Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit b2f5f02028f2 · 2025-12-16T12:31:58.000Z
GHSA-9x68-7qq6-v523 GHSA-jx2m-wgq5-5qcj GHSA-fpq4-r87v-g246 GHSA-2q98-7m46-rq23 GHSA-8vh6-v9pf-9wpq GHSA-cc8c-28gj-px38 GHSA-hvcw-x8r7-vqvw GHSA-j2v6-pm7r-ggcf GHSA-mrcm-cqrc-38qw
diff --git a/advisories/unreviewed/2025/01/GHSA-9x68-7qq6-v523/GHSA-9x68-7qq6-v523.json b/advisories/unreviewed/2025/01/GHSA-9x68-7qq6-v523/GHSA-9x68-7qq6-v523.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9x68-7qq6-v523",
-  "modified": "2025-12-15T09:31:28Z",
+  "modified": "2025-12-16T12:30:27Z",
   "published": "2025-01-14T18:32:00Z",
   "aliases": [
     "CVE-2024-12087"
@@ -27,6 +27,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:23154"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23235"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:2600"
diff --git a/advisories/unreviewed/2025/05/GHSA-jx2m-wgq5-5qcj/GHSA-jx2m-wgq5-5qcj.json b/advisories/unreviewed/2025/05/GHSA-jx2m-wgq5-5qcj/GHSA-jx2m-wgq5-5qcj.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jx2m-wgq5-5qcj",
-  "modified": "2025-12-16T03:31:16Z",
+  "modified": "2025-12-16T12:30:27Z",
   "published": "2025-05-30T15:30:31Z",
   "aliases": [
     "CVE-2025-4598"
@@ -27,6 +27,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:22868"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23227"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:23234"
diff --git a/advisories/unreviewed/2025/10/GHSA-fpq4-r87v-g246/GHSA-fpq4-r87v-g246.json b/advisories/unreviewed/2025/10/GHSA-fpq4-r87v-g246/GHSA-fpq4-r87v-g246.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fpq4-r87v-g246",
-  "modified": "2025-10-24T15:31:23Z",
+  "modified": "2025-12-16T12:30:27Z",
   "published": "2025-10-17T21:31:17Z",
   "aliases": [
     "CVE-2025-34281"
@@ -27,6 +27,14 @@
       "type": "WEB",
       "url": "https://github.com/thingsboard/thingsboard/pull/13927"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/thingsboard/thingsboard/commit/b2ae6f92d12206ea185a2e882945a6b69234bf03"
+    },
+    {
+      "type": "WEB",
+      "url": "https://advisory.checkmarx.net/advisory/CVE-2025-3261"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/thingsboard/thingsboard/releases/tag/v4.2.1"
diff --git a/advisories/unreviewed/2025/12/GHSA-2q98-7m46-rq23/GHSA-2q98-7m46-rq23.json b/advisories/unreviewed/2025/12/GHSA-2q98-7m46-rq23/GHSA-2q98-7m46-rq23.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2q98-7m46-rq23",
+  "modified": "2025-12-16T12:30:28Z",
+  "published": "2025-12-16T12:30:28Z",
+  "aliases": [
+    "CVE-2025-11220"
+  ],
+  "details": "The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3  due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11220"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3414494/elementor"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a73c078-ce66-4131-8bd7-6fd48fc9fa84?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-16T12:15:45Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-8vh6-v9pf-9wpq/GHSA-8vh6-v9pf-9wpq.json b/advisories/unreviewed/2025/12/GHSA-8vh6-v9pf-9wpq/GHSA-8vh6-v9pf-9wpq.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8vh6-v9pf-9wpq",
+  "modified": "2025-12-16T12:30:28Z",
+  "published": "2025-12-16T12:30:28Z",
+  "aliases": [
+    "CVE-2025-14002"
+  ],
+  "details": "The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14002"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/class-sesstion.php#L29"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/member-functions.php#L833"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3411048/wpcom-member"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f02ee56-40bd-4132-92e1-e2897ff2a4c4?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-16T10:15:42Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-cc8c-28gj-px38/GHSA-cc8c-28gj-px38.json b/advisories/unreviewed/2025/12/GHSA-cc8c-28gj-px38/GHSA-cc8c-28gj-px38.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cc8c-28gj-px38",
-  "modified": "2025-12-15T18:30:40Z",
+  "modified": "2025-12-16T12:30:28Z",
   "published": "2025-12-15T18:30:40Z",
   "aliases": [
     "CVE-2025-11393"
@@ -19,6 +19,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11393"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23236"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-11393"
diff --git a/advisories/unreviewed/2025/12/GHSA-hvcw-x8r7-vqvw/GHSA-hvcw-x8r7-vqvw.json b/advisories/unreviewed/2025/12/GHSA-hvcw-x8r7-vqvw/GHSA-hvcw-x8r7-vqvw.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hvcw-x8r7-vqvw",
+  "modified": "2025-12-16T12:30:28Z",
+  "published": "2025-12-16T12:30:28Z",
+  "aliases": [
+    "CVE-2025-13741"
+  ],
+  "details": "The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to retrieve emails for all users with edit_posts capability.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13741"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/post-expirator/tags/4.9.1/src/Modules/Workflows/Rest/RestApiV1.php#L376"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2f67da8c-da60-4c77-a8b8-7dfc027662e9?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-16T12:15:46Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-j2v6-pm7r-ggcf/GHSA-j2v6-pm7r-ggcf.json b/advisories/unreviewed/2025/12/GHSA-j2v6-pm7r-ggcf/GHSA-j2v6-pm7r-ggcf.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j2v6-pm7r-ggcf",
+  "modified": "2025-12-16T12:30:28Z",
+  "published": "2025-12-16T12:30:28Z",
+  "aliases": [
+    "CVE-2025-13474"
+  ],
+  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers.This issue affects Mobile App: before 9.5.8.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13474"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.usom.gov.tr/bildirim/tr-25-0457"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-639"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-16T12:15:46Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-mrcm-cqrc-38qw/GHSA-mrcm-cqrc-38qw.json b/advisories/unreviewed/2025/12/GHSA-mrcm-cqrc-38qw/GHSA-mrcm-cqrc-38qw.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mrcm-cqrc-38qw",
+  "modified": "2025-12-16T12:30:28Z",
+  "published": "2025-12-16T12:30:28Z",
+  "aliases": [
+    "CVE-2025-0836"
+  ],
+  "details": "Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to Management Server to have full read/write access to MIP Webhooks API.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0836"
+    },
+    {
+      "type": "WEB",
+      "url": "https://doc.milestonesys.com/en-US/bundle/sec1504_latest/page/Milestone_Security_Advisory.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://supportcommunity.milestonesys.com/s/article/XProtect-VMS-cumulative-patches-complete-list?language=en_US"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-16T11:15:43Z"
+  }
+}
