Publish Advisories

GHSA-f823-phmg-x5fr
GHSA-q285-wfpg-93hr

Author: advisory-database[bot]

…-f823-phmg-x5fr/GHSA-f823-phmg-x5fr.json …-f823-phmg-x5fr/GHSA-f823-phmg-x5fr.jsonadvisories/unreviewed/2025/06/GHSA-f823-phmg-x5fr/GHSA-f823-phmg-x5fr.json renamed to advisories/github-reviewed/2025/06/GHSA-f823-phmg-x5fr/GHSA-f823-phmg-x5fr.json advisories/unreviewed/2025/06/GHSA-f823-phmg-x5fr/GHSA-f823-phmg-x5fr.json renamed to advisories/github-reviewed/2025/06/GHSA-f823-phmg-x5fr/GHSA-f823-phmg-x5fr.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f823-phmg-x5fr",
-  "modified": "2025-06-29T09:30:23Z",
+  "modified": "2025-11-03T20:14:59Z",
   "published": "2025-06-29T09:30:23Z",
   "aliases": [
     "CVE-2025-6855"
   ],
+  "summary": "Langchain-Chatchat vulnerable to path traversal",
   "details": "A vulnerability, which was classified as critical, has been found in chatchat-space Langchain-Chatchat up to 0.3.1. This issue affects some unknown processing of the file /v1/file. The manipulation of the argument flag leads to path traversal. The exploit has been disclosed to the public and may be used.",
   "severity": [
     {
@@ -14,10 +15,30 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "langchain-chatchat"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.3.1"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -27,6 +48,10 @@
       "type": "WEB",
       "url": "https://github.com/chatchat-space/Langchain-Chatchat/issues/5354"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/chatchat-space/Langchain-Chatchat"
+    },
     {
       "type": "WEB",
       "url": "https://vuldb.com/?ctiid.314327"
@@ -44,9 +69,9 @@
     "cwe_ids": [
       "CWE-22"
     ],
-    "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-03T20:14:58Z",
     "nvd_published_at": "2025-06-29T09:15:24Z"
   }
 }

…-q285-wfpg-93hr/GHSA-q285-wfpg-93hr.json …-q285-wfpg-93hr/GHSA-q285-wfpg-93hr.jsonadvisories/unreviewed/2025/10/GHSA-q285-wfpg-93hr/GHSA-q285-wfpg-93hr.json renamed to advisories/github-reviewed/2025/10/GHSA-q285-wfpg-93hr/GHSA-q285-wfpg-93hr.json advisories/unreviewed/2025/10/GHSA-q285-wfpg-93hr/GHSA-q285-wfpg-93hr.json renamed to advisories/github-reviewed/2025/10/GHSA-q285-wfpg-93hr/GHSA-q285-wfpg-93hr.json

@@ -1,24 +1,53 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q285-wfpg-93hr",
-  "modified": "2025-10-31T21:31:02Z",
+  "modified": "2025-11-03T20:16:18Z",
   "published": "2025-10-31T21:31:02Z",
   "aliases": [
     "CVE-2025-62267"
   ],
+  "summary": "Liferay Portal and DXP affected by multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page",
   "details": "Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name, or (3) Last Name text field.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.liferay:com.liferay.dynamic.data.mapping.item.selector.web"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.0.9"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62267"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/liferay/liferay-portal"
+    },
+    {
+      "type": "WEB",
+      "url": "https://liferay.atlassian.net/browse/LPE-17900"
+    },
     {
       "type": "WEB",
       "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62267"
@@ -29,8 +58,8 @@
       "CWE-79"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-03T20:16:18Z",
     "nvd_published_at": "2025-10-31T19:15:50Z"
   }
 }