Publish Advisories

GHSA-2cg7-8m86-p9r3
GHSA-33g9-x8rg-2pmj
GHSA-3ghv-qqmp-p6c4
GHSA-4pr9-79mg-ghjx
GHSA-5ww9-v6r8-v66v
GHSA-7859-g5cr-ff44
GHSA-7x49-43rq-5f5c
GHSA-g7h3-4rff-4p2h
GHSA-hpr3-4vvq-fj8x
GHSA-hr8g-j9j3-47h8
GHSA-j96f-82pq-xhgw
GHSA-mvpq-6rgj-x5xq
GHSA-q4vr-qfhc-8wp3
GHSA-rfx4-qxj5-wp67

Author: advisory-database[bot]

advisories/unreviewed/2025/11/GHSA-2cg7-8m86-p9r3/GHSA-2cg7-8m86-p9r3.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2cg7-8m86-p9r3",
+  "modified": "2025-11-11T09:30:30Z",
+  "published": "2025-11-11T09:30:30Z",
+  "aliases": [
+    "CVE-2025-6571"
+  ],
+  "details": "A 3rd-party component exposed its password in process arguments, allowing for low-privileged users to access it.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6571"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.axis.com/dam/public/1f/f8/f0/cve-2025-6571pdf-en-US-504216.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-522"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-11T07:15:35Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-33g9-x8rg-2pmj/GHSA-33g9-x8rg-2pmj.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-33g9-x8rg-2pmj",
+  "modified": "2025-11-11T09:30:30Z",
+  "published": "2025-11-11T09:30:30Z",
+  "aliases": [
+    "CVE-2025-6779"
+  ],
+  "details": "An ACAP configuration file has improper permissions, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6779"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.axis.com/dam/public/92/9a/13/cve-2025-6779pdf-en-US-504217.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-732"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-11T07:15:35Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-3ghv-qqmp-p6c4/GHSA-3ghv-qqmp-p6c4.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3ghv-qqmp-p6c4",
+  "modified": "2025-11-11T09:30:31Z",
+  "published": "2025-11-11T09:30:31Z",
+  "aliases": [
+    "CVE-2025-9524"
+  ],
+  "details": "The VAPIX API port.cgi did not have sufficient input validation, which may result in process crashes and impact usability. This vulnerability can only be exploited after authenticating with a viewer- operator- or administrator-privileged service account.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9524"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.axis.com/dam/public/f1/f0/1e/cve-2025-9524pdf-en-US-504220.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-11T08:15:35Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-4pr9-79mg-ghjx/GHSA-4pr9-79mg-ghjx.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4pr9-79mg-ghjx",
+  "modified": "2025-11-11T09:30:30Z",
+  "published": "2025-11-11T09:30:30Z",
+  "aliases": [
+    "CVE-2025-6298"
+  ],
+  "details": "ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6298"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.axis.com/dam/public/ef/91/c3/cve-2025-6298pdf-en-US-504215.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-11T07:15:35Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-5ww9-v6r8-v66v/GHSA-5ww9-v6r8-v66v.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5ww9-v6r8-v66v",
+  "modified": "2025-11-11T09:30:30Z",
+  "published": "2025-11-11T09:30:30Z",
+  "aliases": [
+    "CVE-2025-5452"
+  ],
+  "details": "A malicious ACAP application can gain access to admin-level service account credentials used by legitimate ACAP applications, leading to potential privilege escalation of the malicious ACAP application. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5452"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.axis.com/dam/public/39/ba/8b/cve-2025-5452pdf-en-US-504212.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-214"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-11T07:15:34Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-7859-g5cr-ff44/GHSA-7859-g5cr-ff44.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7859-g5cr-ff44",
+  "modified": "2025-11-11T09:30:30Z",
+  "published": "2025-11-11T09:30:30Z",
+  "aliases": [
+    "CVE-2025-5454"
+  ],
+  "details": "An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5454"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.axis.com/dam/public/48/ab/82/cve-2025-5454pdf-en-US-504213.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-35"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-11T07:15:34Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-7x49-43rq-5f5c/GHSA-7x49-43rq-5f5c.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7x49-43rq-5f5c",
+  "modified": "2025-11-11T09:30:30Z",
+  "published": "2025-11-11T09:30:30Z",
+  "aliases": [
+    "CVE-2025-4645"
+  ],
+  "details": "An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4645"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.axis.com/dam/public/69/47/ff/cve-2025-4645pdf-en-US-504211.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-11T07:15:33Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-g7h3-4rff-4p2h/GHSA-g7h3-4rff-4p2h.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g7h3-4rff-4p2h",
+  "modified": "2025-11-11T09:30:30Z",
+  "published": "2025-11-11T09:30:30Z",
+  "aliases": [
+    "CVE-2025-8108"
+  ],
+  "details": "An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8108"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.axis.com/dam/public/38/20/aa/cve-2025-8108pdf-en-US-504218.pdf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-732"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-11T07:15:36Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-hpr3-4vvq-fj8x/GHSA-hpr3-4vvq-fj8x.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hpr3-4vvq-fj8x",
+  "modified": "2025-11-11T09:30:30Z",
+  "published": "2025-11-11T09:30:30Z",
+  "aliases": [
+    "CVE-2025-5317"
+  ],
+  "details": "An improper access restriction to a folder in Bitdefender Endpoint Security Tools for Mac (BEST) before 7.20.52.200087 allows local users with administrative privileges to bypass the configured uninstall password protection. An unauthorized user with sudo privileges can manually remove the application directory (/Applications/Endpoint Security for Mac.app/) and the related directories within /Library/Bitdefender/AVP without needing the uninstall password.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5317"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.bitdefender.com/support/security-advisories/improper-access-restriction-to-critical-folder-in-bitdefender-endpoint-security-tools-for-mac"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-11T08:15:34Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-hr8g-j9j3-47h8/GHSA-hr8g-j9j3-47h8.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hr8g-j9j3-47h8",
+  "modified": "2025-11-11T09:30:31Z",
+  "published": "2025-11-11T09:30:30Z",
+  "aliases": [
+    "CVE-2025-7429"
+  ],
+  "details": "Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Mails Deleted or Moved report.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7429"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-7429.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-11T08:15:34Z"
+  }
+}