-8jr5-3mrg-hm2v/GHSA-8jr5-3mrg-hm2v.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8jr5-3mrg-hm2v",
+  "modified": "2025-12-25T06:30:26Z",
+  "published": "2025-12-25T06:30:25Z",
+  "aliases": [
+    "CVE-2025-32095"
+  ],
+  "details": "Pexip Infinity before 37.0 has improper input validation in signalling that allows a remote attacker to trigger a software abort via a crafted signalling message, resulting in a denial of service.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32095"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.pexip.com/admin/security_bulletins.htm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-617"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-25T05:16:06Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-96px-f628-2m88/GHSA-96px-f628-2m88.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-96px-f628-2m88",
+  "modified": "2025-12-25T06:30:26Z",
+  "published": "2025-12-25T06:30:26Z",
+  "aliases": [
+    "CVE-2025-66443"
+  ],
+  "details": "Pexip Infinity 35.0 through 38.1 before 39.0, in non-default configurations that use Direct Media for WebRTC, has Improper Input Validation in signalling that allows an attacker to trigger a software abort, resulting in a temporary denial of service.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66443"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.pexip.com/admin/security_bulletins.htm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-617"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-25T05:16:09Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-cxwj-2rvj-cg44/GHSA-cxwj-2rvj-cg44.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cxwj-2rvj-cg44",
+  "modified": "2025-12-25T06:30:26Z",
+  "published": "2025-12-25T06:30:26Z",
+  "aliases": [
+    "CVE-2025-66377"
+  ],
+  "details": "Pexip Infinity before 39.0 has Missing Authentication for a Critical Function in a product-internal API, allowing an attacker (who already has access to execute code on one node within a Pexip Infinity installation) to impact the operation of other nodes within the installation.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66377"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.pexip.com/admin/security_bulletins.htm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-25T05:16:09Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-g3v9-6rgp-gh2r/GHSA-g3v9-6rgp-gh2r.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g3v9-6rgp-gh2r",
+  "modified": "2025-12-25T06:30:26Z",
+  "published": "2025-12-25T06:30:26Z",
+  "aliases": [
+    "CVE-2025-59683"
+  ],
+  "details": "Pexip Infinity 15.0 through 38.0 before 38.1 has Improper Access Control in the Secure Scheduler for Exchange service, when used with Office 365 Legacy Exchange Tokens. This allows a remote attacker to read potentially sensitive data and excessively consume resources, leading to a denial of service.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59683"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.pexip.com/admin/security_bulletins.htm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-25T05:16:07Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-g75q-8q7j-ggf3/GHSA-g75q-8q7j-ggf3.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g75q-8q7j-ggf3",
+  "modified": "2025-12-25T06:30:26Z",
+  "published": "2025-12-25T06:30:26Z",
+  "aliases": [
+    "CVE-2025-66379"
+  ],
+  "details": "Pexip Infinity before 39.0 has Improper Input Validation in the media implementation, allowing a remote attacker to trigger a software abort via a crafted media stream, resulting in a denial of service.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66379"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.pexip.com/admin/security_bulletins.htm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-617"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-25T05:16:09Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-hxpf-jx7m-hmj8/GHSA-hxpf-jx7m-hmj8.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hxpf-jx7m-hmj8",
+  "modified": "2025-12-25T06:30:25Z",
+  "published": "2025-12-25T06:30:25Z",
+  "aliases": [
+    "CVE-2025-15077"
+  ],
+  "details": "A security vulnerability has been detected in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /form137.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15077"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BUPT424201/CVE/issues/2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338334"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338334"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.721484"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-25T04:15:43Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-m536-ggcv-cwmj/GHSA-m536-ggcv-cwmj.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m536-ggcv-cwmj",
+  "modified": "2025-12-25T06:30:26Z",
+  "published": "2025-12-25T06:30:25Z",
+  "aliases": [
+    "CVE-2025-15078"
+  ],
+  "details": "A vulnerability was detected in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /list_report.php. The manipulation of the argument sy results in sql injection. The attack may be launched remotely. The exploit is now public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15078"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BUPT424201/CVE/issues/3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338335"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338335"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.721485"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-25T05:16:04Z"
+  }
+}