Publish Advisories

GHSA-3v3q-fq2w-23r5
GHSA-4wvq-85hg-6256
GHSA-6pxh-4m7f-85qj
GHSA-fg22-jf8j-5mrr
GHSA-g668-5fqc-6qj6
GHSA-hvh2-99r5-r38q
GHSA-jr9h-pqhx-vmgq
GHSA-mhfg-pwjv-5jjq
GHSA-r7j2-9m2h-fq95
GHSA-v554-gp5g-23rq
GHSA-vrjm-xv6p-hpjc
GHSA-x6fh-7qmf-69xh

Author: advisory-database[bot]

advisories/unreviewed/2025/10/GHSA-3v3q-fq2w-23r5/GHSA-3v3q-fq2w-23r5.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3v3q-fq2w-23r5",
+  "modified": "2025-10-23T06:31:00Z",
+  "published": "2025-10-23T06:30:59Z",
+  "aliases": [
+    "CVE-2025-47699"
+  ],
+  "details": "Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho integration could allow an authenticated operator with limited site permissions to make critical changes to local Morpho devices. \n\nThis issue affects Command Centre Server:\n\n9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47699"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-47699"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-497"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-23T04:16:40Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-4wvq-85hg-6256/GHSA-4wvq-85hg-6256.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4wvq-85hg-6256",
+  "modified": "2025-10-23T06:31:00Z",
+  "published": "2025-10-23T06:31:00Z",
+  "aliases": [
+    "CVE-2025-54856"
+  ],
+  "details": "Movable Type contains a stored cross-site scripting vulnerability in Edit ContentData page. If crafted input is stored by an attacker with \"ContentType Management\" privilege, an arbitrary script may be executed on the web browser of the user who accesses Edit ContentData page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54856"
+    },
+    {
+      "type": "WEB",
+      "url": "https://jvn.jp/en/jp/JVN24333679"
+    },
+    {
+      "type": "WEB",
+      "url": "https://movabletype.org/news/2025/10/mt-880-released.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sixapart.jp/movabletype/news/2025/10/22-1055.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-23T05:15:32Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-6pxh-4m7f-85qj/GHSA-6pxh-4m7f-85qj.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6pxh-4m7f-85qj",
+  "modified": "2025-10-23T06:31:00Z",
+  "published": "2025-10-23T06:30:59Z",
+  "aliases": [
+    "CVE-2025-48428"
+  ],
+  "details": "Cleartext Storage of Sensitive Information (CWE-312) in the Gallagher Morpho integration could allow an authenticated user with access to the Command Centre Server to export a specific signing key while in use allowing them to deploy a compromised or counterfeit device on that site. \nThis issue affects Command Centre Server: 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48428"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-48428"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-312"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-23T04:16:40Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-fg22-jf8j-5mrr/GHSA-fg22-jf8j-5mrr.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fg22-jf8j-5mrr",
+  "modified": "2025-10-23T06:30:59Z",
+  "published": "2025-10-23T06:30:59Z",
+  "aliases": [
+    "CVE-2025-12104"
+  ],
+  "details": "Outdated and Vulnerable UI Dependencies might potentially lead to exploitation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12104"
+    },
+    {
+      "type": "WEB",
+      "url": "https://azure-access.com/security-advisories"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1104"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-23T04:15:52Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-g668-5fqc-6qj6/GHSA-g668-5fqc-6qj6.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g668-5fqc-6qj6",
+  "modified": "2025-10-23T06:31:00Z",
+  "published": "2025-10-23T06:31:00Z",
+  "aliases": [
+    "CVE-2025-61865"
+  ],
+  "details": "NarSuS App registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61865"
+    },
+    {
+      "type": "WEB",
+      "url": "https://jvn.jp/en/jp/JVN03295012"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.iodata.jp/support/information/2025/10_NarSuS_App"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-428"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-23T05:15:32Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-hvh2-99r5-r38q/GHSA-hvh2-99r5-r38q.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hvh2-99r5-r38q",
+  "modified": "2025-10-23T06:30:59Z",
+  "published": "2025-10-23T06:30:59Z",
+  "aliases": [
+    "CVE-2025-41402"
+  ],
+  "details": "Client-Side Enforcement of Server-Side Security (CWE-602) in the Command Centre Server allows a privileged operator to enter invalid competency data, bypassing expiry checks. \n\nThis issue affects Command Centre Server: \n\n 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), all versions of 9.00 and prior.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41402"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-41402"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-602"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-23T04:16:40Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-jr9h-pqhx-vmgq/GHSA-jr9h-pqhx-vmgq.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jr9h-pqhx-vmgq",
+  "modified": "2025-10-23T06:30:59Z",
+  "published": "2025-10-23T06:30:59Z",
+  "aliases": [
+    "CVE-2025-35981"
+  ],
+  "details": "Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) in the Command Centre Server allows a privileged Operator to view limited personal data about a Cardholder they would not normally have permissions to view. \n\nThis issue affects Command Centre Server: 9.30.1874 (MR1), 9.20.2337 (MR3), 9.10.3194 (MR6).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35981"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-35981"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-359"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-23T04:16:39Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-mhfg-pwjv-5jjq/GHSA-mhfg-pwjv-5jjq.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mhfg-pwjv-5jjq",
+  "modified": "2025-10-23T06:31:00Z",
+  "published": "2025-10-23T06:31:00Z",
+  "aliases": [
+    "CVE-2025-54806"
+  ],
+  "details": "GROWI v4.2.7 and earlier contains a cross-site scripting vulnerability  in the page alert function. If a user accesses a crafted URL while logged in to the affected product, an arbitrary script may be executed on the user's web browser.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54806"
+    },
+    {
+      "type": "WEB",
+      "url": "https://growi.co.jp/news/38"
+    },
+    {
+      "type": "WEB",
+      "url": "https://jvn.jp/en/jp/JVN46526244"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-23T05:15:32Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-r7j2-9m2h-fq95/GHSA-r7j2-9m2h-fq95.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-r7j2-9m2h-fq95",
+  "modified": "2025-10-23T06:31:00Z",
+  "published": "2025-10-23T06:31:00Z",
+  "aliases": [
+    "CVE-2025-62813"
+  ],
+  "details": "LZ4 through 1.10.0 allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact when the application processes untrusted LZ4 frames. For example, LZ4F_createCDict_advanced in lib/lz4frame.c mishandles NULL checks.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62813"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lz4/lz4/pull/1593"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-158"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-23T04:17:26Z"
+  }
+}