Publish Advisories

GHSA-28jp-44vh-q42h
GHSA-24hm-wm2h-h8w7
GHSA-3x39-62h4-f8j6
GHSA-4g87-9x45-cx2h
GHSA-5p82-2q3r-wj3m
GHSA-mp6x-97xj-9x62
GHSA-3x39-62h4-f8j6
GHSA-4g87-9x45-cx2h
GHSA-mp6x-97xj-9x62

Author: advisory-database[bot]

advisories/github-reviewed/2025/10/GHSA-28jp-44vh-q42h/GHSA-28jp-44vh-q42h.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-28jp-44vh-q42h",
-  "modified": "2025-10-31T17:39:47Z",
+  "modified": "2025-12-01T23:58:20Z",
   "published": "2025-10-30T18:31:10Z",
   "aliases": [
     "CVE-2025-12060"
@@ -55,6 +55,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/keras-team/keras"
+    },
+    {
+      "type": "WEB",
+      "url": "https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4"
     }
   ],
   "database_specific": {

…-24hm-wm2h-h8w7/GHSA-24hm-wm2h-h8w7.json …-24hm-wm2h-h8w7/GHSA-24hm-wm2h-h8w7.jsonadvisories/unreviewed/2025/11/GHSA-24hm-wm2h-h8w7/GHSA-24hm-wm2h-h8w7.json renamed to advisories/github-reviewed/2025/11/GHSA-24hm-wm2h-h8w7/GHSA-24hm-wm2h-h8w7.json advisories/unreviewed/2025/11/GHSA-24hm-wm2h-h8w7/GHSA-24hm-wm2h-h8w7.json renamed to advisories/github-reviewed/2025/11/GHSA-24hm-wm2h-h8w7/GHSA-24hm-wm2h-h8w7.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-24hm-wm2h-h8w7",
-  "modified": "2025-11-28T06:32:06Z",
+  "modified": "2025-12-01T23:57:53Z",
   "published": "2025-11-28T06:32:06Z",
   "aliases": [
     "CVE-2025-66371"
   ],
+  "summary": "Peppol-py is vulnerable to XXE attacks due to Saxon configuration",
   "details": "Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "peppol_py"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.1.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +44,14 @@
       "type": "WEB",
       "url": "https://github.com/iterasdev/peppol-py/pull/16"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/iterasdev/peppol-py/commit/349a4bff8adb6205ea411bac8d7a06da0477abd7"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/iterasdev/peppol-py"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/iterasdev/peppol-py/releases/tag/1.1.1"
@@ -33,8 +62,8 @@
       "CWE-611"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-01T23:57:53Z",
     "nvd_published_at": "2025-11-28T04:16:01Z"
   }
 }

advisories/github-reviewed/2025/11/GHSA-3x39-62h4-f8j6/GHSA-3x39-62h4-f8j6.json

@@ -0,0 +1,162 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3x39-62h4-f8j6",
+  "modified": "2025-12-01T23:56:56Z",
+  "published": "2025-11-27T18:30:25Z",
+  "aliases": [
+    "CVE-2025-12419"
+  ],
+  "summary": "Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication",
+  "details": "Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost/server/v8"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.0.0-20251028000919-d3ed703dc833"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.12.0"
+            },
+            {
+              "fixed": "10.12.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.11.5"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.5.0"
+            },
+            {
+              "fixed": "10.5.13"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "11.0.0"
+            },
+            {
+              "fixed": "11.0.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12419"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/pull/34296"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/15364790cc277cfaa372693d2d5442b87f70fd42"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/364c2203de00fe0d8424b6b46d6f0eeb02a2539a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/46b5c436bb3093cc1da3fa2455f93d4c52389eee"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/c3f4818afe46a7084740e809708ae22641c76d8d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/d3ed703dc8330684952eb8d49a375bac6ea7b0c6"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mattermost/mattermost"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287",
+      "CWE-303"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-01T23:56:55Z",
+    "nvd_published_at": "2025-11-27T16:15:46Z"
+  }
+}