diff --git a/advisories/unreviewed/2024/05/GHSA-4qq8-w3q5-56jf/GHSA-4qq8-w3q5-56jf.json b/advisories/unreviewed/2024/05/GHSA-4qq8-w3q5-56jf/GHSA-4qq8-w3q5-56jf.json
index ad13ff68a1a..cf65e956eb8 100644
--- a/advisories/unreviewed/2024/05/GHSA-4qq8-w3q5-56jf/GHSA-4qq8-w3q5-56jf.json
+++ b/advisories/unreviewed/2024/05/GHSA-4qq8-w3q5-56jf/GHSA-4qq8-w3q5-56jf.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4qq8-w3q5-56jf",
- "modified": "2024-08-15T18:31:43Z",
+ "modified": "2025-04-08T06:30:37Z",
 "published": "2024-05-31T06:30:28Z",
 "aliases": [
 "CVE-2024-36246"
@@ -26,6 +26,14 @@
 {
 "type": "WEB",
 "url": "https://www.yrl.com/fwp_support/info/khvu7f00000000q7.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.yrl.com/fwp_support/info/khvu7f00000007j8.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.yrl.com/fwp_support/info/khvu7f0000000auf.html"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2024/05/GHSA-w2mp-xqqj-8v36/GHSA-w2mp-xqqj-8v36.json b/advisories/unreviewed/2024/05/GHSA-w2mp-xqqj-8v36/GHSA-w2mp-xqqj-8v36.json
index d7ac590e1ad..ecc8b08bcbf 100644
--- a/advisories/unreviewed/2024/05/GHSA-w2mp-xqqj-8v36/GHSA-w2mp-xqqj-8v36.json
+++ b/advisories/unreviewed/2024/05/GHSA-w2mp-xqqj-8v36/GHSA-w2mp-xqqj-8v36.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-w2mp-xqqj-8v36",
- "modified": "2024-07-03T18:43:54Z",
+ "modified": "2025-04-08T06:30:36Z",
 "published": "2024-05-31T06:30:27Z",
 "aliases": [
 "CVE-2024-23847"
@@ -26,6 +26,14 @@
 {
 "type": "WEB",
 "url": "https://www.yrl.com/fwp_support/info/khvu7f00000000q7.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.yrl.com/fwp_support/info/khvu7f00000007j8.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.yrl.com/fwp_support/info/khvu7f0000000auf.html"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2025/03/GHSA-33fh-4pvq-9x35/GHSA-33fh-4pvq-9x35.json b/advisories/unreviewed/2025/03/GHSA-33fh-4pvq-9x35/GHSA-33fh-4pvq-9x35.json
index 3bbf0db3c06..c9e8c7b1e96 100644
--- a/advisories/unreviewed/2025/03/GHSA-33fh-4pvq-9x35/GHSA-33fh-4pvq-9x35.json
+++ b/advisories/unreviewed/2025/03/GHSA-33fh-4pvq-9x35/GHSA-33fh-4pvq-9x35.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-33fh-4pvq-9x35",
- "modified": "2025-04-08T03:32:36Z",
+ "modified": "2025-04-08T06:30:37Z",
 "published": "2025-03-18T18:30:50Z",
 "aliases": [
 "CVE-2025-2487"
@@ -19,6 +19,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2487"
 },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2025:3663"
+ },
 {
 "type": "WEB",
 "url": "https://access.redhat.com/errata/RHSA-2025:3670"
diff --git a/advisories/unreviewed/2025/04/GHSA-294x-x7jx-8864/GHSA-294x-x7jx-8864.json b/advisories/unreviewed/2025/04/GHSA-294x-x7jx-8864/GHSA-294x-x7jx-8864.json
new file mode 100644
index 00000000000..c3aa842d649
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-294x-x7jx-8864/GHSA-294x-x7jx-8864.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-294x-x7jx-8864",
+ "modified": "2025-04-08T06:30:40Z",
+ "published": "2025-04-08T06:30:40Z",
+ "aliases": [
+ "CVE-2025-0361"
+ ],
+ "details": "During an annual penetration test conducted on behalf of Axis Communications, Truesec discovered a flaw in the VAPIX Device Configuration framework that allowed for unauthenticated username enumeration through the VAPIX Device Configuration SSH Management API.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0361"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.axis.com/dam/public/f4/9b/13/cve-2025-0361pdf-en-US-474511.pdf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-203"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T06:15:44Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-355w-v9ph-gc4h/GHSA-355w-v9ph-gc4h.json b/advisories/unreviewed/2025/04/GHSA-355w-v9ph-gc4h/GHSA-355w-v9ph-gc4h.json
new file mode 100644
index 00000000000..c948f88787a
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-355w-v9ph-gc4h/GHSA-355w-v9ph-gc4h.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-355w-v9ph-gc4h",
+ "modified": "2025-04-08T06:30:39Z",
+ "published": "2025-04-08T06:30:39Z",
+ "aliases": [
+ "CVE-2025-20938"
+ ],
+ "details": "Improper access control in SamsungContacts prior to SMR Apr-2025 Release 1 allows local attackers to access protected data in SamsungContacts.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20938"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:38Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-369j-gmrm-fw78/GHSA-369j-gmrm-fw78.json b/advisories/unreviewed/2025/04/GHSA-369j-gmrm-fw78/GHSA-369j-gmrm-fw78.json
new file mode 100644
index 00000000000..736635f68f9
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-369j-gmrm-fw78/GHSA-369j-gmrm-fw78.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-369j-gmrm-fw78",
+ "modified": "2025-04-08T06:30:40Z",
+ "published": "2025-04-08T06:30:40Z",
+ "aliases": [
+ "CVE-2025-3413"
+ ],
+ "details": "A vulnerability has been found in opplus springboot-admin up to a2d5310f44fd46780a8686456cf2f9001ab8f024 and classified as critical. Affected by this vulnerability is the function code of the file SysGeneratorController.java. The manipulation of the argument Tables leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3413"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mapl3miss/Vul/blob/main/Vul.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.303691"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.303691"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.545374"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T06:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-535p-c89j-pqj5/GHSA-535p-c89j-pqj5.json b/advisories/unreviewed/2025/04/GHSA-535p-c89j-pqj5/GHSA-535p-c89j-pqj5.json
new file mode 100644
index 00000000000..b04481e8e8e
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-535p-c89j-pqj5/GHSA-535p-c89j-pqj5.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-535p-c89j-pqj5",
+ "modified": "2025-04-08T06:30:39Z",
+ "published": "2025-04-08T06:30:39Z",
+ "aliases": [
+ "CVE-2025-20945"
+ ],
+ "details": "Improper access control in Galaxy Watch prior to SMR Apr-2025 Release 1 allows local attackers to access sensitive information of Galaxy watch.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20945"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-53wr-h738-wq84/GHSA-53wr-h738-wq84.json b/advisories/unreviewed/2025/04/GHSA-53wr-h738-wq84/GHSA-53wr-h738-wq84.json
new file mode 100644
index 00000000000..abfdce180a2
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-53wr-h738-wq84/GHSA-53wr-h738-wq84.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-53wr-h738-wq84",
+ "modified": "2025-04-08T06:30:38Z",
+ "published": "2025-04-08T06:30:38Z",
+ "aliases": [
+ "CVE-2025-3407"
+ ],
+ "details": "A vulnerability was found in Nothings stb up to f056911. It has been declared as critical. Affected by this vulnerability is the function stbhw_build_tileset_from_image. The manipulation of the argument h_count/v_count leads to out-of-bounds read. The attack can be launched remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3407"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.303685"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.303685"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.544227"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T04:15:31Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-6853-8846-j885/GHSA-6853-8846-j885.json b/advisories/unreviewed/2025/04/GHSA-6853-8846-j885/GHSA-6853-8846-j885.json
new file mode 100644
index 00000000000..520bc334189
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-6853-8846-j885/GHSA-6853-8846-j885.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6853-8846-j885",
+ "modified": "2025-04-08T06:30:39Z",
+ "published": "2025-04-08T06:30:39Z",
+ "aliases": [
+ "CVE-2025-20935"
+ ],
+ "details": "Improper handling of insufficient permission or privileges in ClipboardService prior to SMR Apr-2025 Release 1 allows local attackers to access files with system privilege. User interaction is required for triggering this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20935"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:37Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-69p9-7943-9qhx/GHSA-69p9-7943-9qhx.json b/advisories/unreviewed/2025/04/GHSA-69p9-7943-9qhx/GHSA-69p9-7943-9qhx.json
new file mode 100644
index 00000000000..9dde72d2be0
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-69p9-7943-9qhx/GHSA-69p9-7943-9qhx.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-69p9-7943-9qhx",
+ "modified": "2025-04-08T06:30:40Z",
+ "published": "2025-04-08T06:30:40Z",
+ "aliases": [
+ "CVE-2025-3409"
+ ],
+ "details": "A vulnerability classified as critical has been found in Nothings stb up to f056911. This affects the function stb_include_string. The manipulation of the argument path_to_includes leads to stack-based buffer overflow. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3409"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.303687"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.303687"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.544231"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:40Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-69q6-wh98-33qx/GHSA-69q6-wh98-33qx.json b/advisories/unreviewed/2025/04/GHSA-69q6-wh98-33qx/GHSA-69q6-wh98-33qx.json
new file mode 100644
index 00000000000..dce8d68c39f
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-69q6-wh98-33qx/GHSA-69q6-wh98-33qx.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-69q6-wh98-33qx",
+ "modified": "2025-04-08T06:30:40Z",
+ "published": "2025-04-08T06:30:40Z",
+ "aliases": [
+ "CVE-2025-3412"
+ ],
+ "details": "A vulnerability, which was classified as critical, was found in mymagicpower AIAS 20250308. Affected is an unknown function of the file 2_training_platform/train-platform/src/main/java/top/aias/training/controller/InferController.java. The manipulation of the argument url leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3412"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Tr0e/CVE_Hunter/blob/main/AIAS/AIAS_SSRF2.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.303690"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.303690"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.544289"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T06:15:44Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-7249-98jq-4p25/GHSA-7249-98jq-4p25.json b/advisories/unreviewed/2025/04/GHSA-7249-98jq-4p25/GHSA-7249-98jq-4p25.json
new file mode 100644
index 00000000000..5dbd411af17
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-7249-98jq-4p25/GHSA-7249-98jq-4p25.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7249-98jq-4p25",
+ "modified": "2025-04-08T06:30:38Z",
+ "published": "2025-04-08T06:30:38Z",
+ "aliases": [
+ "CVE-2025-3406"
+ ],
+ "details": "A vulnerability was found in Nothings stb up to f056911. It has been classified as problematic. Affected is the function stbhw_build_tileset_from_image of the component Header Array Handler. The manipulation of the argument w leads to out-of-bounds read. It is possible to launch the attack remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3406"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.303684"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.303684"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.544226"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T04:15:31Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-85r7-qj2g-694p/GHSA-85r7-qj2g-694p.json b/advisories/unreviewed/2025/04/GHSA-85r7-qj2g-694p/GHSA-85r7-qj2g-694p.json
new file mode 100644
index 00000000000..7a08a4bf33d
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-85r7-qj2g-694p/GHSA-85r7-qj2g-694p.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-85r7-qj2g-694p",
+ "modified": "2025-04-08T06:30:39Z",
+ "published": "2025-04-08T06:30:39Z",
+ "aliases": [
+ "CVE-2025-20942"
+ ],
+ "details": "Improper Verification of Intent by Broadcast Receiver in DeviceIdService prior to SMR Apr-2025 Release 1 allows local attackers to reset OAID.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20942"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:38Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-95xh-x8h9-w4qm/GHSA-95xh-x8h9-w4qm.json b/advisories/unreviewed/2025/04/GHSA-95xh-x8h9-w4qm/GHSA-95xh-x8h9-w4qm.json
new file mode 100644
index 00000000000..f8f744667c6
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-95xh-x8h9-w4qm/GHSA-95xh-x8h9-w4qm.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-95xh-x8h9-w4qm",
+ "modified": "2025-04-08T06:30:40Z",
+ "published": "2025-04-08T06:30:40Z",
+ "aliases": [
+ "CVE-2025-20947"
+ ],
+ "details": "Improper handling of insufficient permission or privileges in ClipboardService prior to SMR Apr-2025 Release 1 allows local attackers to access image files across multiple users. User interaction is required for triggering this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20947"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-9p3c-x238-grgc/GHSA-9p3c-x238-grgc.json b/advisories/unreviewed/2025/04/GHSA-9p3c-x238-grgc/GHSA-9p3c-x238-grgc.json
new file mode 100644
index 00000000000..9211ed15000
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-9p3c-x238-grgc/GHSA-9p3c-x238-grgc.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9p3c-x238-grgc",
+ "modified": "2025-04-08T06:30:40Z",
+ "published": "2025-04-08T06:30:40Z",
+ "aliases": [
+ "CVE-2025-2004"
+ ],
+ "details": "The Simple WP Events plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpe_delete_file AJAX action in all versions up to, and including, 1.8.17. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2004"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/simple-wp-events/trunk/admin/includes/wp-events-export-events.php#L399"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/abdca93e-f68d-4a96-8bd7-443ee46ccb5a?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-73"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-9xpj-6p26-cwqj/GHSA-9xpj-6p26-cwqj.json b/advisories/unreviewed/2025/04/GHSA-9xpj-6p26-cwqj/GHSA-9xpj-6p26-cwqj.json
new file mode 100644
index 00000000000..a4a44320fe1
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-9xpj-6p26-cwqj/GHSA-9xpj-6p26-cwqj.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9xpj-6p26-cwqj",
+ "modified": "2025-04-08T06:30:40Z",
+ "published": "2025-04-08T06:30:39Z",
+ "aliases": [
+ "CVE-2025-20944"
+ ],
+ "details": "Out-of-bounds read in parsing audio data in libsavsac.so prior to SMR Apr-2025 Release 1 allows local attackers to read out-of-bounds memory.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20944"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:38Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-c8pp-hw6h-x368/GHSA-c8pp-hw6h-x368.json b/advisories/unreviewed/2025/04/GHSA-c8pp-hw6h-x368/GHSA-c8pp-hw6h-x368.json
new file mode 100644
index 00000000000..d50000d8c07
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-c8pp-hw6h-x368/GHSA-c8pp-hw6h-x368.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c8pp-hw6h-x368",
+ "modified": "2025-04-08T06:30:40Z",
+ "published": "2025-04-08T06:30:40Z",
+ "aliases": [
+ "CVE-2025-20946"
+ ],
+ "details": "Improper handling of exceptional conditions in pairing specific bluetooth devices in Galaxy Watch Bluetooth pairing prior to SMR Apr-2025 Release 1 allows local attackers to pair with specific bluetooth devices without user interaction.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20946"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-f2pr-mh68-xp6p/GHSA-f2pr-mh68-xp6p.json b/advisories/unreviewed/2025/04/GHSA-f2pr-mh68-xp6p/GHSA-f2pr-mh68-xp6p.json
new file mode 100644
index 00000000000..a0988b2a607
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-f2pr-mh68-xp6p/GHSA-f2pr-mh68-xp6p.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f2pr-mh68-xp6p",
+ "modified": "2025-04-08T06:30:39Z",
+ "published": "2025-04-08T06:30:39Z",
+ "aliases": [
+ "CVE-2025-20943"
+ ],
+ "details": "Out-of-bounds write in secfr trustlet prior to SMR Apr-2025 Release 1 allows local privileged attackers to cause memory corruption.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20943"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:38Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-f59c-7r8p-q47f/GHSA-f59c-7r8p-q47f.json b/advisories/unreviewed/2025/04/GHSA-f59c-7r8p-q47f/GHSA-f59c-7r8p-q47f.json
new file mode 100644
index 00000000000..fa37bf6d265
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-f59c-7r8p-q47f/GHSA-f59c-7r8p-q47f.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f59c-7r8p-q47f",
+ "modified": "2025-04-08T06:30:39Z",
+ "published": "2025-04-08T06:30:39Z",
+ "aliases": [
+ "CVE-2025-20940"
+ ],
+ "details": "Improper handling of insufficient permission in Samsung Device Health Manager Service prior to SMR Apr-2025 Release 1 allows local attackers to access provider in SDMHS.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20940"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:38Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-f6xw-xqhc-gwg3/GHSA-f6xw-xqhc-gwg3.json b/advisories/unreviewed/2025/04/GHSA-f6xw-xqhc-gwg3/GHSA-f6xw-xqhc-gwg3.json
new file mode 100644
index 00000000000..7f4c991a698
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-f6xw-xqhc-gwg3/GHSA-f6xw-xqhc-gwg3.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f6xw-xqhc-gwg3",
+ "modified": "2025-04-08T06:30:40Z",
+ "published": "2025-04-08T06:30:40Z",
+ "aliases": [
+ "CVE-2024-47261"
+ ],
+ "details": "51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input validation to allow an attacker to upload files to block access to create image overlays in the web interface of the Axis device.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47261"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.axis.com/dam/public/18/c5/b2/cve-2024-47261pdf-en-US-474505.pdf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-1287"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T06:15:43Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-fp5g-w23g-5r66/GHSA-fp5g-w23g-5r66.json b/advisories/unreviewed/2025/04/GHSA-fp5g-w23g-5r66/GHSA-fp5g-w23g-5r66.json
new file mode 100644
index 00000000000..442323c3c91
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-fp5g-w23g-5r66/GHSA-fp5g-w23g-5r66.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fp5g-w23g-5r66",
+ "modified": "2025-04-08T06:30:38Z",
+ "published": "2025-04-08T06:30:38Z",
+ "aliases": [
+ "CVE-2024-13820"
+ ],
+ "details": "The Melhor Envio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.15.9 via the 'run' function, which uses a hardcoded hash. This makes it possible for unauthenticated attackers to extract sensitive data including environment information, plugin tokens, shipping configurations, and limited vendor information.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13820"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/melhorenvio/wp-melhorenvio-v2/blob/6e2f5bb01c536df9fc84534eb8a27ec99d9601af/Services/TestService.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/melhor-envio-cotacao/trunk/Services/TestService.php#L20"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/melhor-envio-cotacao/trunk/Services/TestService.php#L30"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8f093bc-5cd3-41a0-b86b-d00338334d2e?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:37Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-fr9r-mwp9-h3cg/GHSA-fr9r-mwp9-h3cg.json b/advisories/unreviewed/2025/04/GHSA-fr9r-mwp9-h3cg/GHSA-fr9r-mwp9-h3cg.json
new file mode 100644
index 00000000000..c785c617bf3
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-fr9r-mwp9-h3cg/GHSA-fr9r-mwp9-h3cg.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fr9r-mwp9-h3cg",
+ "modified": "2025-04-08T06:30:38Z",
+ "published": "2025-04-08T06:30:38Z",
+ "aliases": [
+ "CVE-2025-20934"
+ ],
+ "details": "Improper access control in Sticker Center prior to SMR Apr-2025 Release 1 allows local attackers to access image files with system privilege.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20934"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:37Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-h477-9mjj-79jx/GHSA-h477-9mjj-79jx.json b/advisories/unreviewed/2025/04/GHSA-h477-9mjj-79jx/GHSA-h477-9mjj-79jx.json
new file mode 100644
index 00000000000..d2d48c68753
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-h477-9mjj-79jx/GHSA-h477-9mjj-79jx.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h477-9mjj-79jx",
+ "modified": "2025-04-08T06:30:39Z",
+ "published": "2025-04-08T06:30:39Z",
+ "aliases": [
+ "CVE-2025-20939"
+ ],
+ "details": "Improper authorization in wireless download protocol in Galaxy Watch prior to SMR Apr-2025 Release 1 allows physical attackers to update device unique identifier of Watch devices.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20939"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:38Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-jfjp-pcc3-pr3f/GHSA-jfjp-pcc3-pr3f.json b/advisories/unreviewed/2025/04/GHSA-jfjp-pcc3-pr3f/GHSA-jfjp-pcc3-pr3f.json
new file mode 100644
index 00000000000..192f63f068a
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-jfjp-pcc3-pr3f/GHSA-jfjp-pcc3-pr3f.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jfjp-pcc3-pr3f",
+ "modified": "2025-04-08T06:30:38Z",
+ "published": "2025-04-08T06:30:38Z",
+ "aliases": [
+ "CVE-2025-3408"
+ ],
+ "details": "A vulnerability was found in Nothings stb up to f056911. It has been rated as critical. Affected by this issue is the function stb_dupreplace. The manipulation leads to integer overflow. The attack may be launched remotely. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3408"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.303686"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.303686"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.544230"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T04:15:32Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-m2p7-7xpw-vf3v/GHSA-m2p7-7xpw-vf3v.json b/advisories/unreviewed/2025/04/GHSA-m2p7-7xpw-vf3v/GHSA-m2p7-7xpw-vf3v.json
new file mode 100644
index 00000000000..0d16b78f83a
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-m2p7-7xpw-vf3v/GHSA-m2p7-7xpw-vf3v.json
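Review bot: `"cwe_ids": []` in `database_specific` leaves this stb entry with no weakness classification even though its `details` text explicitly describes an integer overflow in `stb_dupreplace`, whereas the sibling imports GHSA-m2p7-7xpw-vf3v, GHSA-vxqq-2372-8qpx and GHSA-xv36-fxmx-5mpc in this commit do carry CWE ids. Since `github_reviewed` is `false` this most likely mirrors what the upstream NVD record contained at import time, so it is a curation gap rather than an importer bug; consumers that filter or aggregate by CWE will simply not see this advisory until a re-sync or review adds CWE-190 (Integer Overflow or Wraparound). The `affected` array is likewise empty, so the record cannot be matched to any package until it is reviewed. The upstream spelling in `details` ("Continious", "Nothings") should stay verbatim, as it quotes the source text.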
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m2p7-7xpw-vf3v",
+ "modified": "2025-04-08T06:30:38Z",
+ "published": "2025-04-08T06:30:38Z",
+ "aliases": [
+ "CVE-2025-3405"
+ ],
+ "details": "A vulnerability was found in FCJ Venture Builder appclientefiel 3.0.27. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /rest/cliente/ObterPedido/ of the component HTTP GET Request Handler. The manipulation of the argument ORDER_ID leads to improper control of resource identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3405"
+ },
+ {
+ "type": "WEB",
+ "url": "https://drive.google.com/file/d/1yhZiKFX0avpLDsYDlbnmmkTk4XTY8Y2h/view"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.303649"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.303649"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.544136"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-99"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T04:15:31Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-qqw6-6jj8-mcrc/GHSA-qqw6-6jj8-mcrc.json b/advisories/unreviewed/2025/04/GHSA-qqw6-6jj8-mcrc/GHSA-qqw6-6jj8-mcrc.json
new file mode 100644
index 00000000000..2dfec8be24b
--- /dev/null
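Review bot: The second `references` entry points at a `drive.google.com/file/d/...` share link, which is a personal file-hosting URL rather than a vendor advisory, issue tracker or archived writeup; such links can be revoked or edited by the owner at any time, so the reference may silently stop resolving or change content without the advisory's `modified` date reflecting it. This is inherited from the upstream NVD record and the importer is right to mirror it, but a curation pass would ideally add a durable reference (an archived copy or the vendor's own statement) alongside it, since the `details` text says the exploit is public and the drive link is the only non-VulDB source. The CWE-99 classification is consistent with the "improper control of resource identifiers" wording in `details`.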
+++ b/advisories/unreviewed/2025/04/GHSA-qqw6-6jj8-mcrc/GHSA-qqw6-6jj8-mcrc.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qqw6-6jj8-mcrc",
+ "modified": "2025-04-08T06:30:40Z",
+ "published": "2025-04-08T06:30:40Z",
+ "aliases": [
+ "CVE-2025-20948"
+ ],
+ "details": "Out-of-bounds read in enrollment with cdsp frame secfr trustlet prior to SMR Apr-2025 Release 1 allows local privileged attackers to read out-of-bounds memory.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20948"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-vxqq-2372-8qpx/GHSA-vxqq-2372-8qpx.json b/advisories/unreviewed/2025/04/GHSA-vxqq-2372-8qpx/GHSA-vxqq-2372-8qpx.json
new file mode 100644
index 00000000000..4641940d11a
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-vxqq-2372-8qpx/GHSA-vxqq-2372-8qpx.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vxqq-2372-8qpx",
+ "modified": "2025-04-08T06:30:41Z",
+ "published": "2025-04-08T06:30:41Z",
+ "aliases": [
+ "CVE-2025-3411"
+ ],
+ "details": "A vulnerability, which was classified as critical, has been found in mymagicpower AIAS 20250308. This issue affects some unknown processing of the file 3_api_platform/api-platform/src/main/java/top/aias/platform/controller/AsrController.java. The manipulation of the argument url leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3411"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Tr0e/CVE_Hunter/blob/main/AIAS/AIAS_SSRF1.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.303689"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.303689"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.544288"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:40Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-w2g9-r42v-245f/GHSA-w2g9-r42v-245f.json b/advisories/unreviewed/2025/04/GHSA-w2g9-r42v-245f/GHSA-w2g9-r42v-245f.json
new file mode 100644
index 00000000000..07c865b2388
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-w2g9-r42v-245f/GHSA-w2g9-r42v-245f.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w2g9-r42v-245f",
+ "modified": "2025-04-08T06:30:40Z",
+ "published": "2025-04-08T06:30:40Z",
+ "aliases": [
+ "CVE-2025-20950"
+ ],
+ "details": "Use of implicit intent for sensitive communication in SamsungNotes prior to version 4.4.26.45 allows local attackers to access sensitive information.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20950"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-w3fg-4j37-7mcw/GHSA-w3fg-4j37-7mcw.json b/advisories/unreviewed/2025/04/GHSA-w3fg-4j37-7mcw/GHSA-w3fg-4j37-7mcw.json
new file mode 100644
index 00000000000..d928bb517ee
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-w3fg-4j37-7mcw/GHSA-w3fg-4j37-7mcw.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w3fg-4j37-7mcw",
+ "modified": "2025-04-08T06:30:39Z",
+ "published": "2025-04-08T06:30:39Z",
+ "aliases": [
+ "CVE-2025-20936"
+ ],
+ "details": "Improper access control in HDCP trustlet prior to SMR Apr-2025 Release 1 allows local attackers with shell privilege to escalate their privileges to root.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20936"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:38Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-w5jv-4chj-9gqx/GHSA-w5jv-4chj-9gqx.json b/advisories/unreviewed/2025/04/GHSA-w5jv-4chj-9gqx/GHSA-w5jv-4chj-9gqx.json
new file mode 100644
index 00000000000..eb485e9c386
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-w5jv-4chj-9gqx/GHSA-w5jv-4chj-9gqx.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w5jv-4chj-9gqx",
+ "modified": "2025-04-08T06:30:40Z",
+ "published": "2025-04-08T06:30:40Z",
+ "aliases": [
+ "CVE-2025-20951"
+ ],
+ "details": "Improper verification of intent by broadcast receiver vulnerability in Galaxy Store prior to version 4.5.90.7 allows local attackers to write arbitrary files with the privilege of Galaxy Store.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20951"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-x52x-5cp7-6868/GHSA-x52x-5cp7-6868.json b/advisories/unreviewed/2025/04/GHSA-x52x-5cp7-6868/GHSA-x52x-5cp7-6868.json
new file mode 100644
index 00000000000..bbf7c7077a3
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-x52x-5cp7-6868/GHSA-x52x-5cp7-6868.json
@@ -0,0 +1,34 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x52x-5cp7-6868",
+ "modified": "2025-04-08T06:30:39Z",
+ "published": "2025-04-08T06:30:39Z",
+ "aliases": [
+ "CVE-2025-20941"
+ ],
+ "details": "Improper access control in InputManager to SMR Apr-2025 Release 1 allows local attackers to access the scancode of specific input device.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20941"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:38Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2025/04/GHSA-xv36-fxmx-5mpc/GHSA-xv36-fxmx-5mpc.json b/advisories/unreviewed/2025/04/GHSA-xv36-fxmx-5mpc/GHSA-xv36-fxmx-5mpc.json
new file mode 100644
index 00000000000..8b474158948
--- /dev/null
+++ b/advisories/unreviewed/2025/04/GHSA-xv36-fxmx-5mpc/GHSA-xv36-fxmx-5mpc.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xv36-fxmx-5mpc",
+ "modified": "2025-04-08T06:30:40Z",
+ "published": "2025-04-08T06:30:40Z",
+ "aliases": [
+ "CVE-2025-3410"
+ ],
+ "details": "A vulnerability classified as critical was found in mymagicpower AIAS 20250308. This vulnerability affects unknown code of the file training_platform/train-platform/src/main/java/top/aias/training/controller/LocalStorageController.java. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3410"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Tr0e/CVE_Hunter/blob/main/AIAS/AIAS_RCE.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.303688"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.303688"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.544243"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2025-04-08T05:15:40Z"
+ }
+}
\ No newline at end of file