Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 8d5d2fe456cb · 2025-11-06T23:49:56.000Z
GHSA-rhff-65hp-55rw GHSA-fv2r-r8mp-pg48 GHSA-rhff-65hp-55rw
diff --git a/advisories/github-reviewed/2022/05/GHSA-rhff-65hp-55rw/GHSA-rhff-65hp-55rw.json b/advisories/github-reviewed/2022/05/GHSA-rhff-65hp-55rw/GHSA-rhff-65hp-55rw.json
@@ -0,0 +1,112 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rhff-65hp-55rw",
+  "modified": "2025-11-06T23:48:04Z",
+  "published": "2022-05-24T19:12:47Z",
+  "aliases": [
+    "CVE-2021-36030"
+  ],
+  "summary": "Magento allows attackers to alter the price of items",
+  "details": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability during the checkout process. An unauthenticated attacker can leverage this vulnerability to alter the price of items.",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "magento/project-community-edition"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.0.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "magento/community-edition"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.3.7-p1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "magento/community-edition"
+      },
+      "versions": [
+        "2.3.7"
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "magento/community-edition"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.4.2-p1"
+            },
+            {
+              "fixed": "2.4.2-p2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "magento/community-edition"
+      },
+      "versions": [
+        "2.4.2"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36030"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/magento/magento2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-06T23:48:04Z",
+    "nvd_published_at": "2021-09-01T15:15:00Z"
+  }
+}
diff --git a/advisories/github-reviewed/2025/11/GHSA-fv2r-r8mp-pg48/GHSA-fv2r-r8mp-pg48.json b/advisories/github-reviewed/2025/11/GHSA-fv2r-r8mp-pg48/GHSA-fv2r-r8mp-pg48.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fv2r-r8mp-pg48",
+  "modified": "2025-11-06T23:48:12Z",
+  "published": "2025-11-06T23:48:12Z",
+  "aliases": [
+    "CVE-2025-64494"
+  ],
+  "summary": "Soft Serve does not sanitize ANSI escape sequences in user input",
+  "details": "### Impact\nIn several places where the user can insert data (e.g. names), ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts.\n\nIn the same token, git messages, when printed, are also not being sanitized.\n\nPlaces in which this was found:\n\n1. Repository Description (pkg/backend/repo.go - SetDescription)\n2. Repository Project Name (pkg/backend/repo.go - SetProjectName)\n3. Git Commit Author Names (pkg/ssh/cmd/commit.go:69)\n4. Git Commit Messages (pkg/ssh/cmd/commit.go:71)\n5. Access Token Names (pkg/ssh/cmd/token.go:107)\n6. Webhook URLs (pkg/ssh/cmd/webhooks.go:72)\n\n### Patches\nv0.11.0\n\n### Workarounds\nNo.\n\n### References\nn/a",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/charmbracelet/soft-serve"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.11.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.10.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-fv2r-r8mp-pg48"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/charmbracelet/soft-serve/commit/d9639320b8d0ccd76fe6836a042c042b0ebde549"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/charmbracelet/soft-serve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-150"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-06T23:48:12Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/unreviewed/2022/05/GHSA-rhff-65hp-55rw/GHSA-rhff-65hp-55rw.json b/advisories/unreviewed/2022/05/GHSA-rhff-65hp-55rw/GHSA-rhff-65hp-55rw.json
