Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit a87d03096488 · 2025-11-25T00:33:08.000Z
GHSA-3q8m-2mjw-v5cg GHSA-g3qw-5m3w-vr84 GHSA-g6mh-6454-qm24 GHSA-gx78-xfgv-xgx7 GHSA-hxvg-xxq8-4wc2 GHSA-pgjh-rx3f-6555 GHSA-wg65-qr54-32p9
diff --git a/advisories/unreviewed/2025/11/GHSA-3q8m-2mjw-v5cg/GHSA-3q8m-2mjw-v5cg.json b/advisories/unreviewed/2025/11/GHSA-3q8m-2mjw-v5cg/GHSA-3q8m-2mjw-v5cg.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3q8m-2mjw-v5cg",
+  "modified": "2025-11-25T00:31:41Z",
+  "published": "2025-11-25T00:31:41Z",
+  "aliases": [
+    "CVE-2025-54347"
+  ],
+  "details": "A Directory Traversal vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to write arbitrary files under certain conditions.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54347"
+    },
+    {
+      "type": "WEB",
+      "url": "https://desktopalert.net/cve-2025-54347"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-24T22:15:49Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-g3qw-5m3w-vr84/GHSA-g3qw-5m3w-vr84.json b/advisories/unreviewed/2025/11/GHSA-g3qw-5m3w-vr84/GHSA-g3qw-5m3w-vr84.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g3qw-5m3w-vr84",
+  "modified": "2025-11-25T00:31:41Z",
+  "published": "2025-11-25T00:31:41Z",
+  "aliases": [
+    "CVE-2025-54563"
+  ],
+  "details": "An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Incorrect Access Control, leading to Remote Information Disclosure.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54563"
+    },
+    {
+      "type": "WEB",
+      "url": "https://desktopalert.net/cve-2025-54563"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-24T22:15:49Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-g6mh-6454-qm24/GHSA-g6mh-6454-qm24.json b/advisories/unreviewed/2025/11/GHSA-g6mh-6454-qm24/GHSA-g6mh-6454-qm24.json
@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g6mh-6454-qm24",
+  "modified": "2025-11-25T00:31:41Z",
+  "published": "2025-11-25T00:31:41Z",
+  "aliases": [
+    "CVE-2024-47856"
+  ],
+  "details": "In RSA Authentication Agent before 7.4.7, service paths and shortcut paths may be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks. An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended executable.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47856"
+    },
+    {
+      "type": "WEB",
+      "url": "https://community.rsa.com/s/article/RSA-2024-13-RSA-Authentication-Agent-for-Microsoft-Windows-Security-Update"
+    },
+    {
+      "type": "WEB",
+      "url": "https://community.rsa.com/s/product-download/a9G4u000000mCOYEAU/rsa-authentication-agent-747-for-microsoft-windows"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-24T22:15:46Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-gx78-xfgv-xgx7/GHSA-gx78-xfgv-xgx7.json b/advisories/unreviewed/2025/11/GHSA-gx78-xfgv-xgx7/GHSA-gx78-xfgv-xgx7.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gx78-xfgv-xgx7",
+  "modified": "2025-11-25T00:31:41Z",
+  "published": "2025-11-25T00:31:41Z",
+  "aliases": [
+    "CVE-2025-54338"
+  ],
+  "details": "An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to disclose user hashes.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54338"
+    },
+    {
+      "type": "WEB",
+      "url": "https://desktopalert.net/cve-2025-54338"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-24T22:15:48Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-hxvg-xxq8-4wc2/GHSA-hxvg-xxq8-4wc2.json b/advisories/unreviewed/2025/11/GHSA-hxvg-xxq8-4wc2/GHSA-hxvg-xxq8-4wc2.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hxvg-xxq8-4wc2",
+  "modified": "2025-11-25T00:31:41Z",
+  "published": "2025-11-25T00:31:41Z",
+  "aliases": [
+    "CVE-2025-10144"
+  ],
+  "details": "The Perfect Brands for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the `brands` attribute of the `products` shortcode in all versions up to, and including, 3.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10144"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/perfect-woocommerce-brands/tags/3.6.0/lib/class-woocommerce.php#L112"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4618bfd-77d9-4396-b041-d7ba0f6ec75a?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-24T23:15:46Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-pgjh-rx3f-6555/GHSA-pgjh-rx3f-6555.json b/advisories/unreviewed/2025/11/GHSA-pgjh-rx3f-6555/GHSA-pgjh-rx3f-6555.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pgjh-rx3f-6555",
+  "modified": "2025-11-25T00:31:41Z",
+  "published": "2025-11-25T00:31:41Z",
+  "aliases": [
+    "CVE-2025-63674"
+  ],
+  "details": "An issue in Blurams Lumi Security Camera (A31C) v23.1227.472.2926 allows local physical attackers to execute arbitrary code via overriding the bootloader on the SD card.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63674"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vindivlabs.com/research/lumi_part_2"
+    },
+    {
+      "type": "WEB",
+      "url": "http://a31c.com"
+    },
+    {
+      "type": "WEB",
+      "url": "http://blurams.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-24T22:15:49Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-wg65-qr54-32p9/GHSA-wg65-qr54-32p9.json b/advisories/unreviewed/2025/11/GHSA-wg65-qr54-32p9/GHSA-wg65-qr54-32p9.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wg65-qr54-32p9",
+  "modified": "2025-11-25T00:31:41Z",
+  "published": "2025-11-25T00:31:41Z",
+  "aliases": [
+    "CVE-2025-54341"
+  ],
+  "details": "A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There are Hard-coded configuration values.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54341"
+    },
+    {
+      "type": "WEB",
+      "url": "https://desktopalert.net/cve-2025-54341"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-798"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-24T22:15:49Z"
+  }
+}
