Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 2faefd64be07 · 2025-12-28T18:32:33.000Z
GHSA-3h7r-f34v-h2h3 GHSA-6w66-j7h2-8jjr GHSA-8jc6-q7jq-r8wg GHSA-m496-m5ff-4j4p GHSA-pj23-86ww-f72p GHSA-q6cr-5pc5-4693 GHSA-v539-hv42-wghc
diff --git a/advisories/unreviewed/2025/12/GHSA-3h7r-f34v-h2h3/GHSA-3h7r-f34v-h2h3.json b/advisories/unreviewed/2025/12/GHSA-3h7r-f34v-h2h3/GHSA-3h7r-f34v-h2h3.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3h7r-f34v-h2h3",
+  "modified": "2025-12-28T18:30:26Z",
+  "published": "2025-12-28T18:30:26Z",
+  "aliases": [
+    "CVE-2025-15142"
+  ],
+  "details": "A vulnerability was identified in 9786 phpok3w up to 901d96a06809fb28b17f3a4362c59e70411c933c. Impacted is an unknown function of the file show.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15142"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitee.com/9786/phpok3w/issues/IDD1IZ"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338520"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338520"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.715574"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-28T16:15:50Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-6w66-j7h2-8jjr/GHSA-6w66-j7h2-8jjr.json b/advisories/unreviewed/2025/12/GHSA-6w66-j7h2-8jjr/GHSA-6w66-j7h2-8jjr.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6w66-j7h2-8jjr",
+  "modified": "2025-12-28T18:30:26Z",
+  "published": "2025-12-28T18:30:26Z",
+  "aliases": [
+    "CVE-2025-15143"
+  ],
+  "details": "A security flaw has been discovered in EyouCMS up to 1.7.6. The affected element is an unknown function of the file /application/admin/logic/FilemanagerLogic.php of the component Backend Template Management. The manipulation of the argument content results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15143"
+    },
+    {
+      "type": "WEB",
+      "url": "https://note-hxlab.wetolink.com/share/XfINjg5i25Ud"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338521"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338521"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.716078"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-28T16:15:51Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-8jc6-q7jq-r8wg/GHSA-8jc6-q7jq-r8wg.json b/advisories/unreviewed/2025/12/GHSA-8jc6-q7jq-r8wg/GHSA-8jc6-q7jq-r8wg.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8jc6-q7jq-r8wg",
+  "modified": "2025-12-28T18:30:26Z",
+  "published": "2025-12-28T18:30:26Z",
+  "aliases": [
+    "CVE-2025-15146"
+  ],
+  "details": "A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. This impacts the function doUserList of the file src/main/java/com/sohu/cache/web/controller/UserManageController.java. Performing manipulation results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15146"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sohutv/cachecloud/issues/366"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sohutv/cachecloud/issues/366#issue-3733542570"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338524"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338524"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.716302"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-28T18:15:47Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-m496-m5ff-4j4p/GHSA-m496-m5ff-4j4p.json b/advisories/unreviewed/2025/12/GHSA-m496-m5ff-4j4p/GHSA-m496-m5ff-4j4p.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m496-m5ff-4j4p",
+  "modified": "2025-12-28T18:30:27Z",
+  "published": "2025-12-28T18:30:27Z",
+  "aliases": [
+    "CVE-2025-15148"
+  ],
+  "details": "A flaw has been found in CmsEasy up to 7.7.7. Affected is the function savetemp_action in the library /lib/admin/template_admin.php of the component Backend Template Management Page. Executing manipulation of the argument content/tempdata can lead to code injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15148"
+    },
+    {
+      "type": "WEB",
+      "url": "https://note-hxlab.wetolink.com/share/msJH69Y06ZlS"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338525"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338525"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.716303"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-28T18:15:47Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-pj23-86ww-f72p/GHSA-pj23-86ww-f72p.json b/advisories/unreviewed/2025/12/GHSA-pj23-86ww-f72p/GHSA-pj23-86ww-f72p.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pj23-86ww-f72p",
+  "modified": "2025-12-28T18:30:26Z",
+  "published": "2025-12-28T18:30:26Z",
+  "aliases": [
+    "CVE-2025-68973"
+  ],
+  "details": "In GnuPG through 2.4.8, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68973"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gpg/gnupg/blob/ff30683418695f5d2cc9e6cf8c9418e09378ebe4/g10/armor.c#L1305-L1306"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gpg.fail/memcpy"
+    },
+    {
+      "type": "WEB",
+      "url": "https://news.ycombinator.com/item?id=46403200"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.openwall.com/lists/oss-security/2025/12/28/5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-675"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-28T17:16:01Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-q6cr-5pc5-4693/GHSA-q6cr-5pc5-4693.json b/advisories/unreviewed/2025/12/GHSA-q6cr-5pc5-4693/GHSA-q6cr-5pc5-4693.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-q6cr-5pc5-4693",
+  "modified": "2025-12-28T18:30:26Z",
+  "published": "2025-12-28T18:30:26Z",
+  "aliases": [
+    "CVE-2025-15145"
+  ],
+  "details": "A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. This affects the function doTotalList of the file src/main/java/com/sohu/cache/web/controller/TotalManageController.java. Such manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15145"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sohutv/cachecloud/issues/365"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sohutv/cachecloud/issues/365#issue-3733522215"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338523"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338523"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.716301"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-28T17:16:01Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/12/GHSA-v539-hv42-wghc/GHSA-v539-hv42-wghc.json b/advisories/unreviewed/2025/12/GHSA-v539-hv42-wghc/GHSA-v539-hv42-wghc.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v539-hv42-wghc",
+  "modified": "2025-12-28T18:30:26Z",
+  "published": "2025-12-28T18:30:26Z",
+  "aliases": [
+    "CVE-2025-15144"
+  ],
+  "details": "A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. The impacted element is the function dr_show_error/dr_exit_msg of the file /dayrui/Fcms/Init.php of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15144"
+    },
+    {
+      "type": "WEB",
+      "url": "https://note-hxlab.wetolink.com/share/gbCf35DJ3los"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.338522"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.338522"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.716122"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-28T17:16:00Z"
+  }
+}
