Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2022/05/GHSA-8966-pp95-9j6j/GHSA-8966-pp95-9j6j.json

@@ -1,19 +1,28 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8966-pp95-9j6j",
-  "modified": "2022-05-24T17:29:01Z",
+  "modified": "2025-12-23T15:30:25Z",
   "published": "2022-05-24T17:29:01Z",
   "aliases": [
     "CVE-2020-25787"
   ],
   "details": "An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. It does not validate all URLs before requesting them.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25787"
     },
+    {
+      "type": "WEB",
+      "url": "https://blog.neagaru.com/p/exploiting-tiny-tiny-rss-2020"
+    },
     {
       "type": "WEB",
       "url": "https://community.tt-rss.org/t/heads-up-several-vulnerabilities-fixed/3799"

advisories/unreviewed/2024/11/GHSA-wfh7-4g7r-cxxq/GHSA-wfh7-4g7r-cxxq.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wfh7-4g7r-cxxq",
-  "modified": "2025-11-03T21:31:36Z",
+  "modified": "2025-12-23T15:30:25Z",
   "published": "2024-11-14T21:32:03Z",
   "aliases": [
     "CVE-2024-10397"
@@ -30,6 +30,10 @@
     {
       "type": "WEB",
       "url": "https://openafs.org/pages/security/OPENAFS-SA-2024-003.txt"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.openafs.org/pages/security/OPENAFS-SA-2024-003.txt"
     }
   ],
   "database_specific": {

advisories/unreviewed/2025/12/GHSA-2689-g4r3-gxrx/GHSA-2689-g4r3-gxrx.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2689-g4r3-gxrx",
-  "modified": "2025-12-23T12:30:18Z",
+  "modified": "2025-12-23T15:30:39Z",
   "published": "2025-12-23T12:30:18Z",
   "aliases": [
     "CVE-2023-52210"
@@ -25,7 +25,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-287"
+    ],
     "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,

advisories/unreviewed/2025/12/GHSA-2f36-x8xr-4642/GHSA-2f36-x8xr-4642.json

@@ -0,0 +1,41 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2f36-x8xr-4642",
+  "modified": "2025-12-23T15:30:40Z",
+  "published": "2025-12-23T15:30:40Z",
+  "aliases": [
+    "CVE-2025-68342"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data\n\nThe URB received in gs_usb_receive_bulk_callback() contains a struct\ngs_host_frame. The length of the data after the header depends on the\ngs_host_frame hf::flags and the active device features (e.g. time\nstamping).\n\nIntroduce a new function gs_usb_get_minimum_length() and check that we have\nat least received the required amount of data before accessing it. Only\ncopy the data to that skb that has actually been received.\n\n[mkl: rename gs_usb_get_minimum_length() -> +gs_usb_get_minimum_rx_length()]",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68342"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/395d988f93861101ec89d0dd9e3b876ae9392a5b"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/4ffac725154cf6a253f5e6aa0c8946232b6a0af5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/fb0c7c77a7ae3a2c3404b7d0173b8739a754b513"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-23T14:16:40Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-47rc-xxqp-2645/GHSA-47rc-xxqp-2645.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-47rc-xxqp-2645",
-  "modified": "2025-12-10T18:30:25Z",
+  "modified": "2025-12-23T15:30:29Z",
   "published": "2025-12-10T18:30:25Z",
   "aliases": [
     "CVE-2025-34419"
   ],
   "details": "MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAISM.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAISM.DLL, which is then loaded when the executable starts, resulting in execution of attacker-controlled code with the privileges of the process.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2025/12/GHSA-4mf7-7hx2-42fv/GHSA-4mf7-7hx2-42fv.json

@@ -0,0 +1,37 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4mf7-7hx2-42fv",
+  "modified": "2025-12-23T15:30:40Z",
+  "published": "2025-12-23T15:30:40Z",
+  "aliases": [
+    "CVE-2025-68338"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: microchip: Don't free uninitialized ksz_irq\n\nIf something goes wrong at setup, ksz_irq_free() can be called on\nuninitialized ksz_irq (for example when ksz_ptp_irq_setup() fails). It\nleads to freeing uninitialized IRQ numbers and/or domains.\n\nUse dsa_switch_for_each_user_port_continue_reverse() in the error path\nto iterate only over the fully initialized ports.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68338"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/25b62cc5b22c45face094ae3e8717258e46d1d19"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/32abbcf4379a0f851d7eb9d4389e7bf5c64bf6c0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/9428654c827fa8d38b898135d26d39ee2d544246"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-23T14:16:40Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-4p2q-qc9w-jq74/GHSA-4p2q-qc9w-jq74.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4p2q-qc9w-jq74",
+  "modified": "2025-12-23T15:30:40Z",
+  "published": "2025-12-23T15:30:40Z",
+  "aliases": [
+    "CVE-2025-66845"
+  ],
+  "details": "A reflected Cross-Site Scripting (XSS) vulnerability has been identified in TechStore version 1.0. The user_name endpoint reflects the id query parameter directly into the HTML response without output encoding or sanitization, allowing execution of arbitrary JavaScript code in a victim’s browser.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66845"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/MuratSevri/d78efed86ca5f82e8a6683ace5061319"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-23T14:16:40Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-5623-7pmr-m98j/GHSA-5623-7pmr-m98j.json

@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5623-7pmr-m98j",
+  "modified": "2025-12-23T15:30:39Z",
+  "published": "2025-12-23T15:30:39Z",
+  "aliases": [
+    "CVE-2023-5092"
+  ],
+  "details": "Rejected reason: This CVE id was assigned to an issue which was later deemed not security relevant.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5092"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-23T14:16:39Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-57g8-267x-ffc8/GHSA-57g8-267x-ffc8.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-57g8-267x-ffc8",
-  "modified": "2025-12-10T18:30:25Z",
+  "modified": "2025-12-23T15:30:29Z",
   "published": "2025-12-10T18:30:25Z",
   "aliases": [
     "CVE-2025-34394"
   ],
   "details": "Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service that is insufficiently protected against deserialization of arbitrary types. This can lead to remote code execution.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2025/12/GHSA-68w5-72rc-pgrc/GHSA-68w5-72rc-pgrc.json

@@ -0,0 +1,37 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-68w5-72rc-pgrc",
+  "modified": "2025-12-23T15:30:40Z",
+  "published": "2025-12-23T15:30:40Z",
+  "aliases": [
+    "CVE-2025-68341"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nveth: reduce XDP no_direct return section to fix race\n\nAs explain in commit fa349e396e48 (\"veth: Fix race with AF_XDP exposing\nold or uninitialized descriptors\") for veth there is a chance after\nnapi_complete_done() that another CPU can manage start another NAPI\ninstance running veth_pool(). For NAPI this is correctly handled as the\nnapi_schedule_prep() check will prevent multiple instances from getting\nscheduled, but for the remaining code in veth_pool() this can run\nconcurrent with the newly started NAPI instance.\n\nThe problem/race is that xdp_clear_return_frame_no_direct() isn't\ndesigned to be nested.\n\nPrior to commit 401cb7dae813 (\"net: Reference bpf_redirect_info via\ntask_struct on PREEMPT_RT.\") the temporary BPF net context\nbpf_redirect_info was stored per CPU, where this wasn't an issue. Since\nthis commit the BPF context is stored in 'current' task_struct. When\nrunning veth in threaded-NAPI mode, then the kthread becomes the storage\narea. Now a race exists between two concurrent veth_pool() function calls\none exiting NAPI and one running new NAPI, both using the same BPF net\ncontext.\n\nRace is when another CPU gets within the xdp_set_return_frame_no_direct()\nsection before exiting veth_pool() calls the clear-function\nxdp_clear_return_frame_no_direct().",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68341"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/a14602fcae17a3f1cb8a8521bedf31728f9e7e39"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/c1ceabcb347d1b0f7e70a7384ec7eff3847b7628"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/d0bd018ad72a8a598ae709588934135017f8af52"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-23T14:16:40Z"
+  }
+}