Publish Advisories

GHSA-6gj4-63c6-7cg5 GHSA-8jr2-2fw4-33vm GHSA-f7g9-mhw7-w4wj GHSA-hhrx-pjm2-54m9 GHSA-qg79-8fm6-f6qw
2026-05-22 18:04:22 -07:00 · 2025-05-12 06:31:44 +00:00
parent e8e6b66f15
commit c9cddee40b
5 changed files with 151 additions and 1 deletions
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6gj4-63c6-7cg5",
+  "modified": "2025-05-12T06:30:32Z",
+  "published": "2025-05-12T06:30:32Z",
+  "aliases": [
+    "CVE-2025-4558"
+  ],
+  "details": "The GPM from WormHole Tech has an Unverified Password Change vulnerability, allowing unauthenticated remote attackers to change any user's password and use the modified password to log into the system.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4558"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-10115-f5f14-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-10114-10b4b-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-620"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-05-12T04:15:35Z"
+  }
+}
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8jr2-2fw4-33vm",
+  "modified": "2025-05-12T06:30:32Z",
+  "published": "2025-05-12T06:30:32Z",
+  "aliases": [
+    "CVE-2025-4559"
+  ],
+  "details": "The ISOinsight from Netvision has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4559"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-10117-57344-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-10116-784e0-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-05-12T06:15:40Z"
+  }
+}
@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f7g9-mhw7-w4wj",
+  "modified": "2025-05-12T06:30:32Z",
+  "published": "2025-05-12T06:30:32Z",
+  "aliases": [
+    "CVE-2025-3649"
+  ],
+  "details": "The LightPress Lightbox WordPress plugin before 2.3.4 does not check download links point to valid, non-Javascript URLs, allowing users with at least the contributor role to conduct Stored XSS attacks.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3649"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/37fb7f3b-1766-4c2c-9b78-f77f15a04476"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-05-12T06:15:40Z"
+  }
+}
@@ -0,0 +1,29 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hhrx-pjm2-54m9",
+  "modified": "2025-05-12T06:30:32Z",
+  "published": "2025-05-12T06:30:32Z",
+  "aliases": [
+    "CVE-2025-3597"
+  ],
+  "details": "The Firelight Lightbox WordPress plugin before 2.3.15 does not prevent users with post writing capabilities from executing arbitrary Javascript when the jQuery Metadata library is enabled. While this feature is meant to only be available to Pro version users, it can be activated in the free version too, making it theoretically exploitable there as well.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3597"
+    },
+    {
+      "type": "WEB",
+      "url": "https://wpscan.com/vulnerability/8bf5e107-6397-4946-aaee-bf61d3e2dffd"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-05-12T06:15:39Z"
+  }
+}
@@ -1,7 +1,7 @@
 {
  "schema_version": "1.4.0",
  "id": "GHSA-qg79-8fm6-f6qw",
-  "modified": "2025-05-12T03:30:26Z",
+  "modified": "2025-05-12T06:30:32Z",
  "published": "2025-05-12T03:30:26Z",
  "aliases": [
    "CVE-2025-4557"
@@ -11,6 +11,10 @@
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
    }
  ],
  "affected": [],