Publish Advisories

GHSA-927w-vq5c-8gc3
GHSA-9m7r-g8hg-x3vr

Author: advisory-database[bot]

…-927w-vq5c-8gc3/GHSA-927w-vq5c-8gc3.json …-927w-vq5c-8gc3/GHSA-927w-vq5c-8gc3.jsonadvisories/unreviewed/2025/11/GHSA-927w-vq5c-8gc3/GHSA-927w-vq5c-8gc3.json renamed to advisories/github-reviewed/2025/11/GHSA-927w-vq5c-8gc3/GHSA-927w-vq5c-8gc3.json advisories/unreviewed/2025/11/GHSA-927w-vq5c-8gc3/GHSA-927w-vq5c-8gc3.json renamed to advisories/github-reviewed/2025/11/GHSA-927w-vq5c-8gc3/GHSA-927w-vq5c-8gc3.json

@@ -1,24 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-927w-vq5c-8gc3",
-  "modified": "2025-11-21T00:30:21Z",
+  "modified": "2025-11-21T18:06:38Z",
   "published": "2025-11-20T15:30:23Z",
   "aliases": [
     "CVE-2025-60797"
   ],
+  "summary": "phppgadmin contains a SQL injection vulnerability",
   "details": "phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied SQL queries from the $_REQUEST['query'] parameter without any sanitization or parameterization via $data->conn->Execute($_REQUEST['query']). An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or privilege escalation.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "phppgadmin/phppgadmin"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "7.13.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60797"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/phppgadmin/phppgadmin"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/phppgadmin/phppgadmin/blob/master/dataexport.php#L118"
@@ -33,8 +58,8 @@
       "CWE-89"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-21T18:06:38Z",
     "nvd_published_at": "2025-11-20T15:17:38Z"
   }
 }

advisories/github-reviewed/2025/11/GHSA-9m7r-g8hg-x3vr/GHSA-9m7r-g8hg-x3vr.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9m7r-g8hg-x3vr",
+  "modified": "2025-11-21T18:06:00Z",
+  "published": "2025-11-21T18:06:00Z",
+  "aliases": [
+    "CVE-2025-65111"
+  ],
+  "summary": "SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results",
+  "details": "### Impact\n\nIf a schema includes the following characteristics:\n\n1. Permission defined in terms of a union (`+`)\n1. That union references the same relation on both sides, but one side arrows to a different permission\n\nThen you might have missing `LookupResources` results when checking the permission. This only affects `LookupResources`; other APIs calculate permissionship correctly.\n\nA small concrete example:\n\n```\nrelation doer_of_things: user | group#member\npermission do_the_thing = doer_of_things + doer_of_things->admin\n```\n\nA CheckPermission on `do_the_thing` will return the correct permissionship, but a LookupResources on `do_the_thing` may miss resources.\n\n#### A Comprehensive Example\n\nIf you have a schema with a structure like this:\n\n```\ndefinition special_user {}\n\ndefinition user {\n  relation special_user_mapping: special_user\n  permission special_user = special_user_mapping\n}\ndefinition group {\n   relation member: user\n   permission membership = member + member->special_user\n}\n\ndefinition system {\n  relation viewer: user | group#membership\n  // This is the problematic permission\n  permission view = viewer + viewer->special_user\n}\n```\n\nAnd these relationships:\n```\nsystem:somesystem#viewer@group:somegroup#membership\ngroup:somegroup#member@user:someuser1\nuser:someuser1#special_user_mapping@special_user:specialuser\n```\n\nAnd you call LookupResources with:\n```\nsubject_type: user\nsubject_id: someuser1\npermission: view\nresource_type: system\n```\n\nYou would expect to receive `system:somesystem` in the results, but you do not.\n\nNote that this only applies to `LookupResources`; if you `CheckPermission` for that resource specifically, it will return `HasPermission`.\n\n### Patches\n\nThe issue is fixed in v1.47.1. Upgrading to this version will remediate this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/authzed/spicedb"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.47.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-9m7r-g8hg-x3vr"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/authzed/spicedb/commit/8c2edbe1e7bd3851fa2138f4cc344bfde986dcf2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/authzed/spicedb"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-277"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-21T18:06:00Z",
+    "nvd_published_at": null
+  }
+}