Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit cc51cc7a4cfc · 2025-12-02T12:32:47.000Z
GHSA-39hf-cw8g-g4qj GHSA-58w6-w55x-6wq8 GHSA-697w-w949-fhm4 GHSA-8hh6-8639-p8vq GHSA-96fr-rv8q-2885 GHSA-qx6m-hh7f-72hf GHSA-v2x4-9r4m-m784 GHSA-wm7v-q4q9-gqfh GHSA-wr88-5946-rq47
diff --git a/advisories/unreviewed/2025/12/GHSA-39hf-cw8g-g4qj/GHSA-39hf-cw8g-g4qj.json b/advisories/unreviewed/2025/12/GHSA-39hf-cw8g-g4qj/GHSA-39hf-cw8g-g4qj.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-39hf-cw8g-g4qj",
+  "modified": "2025-12-02T12:30:28Z",
+  "published": "2025-12-02T12:30:28Z",
+  "aliases": [
+    "CVE-2025-13090"
+  ],
+  "details": "The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in all versions up to, and including, 1.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13090"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396348%40wpdirectorykit&new=3396348%40wpdirectorykit&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3405484%40wpdirectorykit&new=3405484%40wpdirectorykit&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d0fbf502-2dfb-49e5-94a6-1525aabc08c1?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-02T12:16:18Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-58w6-w55x-6wq8/GHSA-58w6-w55x-6wq8.json b/advisories/unreviewed/2025/12/GHSA-58w6-w55x-6wq8/GHSA-58w6-w55x-6wq8.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-58w6-w55x-6wq8",
+  "modified": "2025-12-02T12:30:28Z",
+  "published": "2025-12-02T12:30:28Z",
+  "aliases": [
+    "CVE-2025-13870"
+  ],
+  "details": "Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13870"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-02T10:16:01Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-697w-w949-fhm4/GHSA-697w-w949-fhm4.json b/advisories/unreviewed/2025/12/GHSA-697w-w949-fhm4/GHSA-697w-w949-fhm4.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-697w-w949-fhm4",
+  "modified": "2025-12-02T12:30:28Z",
+  "published": "2025-12-02T12:30:28Z",
+  "aliases": [
+    "CVE-2025-41744"
+  ],
+  "details": "Sprecher Automations SPRECON-E series uses default cryptographic keys that allow an unprivileged remote attacker to access all encrypted communications, thereby compromising confidentiality and integrity.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41744"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1394"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-02T11:15:51Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-8hh6-8639-p8vq/GHSA-8hh6-8639-p8vq.json b/advisories/unreviewed/2025/12/GHSA-8hh6-8639-p8vq/GHSA-8hh6-8639-p8vq.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8hh6-8639-p8vq",
+  "modified": "2025-12-02T12:30:28Z",
+  "published": "2025-12-02T12:30:28Z",
+  "aliases": [
+    "CVE-2025-13872"
+  ],
+  "details": "Blind Server-Side Request Forgery (SSRF) in the survey-import feature of \n\n ObjectPlanet Opinio 7.26 rev12562 on \n\nWeb-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests \n\n to an arbitrary destination.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13872"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.objectplanet.com/opinio/changelog.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-02T10:16:01Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-96fr-rv8q-2885/GHSA-96fr-rv8q-2885.json b/advisories/unreviewed/2025/12/GHSA-96fr-rv8q-2885/GHSA-96fr-rv8q-2885.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-96fr-rv8q-2885",
-  "modified": "2025-12-01T15:30:18Z",
+  "modified": "2025-12-02T12:30:27Z",
   "published": "2025-12-01T15:30:18Z",
   "aliases": [
     "CVE-2025-13129"
diff --git a/advisories/unreviewed/2025/12/GHSA-qx6m-hh7f-72hf/GHSA-qx6m-hh7f-72hf.json b/advisories/unreviewed/2025/12/GHSA-qx6m-hh7f-72hf/GHSA-qx6m-hh7f-72hf.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qx6m-hh7f-72hf",
+  "modified": "2025-12-02T12:30:28Z",
+  "published": "2025-12-02T12:30:28Z",
+  "aliases": [
+    "CVE-2025-41742"
+  ],
+  "details": "Sprecher Automations SPRECON-E-C,  SPRECON-E-P, SPRECON-E-T3 is vulnerable to attack by an unauthorized remote attacker via default cryptographic keys. The use of these keys allows the attacker to read, modify, and write projects and data, or to access any device via remote maintenance.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41742"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511042_de.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1394"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-02T11:15:51Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-v2x4-9r4m-m784/GHSA-v2x4-9r4m-m784.json b/advisories/unreviewed/2025/12/GHSA-v2x4-9r4m-m784/GHSA-v2x4-9r4m-m784.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v2x4-9r4m-m784",
+  "modified": "2025-12-02T12:30:28Z",
+  "published": "2025-12-02T12:30:28Z",
+  "aliases": [
+    "CVE-2025-41743"
+  ],
+  "details": "Insufficient encryption strength in Sprecher Automation SPRECON-E-C, SPRECON-E-P, and SPRECON-E-T3 allows a local unprivileged attacker to extract data from update images and thus obtain limited information about the architecture and internal processes.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41743"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-326"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-02T11:15:51Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-wm7v-q4q9-gqfh/GHSA-wm7v-q4q9-gqfh.json b/advisories/unreviewed/2025/12/GHSA-wm7v-q4q9-gqfh/GHSA-wm7v-q4q9-gqfh.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wm7v-q4q9-gqfh",
+  "modified": "2025-12-02T12:30:28Z",
+  "published": "2025-12-02T12:30:28Z",
+  "aliases": [
+    "CVE-2025-13871"
+  ],
+  "details": "Cross-Site Request Forgery (CSRF) in the resource-management feature of \n\nObjectPlanet Opinio 7.26 rev12562\n\n allows to upload \nfiles on behalf of the connected users and then access such files without authentication.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13871"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.objectplanet.com/opinio/changelog.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-02T10:16:01Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-wr88-5946-rq47/GHSA-wr88-5946-rq47.json b/advisories/unreviewed/2025/12/GHSA-wr88-5946-rq47/GHSA-wr88-5946-rq47.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wr88-5946-rq47",
+  "modified": "2025-12-02T12:30:28Z",
+  "published": "2025-12-02T12:30:28Z",
+  "aliases": [
+    "CVE-2025-13873"
+  ],
+  "details": "Stored Cross-Site Scripting (XSS) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13873"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.objectplanet.com/opinio/changelog.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-02T10:16:02Z"
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-96fr-rv8q-2885",`
`4`		`- "modified": "2025-12-01T15:30:18Z",`
	`4`	`+ "modified": "2025-12-02T12:30:27Z",`
`5`	`5`	`"published": "2025-12-01T15:30:18Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2025-13129"`