Publish Advisories

GHSA-hgch-f8pj-55cf
GHSA-hjpp-4hh8-vj87
GHSA-qwmp-482q-vqpm
GHSA-vgjw-r3pf-238c
GHSA-vj9r-pqp4-6mxr
GHSA-xc62-88x4-447w

Author: advisory-database[bot]

advisories/unreviewed/2025/12/GHSA-hgch-f8pj-55cf/GHSA-hgch-f8pj-55cf.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hgch-f8pj-55cf",
+  "modified": "2025-12-28T21:30:25Z",
+  "published": "2025-12-28T21:30:24Z",
+  "aliases": [
+    "CVE-2025-15154"
+  ],
+  "details": "A security vulnerability has been detected in PbootCMS up to 3.2.12. The affected element is the function get_user_ip of the file core/function/handle.php of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to use of less trusted source. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15154"
+    },
+    {
+      "type": "WEB",
+      "url": "https://note-hxlab.wetolink.com/share/JyBNgF8JagWQ"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338532"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338532"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.719818"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-348"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-28T21:15:54Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-hjpp-4hh8-vj87/GHSA-hjpp-4hh8-vj87.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hjpp-4hh8-vj87",
+  "modified": "2025-12-28T21:30:24Z",
+  "published": "2025-12-28T21:30:24Z",
+  "aliases": [
+    "CVE-2025-15149"
+  ],
+  "details": "A vulnerability has been found in rawchen ecms up to b59d7feaa9094234e8aa6c8c6b290621ca575ded. Affected by this vulnerability is the function updateProductServlet of the file src/servlet/product/updateProductServlet.java of the component Add New Product Page. The manipulation of the argument productName leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15149"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zyhzheng500-maker/cve/blob/main/%E5%AD%98%E5%82%A8%E5%9E%8BXss.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338526"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338526"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.716583"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-28T19:15:48Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-qwmp-482q-vqpm/GHSA-qwmp-482q-vqpm.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qwmp-482q-vqpm",
+  "modified": "2025-12-28T21:30:25Z",
+  "published": "2025-12-28T21:30:24Z",
+  "aliases": [
+    "CVE-2025-15152"
+  ],
+  "details": "A vulnerability was identified in h-moses moga-mall up to 392d631a5ef15962a9bddeeb9f1269b9085473fa. This vulnerability affects the function addProduct of the file src/main/java/com/ms/product/controller/PmsProductController.java. Such manipulation of the argument objectName leads to unrestricted upload. The attack may be performed from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15152"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zyhzheng500-maker/cve/blob/main/moga-mall%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338529"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338529"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.721988"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-28T20:15:40Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-vgjw-r3pf-238c/GHSA-vgjw-r3pf-238c.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vgjw-r3pf-238c",
+  "modified": "2025-12-28T21:30:24Z",
+  "published": "2025-12-28T21:30:24Z",
+  "aliases": [
+    "CVE-2025-15150"
+  ],
+  "details": "A vulnerability was found in PX4 PX4-Autopilot up to 1.16.0. Affected by this issue is the function MavlinkLogHandler::state_listing/MavlinkLogHandler::log_entry_from_id of the file src/modules/mavlink/mavlink_log_handler.cpp. The manipulation results in stack-based buffer overflow. The attack is only possible with local access. The patch is identified as 338595edd1d235efd885fd5e9f45e7f9dcf4013d. It is best practice to apply a patch to resolve this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15150"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/PX4/PX4-Autopilot/issues/26118"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/PX4/PX4-Autopilot/pull/26124"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/PX4/PX4-Autopilot/pull/26124/commits/338595edd1d235efd885fd5e9f45e7f9dcf4013d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338527"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338527"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.717323"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-28T19:15:48Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-vj9r-pqp4-6mxr/GHSA-vj9r-pqp4-6mxr.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vj9r-pqp4-6mxr",
+  "modified": "2025-12-28T21:30:25Z",
+  "published": "2025-12-28T21:30:24Z",
+  "aliases": [
+    "CVE-2025-15153"
+  ],
+  "details": "A weakness has been identified in PbootCMS up to 3.2.12. Impacted is an unknown function of the file /data/pbootcms.db of the component SQLite Database. Executing manipulation can lead to files or directories accessible. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been made available to the public and could be exploited. Modifying the configuration settings is advised.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15153"
+    },
+    {
+      "type": "WEB",
+      "url": "https://note-hxlab.wetolink.com/share/ALC1iSa8J56A"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338531"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338531"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.719814"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-425"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-28T21:15:54Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-xc62-88x4-447w/GHSA-xc62-88x4-447w.json

@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xc62-88x4-447w",
+  "modified": "2025-12-28T21:30:24Z",
+  "published": "2025-12-28T21:30:24Z",
+  "aliases": [
+    "CVE-2025-15151"
+  ],
+  "details": "A vulnerability was determined in TaleLin Lin-CMS up to 0.6.0. This affects an unknown part of the file /tests/config.py of the component Tests Folder. This manipulation of the argument username/password causes password in configuration file. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15151"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/m3ngx1ng/cve/blob/4690d4020a4a642af4c50912f762937292228641/lin-cms.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338528"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338528"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.721893"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-28T20:15:40Z"
+  }
+}