Advisory Database Sync

Author: advisory-database[bot]

advisories/github-reviewed/2025/12/GHSA-2m4f-cg75-76w2/GHSA-2m4f-cg75-76w2.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2m4f-cg75-76w2",
+  "modified": "2025-12-08T21:30:39Z",
+  "published": "2025-12-08T21:30:39Z",
+  "aliases": [
+    "CVE-2025-66470"
+  ],
+  "summary": "NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content",
+  "details": "### Summary\nA Cross-Site Scripting (XSS) vulnerability exists in the `ui.interactive_image` component of NiceGUI (v3.3.1 and earlier). The component renders SVG content using Vue's `v-html` directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG `<foreignObject>` tag.\n\n### Details\nThe vulnerability is located in `nicegui/elements/interactive_image.js`.\nThe component uses the following code to render content:\n```javascript\n<g v-html=\"content\"></g>\n```\nVue's v-html directive renders raw HTML strings into the DOM. If an application allows user-controlled input to be passed to the content property of an interactive image, an attacker can embed a <foreignObject> tag containing malicious scripts, bypassing typical image restrictions.\n\n### PoC\n```python\nfrom nicegui import ui\n\[email protected]('/')\ndef main():\n    ui.label('NiceGUI SVG XSS PoC')\n    \n    # Standard image loading\n    img = ui.interactive_image('[https://picsum.photos/640/360](https://picsum.photos/640/360)')\n    \n    # Payload: Embeds raw HTML execution inside SVG\n    # This executes immediately when the image component is rendered\n    img.content = (\n        '<foreignObject>'\n        '<body xmlns=\"[http://www.w3.org/1999/xhtml](http://www.w3.org/1999/xhtml)\">'\n        '<img src=x onerror=alert(\"XSS-SVG\")>'\n        '</body>'\n        '</foreignObject>'\n    )\n\nui.run()\n```\n\n### Impact\n- Type: Reflected / Stored XSS (depending on data source)\n\n- Severity: Moderate\n\n- Impact: Attackers can inject malicious scripts that execute whenever the image component is rendered or updated. This is particularly dangerous for dashboards or multi-user applications displaying user-generated content or annotations.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "nicegui"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.4.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.3.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-2m4f-cg75-76w2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zauberzeug/nicegui/commit/58ad0b36e19922de16bbc79ea3ddd29851b1a3e3"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/zauberzeug/nicegui"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-08T21:30:39Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2025/12/GHSA-72qc-wxch-74mg/GHSA-72qc-wxch-74mg.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-72qc-wxch-74mg",
+  "modified": "2025-12-08T21:30:20Z",
+  "published": "2025-12-08T21:30:20Z",
+  "aliases": [
+    "CVE-2025-66469"
+  ],
+  "summary": "NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection",
+  "details": "### Summary\nA Cross-Site Scripting (XSS) vulnerability exists in `ui.add_css`, `ui.add_scss`, and `ui.add_sass` functions in NiceGUI (v3.3.1 and earlier).\n\nThese functions allow developers to inject styles dynamically. However, they lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended `<style>` or `<script>` tags by injecting closing tags (e.g., `</style>` or `</script>`), allowing for the execution of arbitrary JavaScript.\n\n### Details\nThe vulnerability stems from how these functions inject content into the DOM using `client.run_javascript` (or `add_head_html` internally) without sufficient escaping for the transport layer.\n\n* **`ui.add_css`**: Injects content into a `<style>` tag. Input containing `</style>` closes the tag prematurely, allowing subsequent HTML/JS injection.\n* **`ui.add_scss` / `ui.add_sass`**: These rely on client-side compilation within `<script>` tags. Input containing `</script>` breaks the execution context, allowing XSS.\n\n### PoC\n**Scenario:** A developer allows users to customize a theme color via a URL parameter.\n\n```python\nfrom nicegui import ui\n\[email protected]('/')\ndef main(color: str = 'blue'):\n    # Vulnerable implementation of dynamic theming\n    ui.add_css(f'.q-btn {{ background-color: {color} !important; }}')\n    ui.button('Click Me')\n\nui.run(port=8082)\n```\n**Attack Vector:**\nAccessing the following URL executes arbitrary JavaScript:\n`http://localhost:8082/?color=red;}</style><img src=x onerror=alert(document.domain)><style>`\n\n### Impact\n* **Type:** Reflected XSS\n* **Severity:** Moderate \n* **Affected Components:** Applications using `ui.add_css`, `ui.add_scss`, or `ui.add_sass` with untrusted input (e.g., dynamic theming based on user input).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "nicegui"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.4.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.3.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zauberzeug/nicegui/commit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/zauberzeug/nicegui"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-08T21:30:20Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2025/12/GHSA-9v8j-x534-2fx3/GHSA-9v8j-x534-2fx3.json

@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9v8j-x534-2fx3",
+  "modified": "2025-12-08T21:30:56Z",
+  "published": "2025-12-08T21:30:56Z",
+  "aliases": [
+    "CVE-2025-66567"
+  ],
+  "summary": "Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)",
+  "details": "### Summary\n\nRuby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. The vulnerability does not affect the version 1.18.0.\n\n### Impact\nThat allows an attacker to be able to execute a Signature Wrapping attack and bypass the authentication",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "ruby-saml"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.18.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/SAML-Toolkits/ruby-saml"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-754f-8gm6-c4r2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-347"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-08T21:30:56Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2025/12/GHSA-wpqc-h9wp-chmq/GHSA-wpqc-h9wp-chmq.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wpqc-h9wp-chmq",
+  "modified": "2025-12-08T21:30:07Z",
+  "published": "2025-12-08T21:30:07Z",
+  "aliases": [
+    "CVE-2025-65964"
+  ],
+  "summary": "n8n vulnerable to Remote Code Execution via Git Node Custom Pre-Commit Hook",
+  "details": "### Impact\n\nThe n8n Git node allows workflows to set arbitrary Git configuration values through the _Add Config_ operation. When an attacker-controlled workflow sets `core.hooksPath` to a directory within the cloned repository containing a Git hook such as `pre-commit`, Git executes that hook during subsequent Git operations. Because Git hooks run as local system commands, this behavior can lead to **arbitrary command execution** on the underlying n8n host.\n\nSuccessful exploitation requires the ability to create or modify an n8n workflow that uses the Git node.\n\nAffected versions: **≥ 0.123.1 and < 1.119.2**\n\n### Patches\n\nThis issue has been patched in **n8n version 1.119.2**.\n\nAll users running affected versions should upgrade to **1.119.2 or later**.\n\n### Workarounds\n\nIf upgrading is not immediately possible, the following mitigations can reduce exposure:\n\n- Exclude the Git node ([Docs](https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes)).\n- Avoid cloning or interacting with untrusted repositories using the Git Node.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "n8n"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.123.1"
+            },
+            {
+              "fixed": "1.119.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/n8n-io/n8n/commit/d5a1171f95f75def5c3ac577707ab913e22aef04"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/n8n-io/n8n"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-829"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-08T21:30:07Z",
+    "nvd_published_at": null
+  }
+}

advisories/unreviewed/2022/08/GHSA-45v7-mh84-5f9p/GHSA-45v7-mh84-5f9p.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-45v7-mh84-5f9p",
-  "modified": "2025-01-06T15:30:58Z",
+  "modified": "2025-12-08T21:30:17Z",
   "published": "2022-08-29T00:00:33Z",
   "aliases": [
     "CVE-2022-37055"
@@ -27,9 +27,17 @@
       "type": "WEB",
       "url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10308"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-37055"
+    },
     {
       "type": "WEB",
       "url": "https://www.dlink.com/en/security-bulletin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.fortiguard.com/outbreak-alert/d-link-multiple-devices-attack"
     }
   ],
   "database_specific": {

advisories/unreviewed/2024/11/GHSA-5x56-3552-fggh/GHSA-5x56-3552-fggh.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5x56-3552-fggh",
-  "modified": "2024-11-22T21:32:15Z",
+  "modified": "2025-12-08T21:30:17Z",
   "published": "2024-11-22T21:32:15Z",
   "aliases": [
     "CVE-2024-38647"
   ],
   "details": "An exposure of sensitive information vulnerability has been reported to affect QNAP AI Core. If exploited, the vulnerability could allow remote attackers to compromise the security of the system.\n\nWe have already fixed the vulnerability in the following version:\nQNAP AI Core 3.4.1 and later",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2024/11/GHSA-7r8m-5c4m-7j6c/GHSA-7r8m-5c4m-7j6c.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7r8m-5c4m-7j6c",
-  "modified": "2024-11-22T21:32:15Z",
+  "modified": "2025-12-08T21:30:17Z",
   "published": "2024-11-22T21:32:15Z",
   "aliases": [
     "CVE-2024-50395"
   ],
   "details": "An authorization bypass through user-controlled key vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow local network attackers to gain privilege.\n\nWe have already fixed the vulnerability in the following version:\nMedia Streaming add-on 500.1.1.6 ( 2024/08/02 ) and later",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2024/11/GHSA-9xq2-9jc3-2mjw/GHSA-9xq2-9jc3-2mjw.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9xq2-9jc3-2mjw",
-  "modified": "2024-11-22T21:32:15Z",
+  "modified": "2025-12-08T21:30:17Z",
   "published": "2024-11-22T21:32:15Z",
   "aliases": [
     "CVE-2024-48862"
   ],
   "details": "A link following vulnerability has been reported to affect QuLog Center. If exploited, the vulnerability could allow remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files.\n\nWe have already fixed the vulnerability in the following versions:\nQuLog Center 1.7.0.831 ( 2024/10/15 ) and later\nQuLog Center 1.8.0.888 ( 2024/10/15 ) and later",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2025/01/GHSA-6x53-588x-53g2/GHSA-6x53-588x-53g2.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6x53-588x-53g2",
-  "modified": "2025-11-03T21:32:04Z",
+  "modified": "2025-12-08T21:30:18Z",
   "published": "2025-01-07T12:31:02Z",
   "aliases": [
     "CVE-2024-12425"
   ],
   "details": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The Document Foundation LibreOffice allows Absolute Path Traversal.\n\n\n\n\nAn attacker can write to arbitrary locations, albeit suffixed with \".ttf\", by supplying a file in a format that supports embedded font files.\n\n\nThis issue affects LibreOffice: from 24.8 before < 24.8.4.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2025/01/GHSA-x7m8-vrfv-272v/GHSA-x7m8-vrfv-272v.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-x7m8-vrfv-272v",
-  "modified": "2025-11-03T21:32:04Z",
+  "modified": "2025-12-08T21:30:18Z",
   "published": "2025-01-07T15:31:46Z",
   "aliases": [
     "CVE-2024-12426"
   ],
   "details": "Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice.\n\n\n\n\nURLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links.\n\n\nThis issue affects LibreOffice: from 24.8 before < 24.8.4.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"