Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2025/06/GHSA-8x66-x5gf-2pc8/GHSA-8x66-x5gf-2pc8.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8x66-x5gf-2pc8",
-  "modified": "2025-06-23T21:31:49Z",
+  "modified": "2025-12-09T21:31:29Z",
   "published": "2025-06-23T21:31:49Z",
   "aliases": [
     "CVE-2025-6218"
@@ -19,6 +19,18 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6218"
     },
+    {
+      "type": "WEB",
+      "url": "https://foresiet.com/blog/apt-c-08-winrar-directory-traversal-exploit"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6218"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.secpod.com/blog/archive-terror-dissecting-the-winrar-cve-2025-6218-exploit-apt-c-08s-stealth-move"
+    },
     {
       "type": "WEB",
       "url": "https://www.win-rar.com/singlenewsview.html?&tx_ttnews%5Btt_news%5D=276&cHash=388885bd3908a40726f535c026f94eb6"

advisories/unreviewed/2025/12/GHSA-2w86-r6rm-76wr/GHSA-2w86-r6rm-76wr.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2w86-r6rm-76wr",
-  "modified": "2025-12-09T18:30:43Z",
+  "modified": "2025-12-09T21:31:42Z",
   "published": "2025-12-09T18:30:43Z",
   "aliases": [
     "CVE-2025-67567"
   ],
   "details": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in uixthemes Sober sober allows Retrieve Embedded Sensitive Data.This issue affects Sober: from n/a through <= 3.5.11.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-497"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-12-09T16:18:33Z"

advisories/unreviewed/2025/12/GHSA-2wqc-47g4-pm22/GHSA-2wqc-47g4-pm22.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2wqc-47g4-pm22",
-  "modified": "2025-12-09T18:30:42Z",
+  "modified": "2025-12-09T21:31:41Z",
   "published": "2025-12-09T18:30:42Z",
   "aliases": [
     "CVE-2025-67543"
   ],
   "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Catch Themes Essential Widgets essential-widgets allows Stored XSS.This issue affects Essential Widgets: from n/a through <= 2.2.2.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-79"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-12-09T16:18:29Z"

advisories/unreviewed/2025/12/GHSA-34w2-vr99-v872/GHSA-34w2-vr99-v872.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-34w2-vr99-v872",
-  "modified": "2025-12-09T18:30:45Z",
+  "modified": "2025-12-09T21:31:43Z",
   "published": "2025-12-09T18:30:45Z",
   "aliases": [
     "CVE-2025-34409"
   ],
   "details": "MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Failed parameter of /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx. The Failed value is not properly sanitized when processed via a GET request and is reflected in the response, allowing an attacker to break out of existing markup and inject arbitrary script. A remote attacker can supply a crafted payload that closes an existing HTML list element, inserts attacker-controlled JavaScript, and comments out remaining code, leading to script execution in a victim’s browser when the victim visits a malicious link. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2025/12/GHSA-3jvf-36wg-6h35/GHSA-3jvf-36wg-6h35.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3jvf-36wg-6h35",
-  "modified": "2025-12-09T18:30:45Z",
+  "modified": "2025-12-09T21:31:43Z",
   "published": "2025-12-09T18:30:45Z",
   "aliases": [
     "CVE-2025-34408"
   ],
   "details": "MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Added parameter of /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx. The Added value is not properly sanitized when processed via a GET request and is reflected in the response, allowing an attacker to break out of existing markup and inject arbitrary script. A remote attacker can supply a crafted payload that closes an existing HTML list element, inserts attacker-controlled JavaScript, and comments out remaining code, leading to script execution in a victim’s browser when the victim visits a malicious link. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2025/12/GHSA-3rfh-phff-7g8v/GHSA-3rfh-phff-7g8v.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3rfh-phff-7g8v",
+  "modified": "2025-12-09T21:31:48Z",
+  "published": "2025-12-09T21:31:48Z",
+  "aliases": [
+    "CVE-2021-47701"
+  ],
+  "details": "OpenBMCS 2.4 allows an attacker to escalate privileges from a read user to an admin user by manipulating permissions and exploiting a vulnerability in the update_user_permissions.php script.  Attackers can submit a malicious HTTP POST request to PHP scripts in '/plugins/useradmin/' directory.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47701"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/50669"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openbmcs-user-management-privilege-escalation"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5693.php"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-09T21:15:47Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-49v5-397q-f66m/GHSA-49v5-397q-f66m.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-49v5-397q-f66m",
+  "modified": "2025-12-09T21:31:46Z",
+  "published": "2025-12-09T21:31:46Z",
+  "aliases": [
+    "CVE-2025-14335"
+  ],
+  "details": "A vulnerability has been found in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /new_school_year.php. The manipulation of the argument sy leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14335"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ltranquility/CVE/issues/20"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.335160"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.335160"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.702743"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-09T19:15:48Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-4mpp-3xgq-2qwv/GHSA-4mpp-3xgq-2qwv.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4mpp-3xgq-2qwv",
-  "modified": "2025-12-09T18:30:44Z",
+  "modified": "2025-12-09T21:31:43Z",
   "published": "2025-12-09T18:30:44Z",
   "aliases": [
     "CVE-2025-12945"
@@ -19,6 +19,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12945"
     },
+    {
+      "type": "WEB",
+      "url": "https://kb.netgear.com/000070416/December-2025-NETGEAR-Security-Advisory"
+    },
     {
       "type": "WEB",
       "url": "https://www.netgear.com/support/product/r7000p"

advisories/unreviewed/2025/12/GHSA-4p2g-f3r4-m384/GHSA-4p2g-f3r4-m384.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4p2g-f3r4-m384",
-  "modified": "2025-12-09T18:30:39Z",
+  "modified": "2025-12-09T21:31:38Z",
   "published": "2025-12-09T18:30:39Z",
   "aliases": [
     "CVE-2025-63048"
   ],
   "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows DOM-Based XSS.This issue affects ListingPro Lead Form: from n/a through <= 1.0.2.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-79"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-12-09T16:18:10Z"

advisories/unreviewed/2025/12/GHSA-4w7v-fjhh-9j2h/GHSA-4w7v-fjhh-9j2h.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4w7v-fjhh-9j2h",
-  "modified": "2025-12-09T18:30:39Z",
+  "modified": "2025-12-09T21:31:38Z",
   "published": "2025-12-09T18:30:39Z",
   "aliases": [
     "CVE-2025-63044"
   ],
   "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows DOM-Based XSS.This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-79"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-12-09T16:18:09Z"