Publish Advisories

GHSA-3x8r-x6xp-q4vm
GHSA-5x79-w82f-gw8w
GHSA-9h9g-93gc-623h
GHSA-mcvf-2q2m-x72m
GHSA-rrfc-7g8p-99q8
GHSA-w9mr-4mfr-499f
GHSA-hfrx-6qgj-fp6c
GHSA-w7pp-m8wf-vj6r
GHSA-7j98-h7fp-4vwj
GHSA-rrm6-wvj7-cwh2

Author: advisory-database[bot]

advisories/github-reviewed/2022/12/GHSA-3x8r-x6xp-q4vm/GHSA-3x8r-x6xp-q4vm.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3x8r-x6xp-q4vm",
-  "modified": "2022-12-13T17:40:50Z",
+  "modified": "2025-11-04T16:41:06Z",
   "published": "2022-12-13T17:40:50Z",
   "aliases": [
     "CVE-2022-23516"
   ],
   "summary": "Uncontrolled Recursion in Loofah",
-  "details": "## Summary\n\nLoofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception.  This may lead to a denial of service through CPU resource consumption.\n\n\n## Mitigation\n\nUpgrade to Loofah `>= 2.19.1`.\n\nUsers who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.\n\n\n## Severity\n\nThe Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-674: Uncontrolled Recursion (4.9)](https://cwe.mitre.org/data/definitions/674.html)\n",
+  "details": "## Summary\n\nLoofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception.  This may lead to a denial of service through CPU resource consumption.\n\n\n## Mitigation\n\nUpgrade to Loofah `>= 2.19.1`.\n\nUsers who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.\n\n\n## Severity\n\nThe Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-674: Uncontrolled Recursion (4.9)](https://cwe.mitre.org/data/definitions/674.html)",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -59,6 +59,10 @@
     {
       "type": "WEB",
       "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2022/12/GHSA-5x79-w82f-gw8w/GHSA-5x79-w82f-gw8w.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5x79-w82f-gw8w",
-  "modified": "2022-12-13T17:43:02Z",
+  "modified": "2025-11-04T16:41:23Z",
   "published": "2022-12-13T17:43:02Z",
   "aliases": [
     "CVE-2022-23517"
   ],
   "summary": "Inefficient Regular Expression Complexity in rails-html-sanitizer",
-  "details": "## Summary\n\nCertain configurations of rails-html-sanitizer `< 1.4.4` use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `>= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html)\n- https://hackerone.com/reports/1684163\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).\n",
+  "details": "## Summary\n\nCertain configurations of rails-html-sanitizer `< 1.4.4` use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `>= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html)\n- https://hackerone.com/reports/1684163\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -63,6 +63,10 @@
     {
       "type": "WEB",
       "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2022/12/GHSA-9h9g-93gc-623h/GHSA-9h9g-93gc-623h.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9h9g-93gc-623h",
-  "modified": "2025-02-13T18:33:18Z",
+  "modified": "2025-11-04T16:41:59Z",
   "published": "2022-12-13T17:50:25Z",
   "aliases": [
     "CVE-2022-23519"
@@ -59,6 +59,10 @@
     {
       "type": "WEB",
       "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2022/12/GHSA-mcvf-2q2m-x72m/GHSA-mcvf-2q2m-x72m.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mcvf-2q2m-x72m",
-  "modified": "2023-09-14T16:22:23Z",
+  "modified": "2025-11-04T16:41:46Z",
   "published": "2022-12-13T17:45:39Z",
   "aliases": [
     "CVE-2022-23518"
   ],
   "summary": "Improper neutralization of data URIs may allow XSS in rails-html-sanitizer",
-  "details": "## Summary\n\nrails-html-sanitizer `>= 1.0.3, < 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `>= 2.1.0`.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `>= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266)\n- https://github.com/rails/rails-html-sanitizer/issues/135\n- https://hackerone.com/reports/1694173\n\n\n## Credit\n\nThis vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche).\n",
+  "details": "## Summary\n\nrails-html-sanitizer `>= 1.0.3, < 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `>= 2.1.0`.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `>= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266)\n- https://github.com/rails/rails-html-sanitizer/issues/135\n- https://hackerone.com/reports/1694173\n\n\n## Credit\n\nThis vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche).",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -67,6 +67,10 @@
     {
       "type": "WEB",
       "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2022/12/GHSA-rrfc-7g8p-99q8/GHSA-rrfc-7g8p-99q8.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rrfc-7g8p-99q8",
-  "modified": "2025-02-13T18:33:21Z",
+  "modified": "2025-11-04T16:42:27Z",
   "published": "2022-12-13T17:51:40Z",
   "aliases": [
     "CVE-2022-23520"
@@ -59,6 +59,10 @@
     {
       "type": "WEB",
       "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2023/01/GHSA-w9mr-4mfr-499f/GHSA-w9mr-4mfr-499f.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w9mr-4mfr-499f",
-  "modified": "2023-01-11T23:00:55Z",
+  "modified": "2025-11-04T16:42:14Z",
   "published": "2023-01-05T12:30:27Z",
   "aliases": [
     "CVE-2017-20162"
@@ -56,6 +56,10 @@
       "type": "WEB",
       "url": "https://github.com/vercel/ms/releases/tag/2.0.0"
     },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20241108-0002"
+    },
     {
       "type": "WEB",
       "url": "https://vuldb.com/?ctiid.217451"

advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hfrx-6qgj-fp6c",
-  "modified": "2025-11-03T22:29:46Z",
+  "modified": "2025-11-04T16:42:59Z",
   "published": "2023-02-20T18:30:17Z",
   "aliases": [
     "CVE-2023-24998"
@@ -232,6 +232,10 @@
       "type": "WEB",
       "url": "https://tomcat.apache.org/security-10.html"
     },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20241108-0002"
+    },
     {
       "type": "WEB",
       "url": "https://security.netapp.com/advisory/ntap-20230302-0013"

advisories/github-reviewed/2023/02/GHSA-w7pp-m8wf-vj6r/GHSA-w7pp-m8wf-vj6r.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w7pp-m8wf-vj6r",
-  "modified": "2024-09-13T20:07:50Z",
+  "modified": "2025-11-04T16:43:33Z",
   "published": "2023-02-07T20:54:10Z",
   "aliases": [
     "CVE-2023-23931"
@@ -63,6 +63,14 @@
     {
       "type": "WEB",
       "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.netapp.com/advisory/ntap-20230324-0007"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2023/03/GHSA-7j98-h7fp-4vwj/GHSA-7j98-h7fp-4vwj.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7j98-h7fp-4vwj",
-  "modified": "2023-03-29T18:31:35Z",
+  "modified": "2025-11-04T16:42:43Z",
   "published": "2023-03-29T18:31:35Z",
   "aliases": [
     "CVE-2023-28447"
   ],
   "summary": "smarty Cross-site Scripting vulnerability in Javascript escaping ",
-  "details": "### Impact\nAn attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user.\n\n### Patches\nPlease upgrade to the most recent version of Smarty v3 or v4.\n\n### For more information\nIf you have any questions or comments about this advisory please open an issue in [the Smarty repo](https://github.com/smarty-php/smarty)\n",
+  "details": "### Impact\nAn attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user.\n\n### Patches\nPlease upgrade to the most recent version of Smarty v3 or v4.\n\n### For more information\nIf you have any questions or comments about this advisory please open an issue in [the Smarty repo](https://github.com/smarty-php/smarty)",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -75,6 +75,10 @@
       "type": "PACKAGE",
       "url": "https://github.com/smarty-php/smarty"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00013.html"
+    },
     {
       "type": "WEB",
       "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ"

advisories/github-reviewed/2023/04/GHSA-rrm6-wvj7-cwh2/GHSA-rrm6-wvj7-cwh2.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rrm6-wvj7-cwh2",
-  "modified": "2025-02-13T18:54:23Z",
+  "modified": "2025-11-04T16:43:46Z",
   "published": "2023-04-21T20:24:21Z",
   "aliases": [
     "CVE-2023-30608"
@@ -68,6 +68,10 @@
       "type": "WEB",
       "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00017.html"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00022.html"
+    },
     {
       "type": "WEB",
       "url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"