From c9cddee40bf038f14ea264bd85a7f20ee6137871 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Mon, 12 May 2025 06:31:44 +0000
Subject: [PATCH] Publish Advisories GHSA-6gj4-63c6-7cg5 GHSA-8jr2-2fw4-33vm GHSA-f7g9-mhw7-w4wj GHSA-hhrx-pjm2-54m9 GHSA-qg79-8fm6-f6qw
---
 .../GHSA-6gj4-63c6-7cg5.json | 44 +++++++++++++++++++
 .../GHSA-8jr2-2fw4-33vm.json | 44 +++++++++++++++++++
 .../GHSA-f7g9-mhw7-w4wj.json | 29 ++++++++++++
 .../GHSA-hhrx-pjm2-54m9.json | 29 ++++++++++++
 .../GHSA-qg79-8fm6-f6qw.json | 6 ++-
 5 files changed, 151 insertions(+), 1 deletion(-)
 create mode 100644 advisories/unreviewed/2025/05/GHSA-6gj4-63c6-7cg5/GHSA-6gj4-63c6-7cg5.json
 create mode 100644 advisories/unreviewed/2025/05/GHSA-8jr2-2fw4-33vm/GHSA-8jr2-2fw4-33vm.json
 create mode 100644 advisories/unreviewed/2025/05/GHSA-f7g9-mhw7-w4wj/GHSA-f7g9-mhw7-w4wj.json
 create mode 100644 advisories/unreviewed/2025/05/GHSA-hhrx-pjm2-54m9/GHSA-hhrx-pjm2-54m9.json
diff --git a/advisories/unreviewed/2025/05/GHSA-6gj4-63c6-7cg5/GHSA-6gj4-63c6-7cg5.json b/advisories/unreviewed/2025/05/GHSA-6gj4-63c6-7cg5/GHSA-6gj4-63c6-7cg5.json
new file mode 100644
index 00000000000..7c9e22b6a76
--- /dev/null
+++ b/advisories/unreviewed/2025/05/GHSA-6gj4-63c6-7cg5/GHSA-6gj4-63c6-7cg5.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6gj4-63c6-7cg5",
+ "modified": "2025-05-12T06:30:32Z",
+ "published": "2025-05-12T06:30:32Z",
+ "aliases": [
+ "CVE-2025-4558"
+ ],
+ "details": "The GPM from WormHole Tech has an Unverified Password Change vulnerability, allowing unauthenticated remote attackers to change any user's password and use the modified password to log into the system.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4558"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-10115-f5f14-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-10114-10b4b-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-620"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-05-12T04:15:35Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/05/GHSA-8jr2-2fw4-33vm/GHSA-8jr2-2fw4-33vm.json b/advisories/unreviewed/2025/05/GHSA-8jr2-2fw4-33vm/GHSA-8jr2-2fw4-33vm.json
new file mode 100644
index 00000000000..40518a93a15
--- /dev/null
+++ b/advisories/unreviewed/2025/05/GHSA-8jr2-2fw4-33vm/GHSA-8jr2-2fw4-33vm.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8jr2-2fw4-33vm",
+ "modified": "2025-05-12T06:30:32Z",
+ "published": "2025-05-12T06:30:32Z",
+ "aliases": [
+ "CVE-2025-4559"
+ ],
+ "details": "The ISOinsight from Netvision has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4559"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-10117-57344-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-10116-784e0-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-05-12T06:15:40Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/05/GHSA-f7g9-mhw7-w4wj/GHSA-f7g9-mhw7-w4wj.json b/advisories/unreviewed/2025/05/GHSA-f7g9-mhw7-w4wj/GHSA-f7g9-mhw7-w4wj.json
new file mode 100644
index 00000000000..3209a20773d
--- /dev/null
+++ b/advisories/unreviewed/2025/05/GHSA-f7g9-mhw7-w4wj/GHSA-f7g9-mhw7-w4wj.json
@@ -0,0 +1,29 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f7g9-mhw7-w4wj",
+ "modified": "2025-05-12T06:30:32Z",
+ "published": "2025-05-12T06:30:32Z",
+ "aliases": [
+ "CVE-2025-3649"
+ ],
+ "details": "The LightPress Lightbox WordPress plugin before 2.3.4 does not check download links point to valid, non-Javascript URLs, allowing users with at least the contributor role to conduct Stored XSS attacks.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3649"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/37fb7f3b-1766-4c2c-9b78-f77f15a04476"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-05-12T06:15:40Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/05/GHSA-hhrx-pjm2-54m9/GHSA-hhrx-pjm2-54m9.json b/advisories/unreviewed/2025/05/GHSA-hhrx-pjm2-54m9/GHSA-hhrx-pjm2-54m9.json
new file mode 100644
index 00000000000..9ee99dddbe2
--- /dev/null
+++ b/advisories/unreviewed/2025/05/GHSA-hhrx-pjm2-54m9/GHSA-hhrx-pjm2-54m9.json
@@ -0,0 +1,29 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hhrx-pjm2-54m9",
+ "modified": "2025-05-12T06:30:32Z",
+ "published": "2025-05-12T06:30:32Z",
+ "aliases": [
+ "CVE-2025-3597"
+ ],
+ "details": "The Firelight Lightbox WordPress plugin before 2.3.15 does not prevent users with post writing capabilities from executing arbitrary Javascript when the jQuery Metadata library is enabled. While this feature is meant to only be available to Pro version users, it can be activated in the free version too, making it theoretically exploitable there as well.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3597"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/8bf5e107-6397-4946-aaee-bf61d3e2dffd"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-05-12T06:15:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/05/GHSA-qg79-8fm6-f6qw/GHSA-qg79-8fm6-f6qw.json b/advisories/unreviewed/2025/05/GHSA-qg79-8fm6-f6qw/GHSA-qg79-8fm6-f6qw.json
index 00070b9a09d..170ecb9d50a 100644
--- a/advisories/unreviewed/2025/05/GHSA-qg79-8fm6-f6qw/GHSA-qg79-8fm6-f6qw.json
+++ b/advisories/unreviewed/2025/05/GHSA-qg79-8fm6-f6qw/GHSA-qg79-8fm6-f6qw.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qg79-8fm6-f6qw",
- "modified": "2025-05-12T03:30:26Z",
+ "modified": "2025-05-12T06:30:32Z",
 "published": "2025-05-12T03:30:26Z",
 "aliases": [
 "CVE-2025-4557"
@@ -11,6 +11,10 @@
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
 }
 ],
 "affected": [],