Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2025/04/GHSA-fqm9-qqwf-gq9r/GHSA-fqm9-qqwf-gq9r.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fqm9-qqwf-gq9r",
-  "modified": "2025-05-15T12:30:26Z",
+  "modified": "2025-10-21T18:30:29Z",
   "published": "2025-04-23T21:30:36Z",
   "aliases": [
     "CVE-2025-46397"

advisories/unreviewed/2025/10/GHSA-2928-r2w9-gm4x/GHSA-2928-r2w9-gm4x.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2928-r2w9-gm4x",
+  "modified": "2025-10-21T18:30:35Z",
+  "published": "2025-10-21T18:30:35Z",
+  "aliases": [
+    "CVE-2025-62763"
+  ],
+  "details": "Zimbra Collaboration (ZCS) before 10.1.12 allows SSRF because of the configuration of the chat proxy.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62763"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blog.zimbra.com/2025/10/patch-release-update-zimbra-10-1-12"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wiki.zimbra.com/wiki/Security_Center"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.12"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-21T17:15:41Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-2rvw-jrp7-x2vg/GHSA-2rvw-jrp7-x2vg.json

@@ -0,0 +1,37 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2rvw-jrp7-x2vg",
+  "modified": "2025-10-21T18:30:35Z",
+  "published": "2025-10-21T18:30:35Z",
+  "aliases": [
+    "CVE-2025-60427"
+  ],
+  "details": "LibreTime 3.0.0-alpha.10 and possibly earlier is vulnerable to Broken Access Control, where a user with the DJ role can access analytics data via the Web UI and direct API calls. The backend does not verify role-based permissions for analytics endpoints, allowing unauthorized retrieval of station-wide metrics. This results in information disclosure to less privileged users.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60427"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/libretime/libretime/issues/1251"
+    },
+    {
+      "type": "WEB",
+      "url": "https://beafn28.gitbook.io/beafn28/cve/broken-access-control-in-libretime-analytics-endpoints-cve-2025-60427"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/libretime/libretime"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-21T18:15:36Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-3jx5-x6hv-w267/GHSA-3jx5-x6hv-w267.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3jx5-x6hv-w267",
-  "modified": "2025-10-13T09:30:24Z",
+  "modified": "2025-10-21T18:30:31Z",
   "published": "2025-10-13T09:30:24Z",
   "aliases": [
     "CVE-2025-27259"
   ],
   "details": "Ericsson Network Manager versions prior to ENM 25.2 GA contain a vulnerability that, if exploited, can exfiltrate limited data or redirect victims to other sites or domains.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2025/10/GHSA-464p-mh7x-6549/GHSA-464p-mh7x-6549.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-464p-mh7x-6549",
+  "modified": "2025-10-21T18:30:35Z",
+  "published": "2025-10-21T18:30:35Z",
+  "aliases": [
+    "CVE-2025-11757"
+  ],
+  "details": "The CloudEdge Cloud does not sanitize the MQTT topic input, which could allow an attacker to leverage the MQTT wildcard to receive all the messages that should be delivered to other users by subscribing to the a MQTT topic. In these messages, the attacker can obtain the credentials and key information to connect to the cameras from peer to peer.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11757"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-05"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-155"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-21T18:15:35Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-6j5c-gc78-pqgr/GHSA-6j5c-gc78-pqgr.json

@@ -34,7 +34,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-305"
+      "CWE-305",
+      "CWE-307"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2025/10/GHSA-6p74-jjw6-9j89/GHSA-6p74-jjw6-9j89.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6p74-jjw6-9j89",
+  "modified": "2025-10-21T18:30:35Z",
+  "published": "2025-10-21T18:30:35Z",
+  "aliases": [
+    "CVE-2025-60772"
+  ],
+  "details": "Improper authentication in the web-based management interface of NETLINK HG322G V1.0.00-231017, allows a remote unauthenticated attacker to escalate privileges and lock out the legitimate administrator via crafted HTTP requests.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60772"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/navy-birds-MRS/vuln-reports/blob/main/vendors/netlink/CVE-2025-60772/advisory.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://netlinkict.com/shop/gpon-ont/gpon-ont-hg322g"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-21T17:15:40Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-6pgj-w687-9c8c/GHSA-6pgj-w687-9c8c.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6pgj-w687-9c8c",
+  "modified": "2025-10-21T18:30:35Z",
+  "published": "2025-10-21T18:30:35Z",
+  "aliases": [
+    "CVE-2025-62250"
+  ],
+  "details": "Improper Authentication in Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to send malicious data to the Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions that will treat it as trusted data via unauthenticated cluster messages.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62250"
+    },
+    {
+      "type": "WEB",
+      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62250"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-346"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-21T16:15:38Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-7f63-wvmx-66p2/GHSA-7f63-wvmx-66p2.json

@@ -0,0 +1,46 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7f63-wvmx-66p2",
+  "modified": "2025-10-21T18:30:35Z",
+  "published": "2025-10-21T18:30:35Z",
+  "aliases": [
+    "CVE-2025-60507"
+  ],
+  "details": "Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users (including Students or Administrators) click the link, the payload executes in their browser.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60507"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/onurcangnc/moodle_genai_plugin_xss"
+    },
+    {
+      "type": "WEB",
+      "url": "https://moodle.org/plugins/local_geniai"
+    },
+    {
+      "type": "WEB",
+      "url": "https://moodle.org/security"
+    },
+    {
+      "type": "WEB",
+      "url": "https://onurcangenc.com.tr/posts/moodle-genia%C4%B1-plugin-vulnerability-stored-reflected-xss-via-pdf-upload-and-chatbot-%C4%B1nput"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-21T18:15:36Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-7vgg-mch2-66mr/GHSA-7vgg-mch2-66mr.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7vgg-mch2-66mr",
-  "modified": "2025-10-14T18:30:34Z",
+  "modified": "2025-10-21T18:30:31Z",
   "published": "2025-10-14T18:30:34Z",
   "aliases": [
     "CVE-2025-59214"
@@ -19,6 +19,14 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59214"
     },
+    {
+      "type": "WEB",
+      "url": "https://cymulate.com/blog/ntlm-leak-cve-2025-59214"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubenformation/CVE-2025-50154"
+    },
     {
       "type": "WEB",
       "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59214"