Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit e7969c6c94f5 · 2025-11-03T21:07:53.000Z
GHSA-p9p4-97g9-wcrh GHSA-xf7m-v66q-76w8 GHSA-xf7m-v66q-76w8
diff --git a/advisories/github-reviewed/2022/06/GHSA-p9p4-97g9-wcrh/GHSA-p9p4-97g9-wcrh.json b/advisories/github-reviewed/2022/06/GHSA-p9p4-97g9-wcrh/GHSA-p9p4-97g9-wcrh.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-p9p4-97g9-wcrh",
-  "modified": "2022-06-03T22:19:23Z",
+  "modified": "2025-11-03T21:05:45Z",
   "published": "2022-06-03T22:19:23Z",
   "aliases": [
     "CVE-2022-31023"
   ],
   "summary": "Dev error stack trace leaking into prod in Play Framework",
-  "details": "### Impact\n\nPlay Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler.  Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application.\n\nIn particular the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value.\n\n### Patches\n\nThis is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior.\n\n### Workarounds\n\nWhen constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play's `BuiltInComponents`. Ensure that your application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.\n\n### References\nhttps://www.playframework.com/documentation/2.8.x/ScalaErrorHandling#Supplying-a-custom-error-handler\nhttps://www.playframework.com/documentation/2.8.x/JavaErrorHandling#Supplying-a-custom-error-handler\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [playframework/playframework](https://github.com/playframework/playframework/)\n* Email us at [example email address](mailto:example@example.com)\n",
+  "details": "### Impact\n\nPlay Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler.  Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application.\n\nIn particular the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value.\n\n### Patches\n\nThis is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior.\n\n### Workarounds\n\nWhen constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play's `BuiltInComponents`. Ensure that your application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.\n\n### References\nhttps://www.playframework.com/documentation/2.8.x/ScalaErrorHandling#Supplying-a-custom-error-handler\nhttps://www.playframework.com/documentation/2.8.x/JavaErrorHandling#Supplying-a-custom-error-handler\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [playframework/playframework](https://github.com/playframework/playframework/)\n* Email us at [security@playframework.com](mailto:security@playframework.com)",
   "severity": [
     {
       "type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2025/11/GHSA-xf7m-v66q-76w8/GHSA-xf7m-v66q-76w8.json b/advisories/github-reviewed/2025/11/GHSA-xf7m-v66q-76w8/GHSA-xf7m-v66q-76w8.json
@@ -0,0 +1,73 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xf7m-v66q-76w8",
+  "modified": "2025-11-03T21:06:57Z",
+  "published": "2025-11-01T03:30:24Z",
+  "aliases": [
+    "CVE-2025-62275"
+  ],
+  "summary": "Liferay Portal and DXP do not check permissions of images in a blog entry",
+  "details": "Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via crafted URL.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.liferay:com.liferay.blogs.item.selector.web"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.0.19"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62275"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/9856c55bcbb3b8ce1276117709b9c0082a19c62c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/e0ae29cfdb8d10a6fddc56d04ca3ae88c3fbc7f3"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/liferay/liferay-portal"
+    },
+    {
+      "type": "WEB",
+      "url": "https://liferay.atlassian.net/browse/LPE-17948"
+    },
+    {
+      "type": "WEB",
+      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62275"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-03T21:06:57Z",
+    "nvd_published_at": "2025-11-01T03:15:31Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-xf7m-v66q-76w8/GHSA-xf7m-v66q-76w8.json b/advisories/unreviewed/2025/11/GHSA-xf7m-v66q-76w8/GHSA-xf7m-v66q-76w8.json
