Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2025/12/GHSA-2733-h98q-64p4/GHSA-2733-h98q-64p4.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2733-h98q-64p4",
+  "modified": "2025-12-30T21:30:33Z",
+  "published": "2025-12-30T21:30:32Z",
+  "aliases": [
+    "CVE-2025-15354"
+  ],
+  "details": "A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/add_admin.php. Executing manipulation of the argument Username can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15354"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/BUPT2025201/CVE/issues/2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338741"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338741"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.726282"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-30T20:16:00Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-35f9-r8q8-pqf5/GHSA-35f9-r8q8-pqf5.json

@@ -42,7 +42,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-266"
+      "CWE-266",
+      "CWE-863"
     ],
     "severity": "LOW",
     "github_reviewed": false,

advisories/unreviewed/2025/12/GHSA-36pw-gpfg-hfxr/GHSA-36pw-gpfg-hfxr.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-36pw-gpfg-hfxr",
-  "modified": "2025-12-12T00:30:21Z",
+  "modified": "2025-12-30T21:30:25Z",
   "published": "2025-12-12T00:30:21Z",
   "aliases": [
     "CVE-2024-58309"
   ],
   "details": "xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2025/12/GHSA-36vw-m4cf-f8jm/GHSA-36vw-m4cf-f8jm.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-36vw-m4cf-f8jm",
-  "modified": "2025-12-10T21:31:37Z",
+  "modified": "2025-12-30T21:30:25Z",
   "published": "2025-12-10T21:31:37Z",
   "aliases": [
     "CVE-2020-36901"
   ],
   "details": "UBICOD Medivision Digital Signage 1.5.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that submits a form to the /query/user/itSet endpoint to add a new admin user with elevated privileges.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2025/12/GHSA-3h23-rfwm-gcx3/GHSA-3h23-rfwm-gcx3.json

@@ -58,7 +58,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-404"
+      "CWE-404",
+      "CWE-476"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2025/12/GHSA-44xp-hxfq-7fh9/GHSA-44xp-hxfq-7fh9.json

@@ -54,7 +54,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-119"
+      "CWE-119",
+      "CWE-787"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2025/12/GHSA-4g6x-74c2-rfr9/GHSA-4g6x-74c2-rfr9.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4g6x-74c2-rfr9",
+  "modified": "2025-12-30T21:30:32Z",
+  "published": "2025-12-30T21:30:32Z",
+  "aliases": [
+    "CVE-2025-15264"
+  ],
+  "details": "A vulnerability was determined in FeehiCMS up to 2.1.1. Impacted is an unknown function of the file frontend/web/timthumb.php of the component TimThumb. Executing manipulation of the argument src can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15264"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338663"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338663"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.718278"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-30T19:15:44Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-54r5-8767-w6vq/GHSA-54r5-8767-w6vq.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-54r5-8767-w6vq",
+  "modified": "2025-12-30T21:30:32Z",
+  "published": "2025-12-30T21:30:32Z",
+  "aliases": [
+    "CVE-2025-50343"
+  ],
+  "details": "An issue was discovered in matio 1.5.28. A heap-based memory corruption can occur in Mat_VarCreateStruct() when the nfields value does not match the actual number of strings in the fields array. This leads to out-of-bounds reads and invalid memory frees during cleanup, potentially causing a segmentation fault or heap corruption.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50343"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/tbeu/matio/issues/275"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zakkanijia/POC/blob/main/matio/CVE-2025-50343/matio.md"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-30T20:16:00Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-5rqh-29cg-rcqm/GHSA-5rqh-29cg-rcqm.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5rqh-29cg-rcqm",
+  "modified": "2025-12-30T21:30:33Z",
+  "published": "2025-12-30T21:30:33Z",
+  "aliases": [
+    "CVE-2025-66723"
+  ],
+  "details": "inMusic Brands Engine DJ 4.3.0 suffers from Insecure Permissions due to exposed HTTP service in the Remote Library, which allows attackers to access all files and network paths.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66723"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/audiopump/cve-2025-66723"
+    },
+    {
+      "type": "WEB",
+      "url": "http://inmusic.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-30T21:15:44Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-5vw2-j3g7-v489/GHSA-5vw2-j3g7-v489.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5vw2-j3g7-v489",
+  "modified": "2025-12-30T21:30:32Z",
+  "published": "2025-12-30T21:30:32Z",
+  "aliases": [
+    "CVE-2025-66834"
+  ],
+  "details": "A CSV Formula Injection vulnerability in TrueConf Server v5.5.2.10813 allows a normal user to inject malicious spreadsheet formulas into exported chat logs via crafted Display Name.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66834"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66834/README.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://trueconf.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-30T19:15:44Z"
+  }
+}