Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 93504346cc56 · 2025-09-10T20:49:24.000Z
GHSA-9v82-vcjx-m76j GHSA-fghv-69vj-qj49 GHSA-v2p7-4pv4-3wwh
diff --git a/advisories/github-reviewed/2025/09/GHSA-9v82-vcjx-m76j/GHSA-9v82-vcjx-m76j.json b/advisories/github-reviewed/2025/09/GHSA-9v82-vcjx-m76j/GHSA-9v82-vcjx-m76j.json
@@ -0,0 +1,82 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9v82-vcjx-m76j",
+  "modified": "2025-09-10T20:46:20Z",
+  "published": "2025-09-10T20:46:20Z",
+  "aliases": [],
+  "summary": "Shopware: Reflective Cross Site-Scripting (XSS) in CMS components",
+  "details": "### Impact\nBy exploiting XSS vulnerabilities, malicious actors can perform harmful actions in the user's web browser in the session context of the affected user. \n\nSome examples of this include, but are not limited to:\n- Obtaining user session tokens.\n- Performing administrative actions (when an administrative user is affected).\n\nThese vulnerabilities pose a high security risk. Since a sensitive cookie is not configured with the HttpOnly attribute and administrator JWTs are stored in sessionStorage, any successful XSS attack could enable the theft of session cookies and administrative tokens.\n\n#### Description\nWhen an application uses input fields, it is important that user input is adequately filtered for malicious HTML and JavaScript characters. When adequate input validation is not applied, Cross-Site Scripting (XSS) vulnerabilities may arise. These allow malicious actors to inject malicious code into application pages. When a user visits the page, the code is executed in the user's web browser. This allows malicious actors to perform malicious actions in the name of that user. XSS can be divided into three variants: Persistent XSS, Reflective XSS and DOM-based XSS. In Reflective XSS, a malicious actor injects malicious JavaScript code into a URL. Every time the user visits this URL, the JavaScript code is executed in the user’s browser.\n\n#### Applicability \nDue to a lack of input validation, the Shopware application contain XSS vulnerabilities. The JavaScript variable 'activeRouteParameters' lacks input validation, which makes it vulnerable to XSS attacks at the following endpoints:\n\n- /page/cms/*\n- /widget/cms/*\n\nThe lack of input validation enables malicious actors to inject harmful JavaScript-code into the affected pages. When a user visits the page, the code is executed within the user’s web browser. This enables malicious actors to perform (harmful) actions on behalf of the affected user. No user account is required to exploit this vulnerability.\n\n#### Reproduction\nTo reproduce this vulnerability, the steps below can be followed.\n1. Navigate to the URL below containing the XSS payload:\nhttps://pentest-saas-2025-2.shopware.store/page/cms/'+alert('REQON')+'\n2. Observe that a pop-up is shown indicating that the JavaScript code has been executed.\n\n#### Workarounds\nFor older versions of 6.7, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "shopware/shopware"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.7.0.0"
+            },
+            {
+              "fixed": "6.7.2.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "shopware/core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.7.0.0"
+            },
+            {
+              "fixed": "6.7.2.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/shopware/shopware/security/advisories/GHSA-9v82-vcjx-m76j"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/shopware/shopware/commit/12fb537c5ebe009f2a0f58b9c24dbd2d6b4c508f"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/shopware/shopware"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/shopware/shopware/releases/tag/v6.7.2.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-09-10T20:46:20Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/09/GHSA-fghv-69vj-qj49/GHSA-fghv-69vj-qj49.json b/advisories/github-reviewed/2025/09/GHSA-fghv-69vj-qj49/GHSA-fghv-69vj-qj49.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fghv-69vj-qj49",
-  "modified": "2025-09-05T18:23:55Z",
+  "modified": "2025-09-10T20:48:05Z",
   "published": "2025-09-04T17:35:20Z",
   "aliases": [
     "CVE-2025-58056"
@@ -54,6 +54,10 @@
       "type": "WEB",
       "url": "https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58056"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/JLLeitschuh/unCVEed/issues/1"
@@ -74,6 +78,10 @@
       "type": "WEB",
       "url": "https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284"
     },
+    {
+      "type": "WEB",
+      "url": "https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/netty/netty"
@@ -90,6 +98,6 @@
     "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2025-09-04T17:35:20Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-09-03T21:15:33Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/09/GHSA-v2p7-4pv4-3wwh/GHSA-v2p7-4pv4-3wwh.json b/advisories/github-reviewed/2025/09/GHSA-v2p7-4pv4-3wwh/GHSA-v2p7-4pv4-3wwh.json
@@ -0,0 +1,96 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v2p7-4pv4-3wwh",
+  "modified": "2025-09-10T20:47:07Z",
+  "published": "2025-09-10T20:47:07Z",
+  "aliases": [
+    "CVE-2025-59036"
+  ],
+  "summary": "Infrahub: Deleted and expired API tokens can still authenticate",
+  "details": "### Impact\nA bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully.\n\n### Patches\nThis issue is fixed in versions `1.3.9` and `1.4.5`\n\n### Workarounds\nUsers can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "infrahub-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.3.9"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "infrahub-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.4.0"
+            },
+            {
+              "fixed": "1.4.5"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/opsmill/infrahub/security/advisories/GHSA-v2p7-4pv4-3wwh"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59036"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/opsmill/infrahub/commit/215185f217e2f754f7c0a0aa4b77e11079a063a1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/opsmill/infrahub/commit/61b49a4a9e988f10c3a44f0e86ef97f344a1e228"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/opsmill/infrahub"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/opsmill/infrahub/releases/tag/infrahub-v1.3.9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/opsmill/infrahub/releases/tag/infrahub-v1.4.5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-298"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-09-10T20:47:07Z",
+    "nvd_published_at": "2025-09-09T22:15:34Z"
+  }
+}
