Publish Advisories

GHSA-2h5q-w7wv-63r9
GHSA-fc36-5gc3-jmhx
GHSA-g9vf-m9qr-pwpw
GHSA-h39j-jmch-w2w5
GHSA-h42r-cm34-m49j
GHSA-r6gm-832c-gjj8
GHSA-wq4c-57mh-5f7g

Author: advisory-database[bot]

advisories/unreviewed/2025/11/GHSA-2h5q-w7wv-63r9/GHSA-2h5q-w7wv-63r9.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2h5q-w7wv-63r9",
+  "modified": "2025-11-19T12:30:21Z",
+  "published": "2025-11-19T12:30:21Z",
+  "aliases": [
+    "CVE-2025-12472"
+  ],
+  "details": "An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance.\n\n\n\nLooker-hosted and Self-hosted were found to be vulnerable.\nThis issue has already been mitigated for Looker-hosted instances. No user action is required for these.\n\n\nSelf-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.\nThe versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page  https://download.looker.com/ :\n  *  24.12.103+\n  *  24.18.195+\n  *  25.0.72+\n  *  25.6.60+\n  *  25.8.42+\n  *  25.10.22+",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12472"
+    },
+    {
+      "type": "WEB",
+      "url": "https://cloud.google.com/support/bulletins#gcp-2025-052"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-362"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-19T11:15:44Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-fc36-5gc3-jmhx/GHSA-fc36-5gc3-jmhx.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fc36-5gc3-jmhx",
+  "modified": "2025-11-19T12:30:20Z",
+  "published": "2025-11-19T12:30:20Z",
+  "aliases": [
+    "CVE-2025-11230"
+  ],
+  "details": "Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11230"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-407"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-19T10:15:45Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-g9vf-m9qr-pwpw/GHSA-g9vf-m9qr-pwpw.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g9vf-m9qr-pwpw",
+  "modified": "2025-11-19T12:30:20Z",
+  "published": "2025-11-19T12:30:20Z",
+  "aliases": [
+    "CVE-2025-58412"
+  ],
+  "details": "A improper neutralization of script-related html tags in a web page (basic xss) vulnerability in Fortinet FortiADC 8.0.0, FortiADC 7.6.0 through 7.6.3, FortiADC 7.4 all versions, FortiADC 7.2 all versions may allow attacker to execute unauthorized code or commands via crafted URL.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58412"
+    },
+    {
+      "type": "WEB",
+      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-736"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-80"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-19T10:15:45Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-h39j-jmch-w2w5/GHSA-h39j-jmch-w2w5.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h39j-jmch-w2w5",
+  "modified": "2025-11-19T12:30:21Z",
+  "published": "2025-11-19T12:30:21Z",
+  "aliases": [
+    "CVE-2025-10437"
+  ],
+  "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eksagate Electronic Engineering and Computer Industry Trade Inc. Webpack Management System allows SQL Injection.This issue affects Webpack Management System: through 20251119.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10437"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.usom.gov.tr/bildirim/tr-25-0401"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-19T12:15:47Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-h42r-cm34-m49j/GHSA-h42r-cm34-m49j.json

@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h42r-cm34-m49j",
+  "modified": "2025-11-19T12:30:20Z",
+  "published": "2025-11-19T12:30:20Z",
+  "aliases": [
+    "CVE-2025-0351"
+  ],
+  "details": "Rejected reason: Voluntarily withdrawn",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0351"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-19T10:15:44Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-r6gm-832c-gjj8/GHSA-r6gm-832c-gjj8.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-r6gm-832c-gjj8",
+  "modified": "2025-11-19T12:30:21Z",
+  "published": "2025-11-19T12:30:21Z",
+  "aliases": [
+    "CVE-2025-13395"
+  ],
+  "details": "A security flaw has been discovered in codehub666 94list up to 5831c8240e99a72b7d3508c79ef46ae4b96befe8. The impacted element is the function Login of the file /function.php. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13395"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/codehub666/94list/issues/63"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/codehub666/94list/issues/63#issue-3607918945"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.332923"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.332923"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.692095"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-19T11:15:47Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-wq4c-57mh-5f7g/GHSA-wq4c-57mh-5f7g.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wq4c-57mh-5f7g",
+  "modified": "2025-11-19T12:30:21Z",
+  "published": "2025-11-19T12:30:21Z",
+  "aliases": [
+    "CVE-2025-64408"
+  ],
+  "details": "Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges. \n\nThis issue affects all current versions.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64408"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2025/11/19/1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-19T11:15:47Z"
+  }
+}