Publish Advisories

GHSA-m7gw-975p-jwfj
GHSA-9x68-7qq6-v523
GHSA-34hw-4cqq-qh3w
GHSA-8376-84xq-6jjp
GHSA-c4h7-r924-5jg8
GHSA-fvh3-hc2j-x6cc
GHSA-ghjx-924r-mqm7
GHSA-r767-8x6q-rpfx
GHSA-w47f-xmcq-j6m3
GHSA-wcjp-gpp5-94xv

Author: advisory-database[bot]

advisories/unreviewed/2024/06/GHSA-m7gw-975p-jwfj/GHSA-m7gw-975p-jwfj.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m7gw-975p-jwfj",
-  "modified": "2024-06-27T12:30:47Z",
+  "modified": "2025-12-17T03:30:13Z",
   "published": "2024-06-03T09:30:48Z",
   "aliases": [
     "CVE-2024-36964"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: only translate RWX permissions for plain 9P2000\n\nGarbage in plain 9P2000's perm bits is allowed through, which causes it\nto be able to set (among others) the suid bit. This was presumably not\nthe intent since the unix extended bits are handled explicitly and\nconditionally on .u.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -53,7 +58,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-06-03T08:15:09Z"

advisories/unreviewed/2025/01/GHSA-9x68-7qq6-v523/GHSA-9x68-7qq6-v523.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9x68-7qq6-v523",
-  "modified": "2025-12-16T12:30:27Z",
+  "modified": "2025-12-17T03:30:13Z",
   "published": "2025-01-14T18:32:00Z",
   "aliases": [
     "CVE-2024-12087"
@@ -31,6 +31,14 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:23235"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23407"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23416"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:2600"

advisories/unreviewed/2025/12/GHSA-34hw-4cqq-qh3w/GHSA-34hw-4cqq-qh3w.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-34hw-4cqq-qh3w",
+  "modified": "2025-12-17T03:30:13Z",
+  "published": "2025-12-17T03:30:13Z",
+  "aliases": [
+    "CVE-2025-14700"
+  ],
+  "details": "An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14700"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/646"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1336"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-17T01:15:59Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-8376-84xq-6jjp/GHSA-8376-84xq-6jjp.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8376-84xq-6jjp",
+  "modified": "2025-12-17T03:30:13Z",
+  "published": "2025-12-17T03:30:13Z",
+  "aliases": [
+    "CVE-2025-14701"
+  ],
+  "details": "An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14701"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/647"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-17T01:15:59Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-c4h7-r924-5jg8/GHSA-c4h7-r924-5jg8.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c4h7-r924-5jg8",
+  "modified": "2025-12-17T03:30:13Z",
+  "published": "2025-12-17T03:30:13Z",
+  "aliases": [
+    "CVE-2025-11369"
+  ],
+  "details": "The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to a missing or incorrect capability checks on the get_instagram_access_token_callback, google_map_api_key_save_callback and get_siteinfo functions in all versions up to, and including, 5.7.2. This makes it possible for authenticated attackers, with Author-level access and above, to view API keys configured for the external services.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11369"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/GoogleMap.php#L50"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/Instagram.php#L20"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/OpenVerse.php#L108"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e5b1e90-53f7-4afc-9544-c36afe1ee813?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-17T02:16:00Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-fvh3-hc2j-x6cc/GHSA-fvh3-hc2j-x6cc.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fvh3-hc2j-x6cc",
+  "modified": "2025-12-17T03:30:14Z",
+  "published": "2025-12-17T03:30:13Z",
+  "aliases": [
+    "CVE-2025-14801"
+  ],
+  "details": "A security vulnerability has been detected in xiweicheng TMS up to 2.28.0. This affects the function createComment of the file /admin/blog/comment/create. Such manipulation of the argument content leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14801"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ha1yu-Yiqiyin/warehouse/blob/main/TMS_v2.28.0_XSS-1.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.336939"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.336939"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.708322"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-17T02:16:00Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-ghjx-924r-mqm7/GHSA-ghjx-924r-mqm7.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ghjx-924r-mqm7",
+  "modified": "2025-12-17T03:30:13Z",
+  "published": "2025-12-17T03:30:13Z",
+  "aliases": [
+    "CVE-2025-53524"
+  ],
+  "details": "Fuji Electric Monitouch V-SFT-6 is vulnerable to an out-of-bounds write \nwhile processing a specially crafted project file, which may allow an \nattacker to execute arbitrary code.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53524"
+    },
+    {
+      "type": "WEB",
+      "url": "https://felib.fujielectric.co.jp/en/document_search?tab=software&document1%5B1%5D=M10009&document2%5B1%5D=M20104&product1%5B1%5D=P10003&product2%5B1%5D=P20023&product3%5B1%5D=P30623&product4%5B1%5D=S11133&discontinued%5B1%5D=0&count=20&sort=en_title&page=1&region=en-glb"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-308-01.json"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-01"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-17T01:15:59Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-r767-8x6q-rpfx/GHSA-r767-8x6q-rpfx.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-r767-8x6q-rpfx",
+  "modified": "2025-12-17T03:30:13Z",
+  "published": "2025-12-17T03:30:13Z",
+  "aliases": [
+    "CVE-2025-14302"
+  ],
+  "details": "Certain motherboard models developed by GIGABYTE has a Protection Mechanism Failure vulnerability. Because IOMMU was not properly enabled, unauthenticated physical attackers can use a DMA-capable PCIe device to read and write arbitrary physical memory before the OS kernel and its security features are loaded.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14302"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.gigabyte.com/Support/Security?type=1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-10575-e4f41-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-10574-ddf09-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-693"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-17T03:15:57Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-w47f-xmcq-j6m3/GHSA-w47f-xmcq-j6m3.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w47f-xmcq-j6m3",
+  "modified": "2025-12-17T03:30:13Z",
+  "published": "2025-12-17T03:30:13Z",
+  "aliases": [
+    "CVE-2025-14303"
+  ],
+  "details": "Certain motherboard models developed by MSI has a Protection Mechanism Failure vulnerability. Because IOMMU was not properly enabled, unauthenticated physical attackers can use a DMA-capable PCIe device to read and write arbitrary physical memory before the OS kernel and its security features are loaded.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14303"
+    },
+    {
+      "type": "WEB",
+      "url": "https://csr.msi.com/global/product-security-advisories"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-10577-3cd58-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-10576-0a0fd-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-693"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-17T03:15:57Z"
+  }
+}