Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit e70a68fd6f7b · 2025-11-27T08:01:17.000Z
GHSA-x7m3-jprg-wc5g GHSA-m85w-3h95-hcf9 GHSA-7ff4-jw48-3436
diff --git a/advisories/github-reviewed/2023/09/GHSA-x7m3-jprg-wc5g/GHSA-x7m3-jprg-wc5g.json b/advisories/github-reviewed/2023/09/GHSA-x7m3-jprg-wc5g/GHSA-x7m3-jprg-wc5g.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-x7m3-jprg-wc5g",
-  "modified": "2023-10-17T13:28:51Z",
+  "modified": "2025-11-27T07:59:22Z",
   "published": "2023-09-25T12:30:44Z",
   "aliases": [
     "CVE-2023-41419"
@@ -56,6 +56,10 @@
       "type": "WEB",
       "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gevent/PYSEC-2023-177.yaml"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/11/msg00020.html"
+    },
     {
       "type": "WEB",
       "url": "http://www.gevent.org/changelog.html"
diff --git a/advisories/github-reviewed/2024/10/GHSA-m85w-3h95-hcf9/GHSA-m85w-3h95-hcf9.json b/advisories/github-reviewed/2024/10/GHSA-m85w-3h95-hcf9/GHSA-m85w-3h95-hcf9.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m85w-3h95-hcf9",
-  "modified": "2024-10-14T22:24:03Z",
+  "modified": "2025-11-27T08:00:43Z",
   "published": "2024-10-14T20:02:21Z",
   "aliases": [
     "CVE-2024-47885"
   ],
   "summary": "DOM Clobbering Gadget found in astro's client-side router that leads to XSS",
-  "details": "### Summary\n\nA DOM Clobbering gadget has been discoverd in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has *stored* attacker-controlled scriptless HTML elements (i.e., `iframe` tags with unsanitized `name` attributes) on the destination pages.\n\n### Details\n\n#### Backgrounds\n\nDOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:\n\n[1] https://scnps.co/papers/sp23_domclob.pdf\n[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/\n\n\n#### Gadgets found in Astro\n\nWe identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the `<ViewTransitions />` component. When integrated, this component introduces the following vulnerable code, which is executed during page transitions (e.g., clicking an `<a>` link):\n\nhttps://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156\n\nHowever, this implementation is vulnerable to a DOM Clobbering attack. The `document.scripts` lookup can be shadowed by an attacker injected non-script HTML elements (e.g., `<img name=\"scripts\"><img name=\"scripts\">`) via the browser's named DOM access mechanism. This manipulation allows an attacker to replace the intended script elements with an array of attacker-controlled scriptless HTML elements. \n\nThe condition `script.dataset.astroExec === ''` on line 138 can be bypassed because the attacker-controlled element does not have a data-astroExec attribute. Similarly, the check on line 134 can be bypassed as the element does not require a `type` attribute.\n\nFinally, the `innerHTML` of an attacker-injected non-script HTML elements, which is plain text content before, will be set to the `.innerHTML` of an script element that leads to XSS.\n\n\n### PoC\n\nConsider a web application using Astro as the framework with client-side routing enabled and allowing users to embed certain scriptless HTML elements (e.g., `form` or `iframe`). This can be done through a bunch of website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.\n\nFor PoC website, please refer to: `https://stackblitz.com/edit/github-4xgj2d`. Clicking the \"about\" button in the menu will trigger an `alert(1)` from an attacker-injected `form` element.\n\n```\n---\nimport Header from \"../components/Header.astro\";\nimport Footer from \"../components/Footer.astro\";\nimport { ViewTransitions } from \"astro:transitions\";\nimport \"../styles/global.css\";\nconst { pageTitle } = Astro.props;\n---\n<html lang=\"en\">\n  <head>\n    <meta charset=\"utf-8\" />\n    <link rel=\"icon\" type=\"image/svg+xml\" href=\"/favicon.svg\" />\n    <meta name=\"viewport\" content=\"width=device-width\" />\n    <meta name=\"generator\" content={Astro.generator} />\n    <title>{pageTitle}</title>\n    <ViewTransitions />\n  </head>\n  <body>\n    <!--USER INPUT-->\n    <iframe name=\"scripts\">alert(1)</iframe>\n    <iframe name=\"scripts\">alert(1)</iframe>\n    <!--USER INPUT-->\n    \n    <Header />\n    <h1>{pageTitle}</h1>\n    <slot />\n    <Footer />\n    <script>\n      import \"../scripts/menu.js\";\n    </script>\n  </body>\n</html>\n```\n\n### Impact\n\nThis vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with `ViewTransitions` and store the user-inserted scriptless HTML tags without properly sanitizing the `name` attributes on the page.\n\n### Patch\n\nWe recommend replacing `document.scripts` with `document.getElementsByTagName('script')` for referring to script elements. This will mitigate the possibility of DOM Clobbering attacks leveraging the `name` attribute.\n\n### Reference\n\nSimilar issues for reference:\n+ Webpack ([CVE-2024-43788](https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986))\n+ Vite ([CVE-2024-45812](https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3))\n+ layui ([CVE-2024-47075](https://github.com/layui/layui/security/advisories/GHSA-j827-6rgf-9629))\n",
+  "details": "### Summary\n\nA DOM Clobbering gadget has been discoverd in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has *stored* attacker-controlled scriptless HTML elements (i.e., `iframe` tags with unsanitized `name` attributes) on the destination pages.\n\n### Details\n\n#### Backgrounds\n\nDOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:\n\n[1] https://scnps.co/papers/sp23_domclob.pdf\n[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/\n\n\n#### Gadgets found in Astro\n\nWe identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the `<ViewTransitions />` component. When integrated, this component introduces the following vulnerable code, which is executed during page transitions (e.g., clicking an `<a>` link):\n\nhttps://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156\n\nHowever, this implementation is vulnerable to a DOM Clobbering attack. The `document.scripts` lookup can be shadowed by an attacker injected non-script HTML elements (e.g., `<img name=\"scripts\"><img name=\"scripts\">`) via the browser's named DOM access mechanism. This manipulation allows an attacker to replace the intended script elements with an array of attacker-controlled scriptless HTML elements. \n\nThe condition `script.dataset.astroExec === ''` on line 138 can be bypassed because the attacker-controlled element does not have a data-astroExec attribute. Similarly, the check on line 134 can be bypassed as the element does not require a `type` attribute.\n\nFinally, the `innerHTML` of an attacker-injected non-script HTML elements, which is plain text content before, will be set to the `.innerHTML` of an script element that leads to XSS.\n\n\n### PoC\n\nConsider a web application using Astro as the framework with client-side routing enabled and allowing users to embed certain scriptless HTML elements (e.g., `form` or `iframe`). This can be done through a bunch of website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.\n\nFor PoC website, please refer to: `https://stackblitz.com/edit/github-4xgj2d`. Clicking the \"about\" button in the menu will trigger an `alert(1)` from an attacker-injected `form` element.\n\n```\n---\nimport Header from \"../components/Header.astro\";\nimport Footer from \"../components/Footer.astro\";\nimport { ViewTransitions } from \"astro:transitions\";\nimport \"../styles/global.css\";\nconst { pageTitle } = Astro.props;\n---\n<html lang=\"en\">\n  <head>\n    <meta charset=\"utf-8\" />\n    <link rel=\"icon\" type=\"image/svg+xml\" href=\"/favicon.svg\" />\n    <meta name=\"viewport\" content=\"width=device-width\" />\n    <meta name=\"generator\" content={Astro.generator} />\n    <title>{pageTitle}</title>\n    <ViewTransitions />\n  </head>\n  <body>\n    <!--USER INPUT-->\n    <iframe name=\"scripts\">alert(1)</iframe>\n    <iframe name=\"scripts\">alert(1)</iframe>\n    <!--USER INPUT-->\n    \n    <Header />\n    <h1>{pageTitle}</h1>\n    <slot />\n    <Footer />\n    <script>\n      import \"../scripts/menu.js\";\n    </script>\n  </body>\n</html>\n```\n\n### Impact\n\nThis vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with `ViewTransitions` and store the user-inserted scriptless HTML tags without properly sanitizing the `name` attributes on the page.\n\n### Patch\n\nWe recommend replacing `document.scripts` with `document.getElementsByTagName('script')` for referring to script elements. This will mitigate the possibility of DOM Clobbering attacks leveraging the `name` attribute.\n\n### Reference\n\nSimilar issues for reference:\n+ Webpack ([CVE-2024-43788](https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986))\n+ Vite ([CVE-2024-45812](https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3))\n+ layui ([CVE-2024-47075](https://github.com/layui/layui/security/advisories/GHSA-j827-6rgf-9629))",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -32,10 +32,7 @@
             }
           ]
         }
-      ],
-      "database_specific": {
-        "last_known_affected_version_range": "<= 4.16.0"
-      }
+      ]
     }
   ],
   "references": [
diff --git a/advisories/github-reviewed/2025/11/GHSA-7ff4-jw48-3436/GHSA-7ff4-jw48-3436.json b/advisories/github-reviewed/2025/11/GHSA-7ff4-jw48-3436/GHSA-7ff4-jw48-3436.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7ff4-jw48-3436",
-  "modified": "2025-11-24T21:51:18Z",
+  "modified": "2025-11-27T07:58:33Z",
   "published": "2025-11-24T21:51:18Z",
   "aliases": [
     "CVE-2025-64761"
@@ -40,6 +40,18 @@
       "type": "WEB",
       "url": "https://github.com/openbao/openbao/security/advisories/GHSA-7ff4-jw48-3436"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64761"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openbao/openbao/pull/2143"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openbao/openbao/commit/16bb0ccd37a502930a289d434cbe4e7b4edd66e5"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openbao/openbao/commit/747a1378c2756f86296ad9450f74f6faeecc2eb7"
@@ -55,11 +67,12 @@
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-266",
       "CWE-269"
     ],
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2025-11-24T21:51:18Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-11-25T01:15:46Z"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,13 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-m85w-3h95-hcf9",`
`4`		`- "modified": "2024-10-14T22:24:03Z",`
	`4`	`+ "modified": "2025-11-27T08:00:43Z",`
`5`	`5`	`"published": "2024-10-14T20:02:21Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2024-47885"`
`8`	`8`	`],`
`9`	`9`	`"summary": "DOM Clobbering Gadget found in astro's client-side router that leads to XSS",`
`10`		- "details": "### Summary\n\nA DOM Clobbering gadget has been discoverd in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has stored attacker-controlled scriptless HTML elements (i.e., `iframe` tags with unsanitized `name` attributes) on the destination pages.\n\n### Details\n\n#### Backgrounds\n\nDOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:\n\n[1] https://scnps.co/papers/sp23_domclob.pdf\n[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/\n\n\n#### Gadgets found in Astro\n\nWe identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the `<ViewTransitions />` component. When integrated, this component introduces the following vulnerable code, which is executed during page transitions (e.g., clicking an `<a>` link):\n\nhttps://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156\n\nHowever, this implementation is vulnerable to a DOM Clobbering attack. The `document.scripts` lookup can be shadowed by an attacker injected non-script HTML elements (e.g., `<img name=\"scripts\"><img name=\"scripts\">`) via the browser's named DOM access mechanism. This manipulation allows an attacker to replace the intended script elements with an array of attacker-controlled scriptless HTML elements. \n\nThe condition `script.dataset.astroExec === ''` on line 138 can be bypassed because the attacker-controlled element does not have a data-astroExec attribute. Similarly, the check on line 134 can be bypassed as the element does not require a `type` attribute.\n\nFinally, the `innerHTML` of an attacker-injected non-script HTML elements, which is plain text content before, will be set to the `.innerHTML` of an script element that leads to XSS.\n\n\n### PoC\n\nConsider a web application using Astro as the framework with client-side routing enabled and allowing users to embed certain scriptless HTML elements (e.g., `form` or `iframe`). This can be done through a bunch of website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.\n\nFor PoC website, please refer to: `https://stackblitz.com/edit/github-4xgj2d`. Clicking the \"about\" button in the menu will trigger an `alert(1)` from an attacker-injected `form` element.\n\n```\n---\nimport Header from \"../components/Header.astro\";\nimport Footer from \"../components/Footer.astro\";\nimport { ViewTransitions } from \"astro:transitions\";\nimport \"../styles/global.css\";\nconst { pageTitle } = Astro.props;\n---\n<html lang=\"en\">\n <head>\n <meta charset=\"utf-8\" />\n <link rel=\"icon\" type=\"image/svg+xml\" href=\"/favicon.svg\" />\n <meta name=\"viewport\" content=\"width=device-width\" />\n <meta name=\"generator\" content={Astro.generator} />\n <title>{pageTitle}</title>\n <ViewTransitions />\n </head>\n <body>\n <!--USER INPUT-->\n <iframe name=\"scripts\">alert(1)</iframe>\n <iframe name=\"scripts\">alert(1)</iframe>\n <!--USER INPUT-->\n \n <Header />\n <h1>{pageTitle}</h1>\n <slot />\n <Footer />\n <script>\n import \"../scripts/menu.js\";\n </script>\n </body>\n</html>\n```\n\n### Impact\n\nThis vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with `ViewTransitions` and store the user-inserted scriptless HTML tags without properly sanitizing the `name` attributes on the page.\n\n### Patch\n\nWe recommend replacing `document.scripts` with `document.getElementsByTagName('script')` for referring to script elements. This will mitigate the possibility of DOM Clobbering attacks leveraging the `name` attribute.\n\n### Reference\n\nSimilar issues for reference:\n+ Webpack ([CVE-2024-43788](https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986))\n+ Vite ([CVE-2024-45812](https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3))\n+ layui ([CVE-2024-47075](https://github.com/layui/layui/security/advisories/GHSA-j827-6rgf-9629))\n",
	`10`	+ "details": "### Summary\n\nA DOM Clobbering gadget has been discoverd in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has stored attacker-controlled scriptless HTML elements (i.e., `iframe` tags with unsanitized `name` attributes) on the destination pages.\n\n### Details\n\n#### Backgrounds\n\nDOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:\n\n[1] https://scnps.co/papers/sp23_domclob.pdf\n[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/\n\n\n#### Gadgets found in Astro\n\nWe identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the `<ViewTransitions />` component. When integrated, this component introduces the following vulnerable code, which is executed during page transitions (e.g., clicking an `<a>` link):\n\nhttps://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156\n\nHowever, this implementation is vulnerable to a DOM Clobbering attack. The `document.scripts` lookup can be shadowed by an attacker injected non-script HTML elements (e.g., `<img name=\"scripts\"><img name=\"scripts\">`) via the browser's named DOM access mechanism. This manipulation allows an attacker to replace the intended script elements with an array of attacker-controlled scriptless HTML elements. \n\nThe condition `script.dataset.astroExec === ''` on line 138 can be bypassed because the attacker-controlled element does not have a data-astroExec attribute. Similarly, the check on line 134 can be bypassed as the element does not require a `type` attribute.\n\nFinally, the `innerHTML` of an attacker-injected non-script HTML elements, which is plain text content before, will be set to the `.innerHTML` of an script element that leads to XSS.\n\n\n### PoC\n\nConsider a web application using Astro as the framework with client-side routing enabled and allowing users to embed certain scriptless HTML elements (e.g., `form` or `iframe`). This can be done through a bunch of website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.\n\nFor PoC website, please refer to: `https://stackblitz.com/edit/github-4xgj2d`. Clicking the \"about\" button in the menu will trigger an `alert(1)` from an attacker-injected `form` element.\n\n```\n---\nimport Header from \"../components/Header.astro\";\nimport Footer from \"../components/Footer.astro\";\nimport { ViewTransitions } from \"astro:transitions\";\nimport \"../styles/global.css\";\nconst { pageTitle } = Astro.props;\n---\n<html lang=\"en\">\n <head>\n <meta charset=\"utf-8\" />\n <link rel=\"icon\" type=\"image/svg+xml\" href=\"/favicon.svg\" />\n <meta name=\"viewport\" content=\"width=device-width\" />\n <meta name=\"generator\" content={Astro.generator} />\n <title>{pageTitle}</title>\n <ViewTransitions />\n </head>\n <body>\n <!--USER INPUT-->\n <iframe name=\"scripts\">alert(1)</iframe>\n <iframe name=\"scripts\">alert(1)</iframe>\n <!--USER INPUT-->\n \n <Header />\n <h1>{pageTitle}</h1>\n <slot />\n <Footer />\n <script>\n import \"../scripts/menu.js\";\n </script>\n </body>\n</html>\n```\n\n### Impact\n\nThis vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with `ViewTransitions` and store the user-inserted scriptless HTML tags without properly sanitizing the `name` attributes on the page.\n\n### Patch\n\nWe recommend replacing `document.scripts` with `document.getElementsByTagName('script')` for referring to script elements. This will mitigate the possibility of DOM Clobbering attacks leveraging the `name` attribute.\n\n### Reference\n\nSimilar issues for reference:\n+ Webpack ([CVE-2024-43788](https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986))\n+ Vite ([CVE-2024-45812](https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3))\n+ layui ([CVE-2024-47075](https://github.com/layui/layui/security/advisories/GHSA-j827-6rgf-9629))",
`11`	`11`	`"severity": [`
`12`	`12`	`{`
`13`	`13`	`"type": "CVSS_V3",`
`@@ -32,10 +32,7 @@`
`32`	`32`	`}`
`33`	`33`	`]`
`34`	`34`	`}`
`35`		`- ],`
`36`		`- "database_specific": {`
`37`		`- "last_known_affected_version_range": "<= 4.16.0"`
`38`		`- }`
	`35`	`+ ]`
`39`	`36`	`}`
`40`	`37`	`],`
`41`	`38`	`"references": [`