Advisory Database Sync

Author: advisory-database[bot]

advisories/github-reviewed/2022/05/GHSA-887v-xh2x-47cm/GHSA-887v-xh2x-47cm.json

@@ -0,0 +1,111 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-887v-xh2x-47cm",
+  "modified": "2026-01-12T18:30:08Z",
+  "published": "2022-05-24T17:21:05Z",
+  "aliases": [
+    "CVE-2017-18893"
+  ],
+  "summary": "Mattermost Server is vulnerable to XSS through display name field",
+  "details": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.0.5"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.1.0"
+            },
+            {
+              "fixed": "4.1.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.2.0-rc1"
+            },
+            {
+              "fixed": "4.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18893"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/2a4d88d07c5815deac103e109550d25338507151"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/670bfbf62686ebe9f2ab332733d851a62b6950b0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/d0b42b9e527e93a61fd06a9b9106fc97067807e4"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mattermost/mattermost"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-12T18:30:08Z",
+    "nvd_published_at": "2020-06-19T19:15:00Z"
+  }
+}

advisories/unreviewed/2022/05/GHSA-887v-xh2x-47cm/GHSA-887v-xh2x-47cm.json

@@ -26,7 +26,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-121"
+      "CWE-121",
+      "CWE-787"
     ],
     "severity": "HIGH",
     "github_reviewed": false,

advisories/unreviewed/2025/01/GHSA-vvc3-x74m-rg8v/GHSA-vvc3-x74m-rg8v.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-45h6-97cw-2x6c",
-  "modified": "2025-11-03T18:31:39Z",
+  "modified": "2026-01-12T18:30:19Z",
   "published": "2025-09-05T18:31:27Z",
   "aliases": [
     "CVE-2025-39714"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usbtv: Lock resolution while streaming\n\nWhen an program is streaming (ffplay) and another program (qv4l2)\nchanges the TV standard from NTSC to PAL, the kernel crashes due to trying\nto copy to unmapped memory.\n\nChanging from NTSC to PAL increases the resolution in the usbtv struct,\nbut the video plane buffer isn't adjusted, so it overflows.\n\n[hverkuil: call vb2_is_busy instead of vb2_is_streaming]",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -57,7 +62,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-05T18:15:48Z"

advisories/unreviewed/2025/09/GHSA-45h6-97cw-2x6c/GHSA-45h6-97cw-2x6c.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cvwp-768v-w5r3",
-  "modified": "2025-11-03T18:31:39Z",
+  "modified": "2026-01-12T18:30:19Z",
   "published": "2025-09-05T18:31:27Z",
   "aliases": [
     "CVE-2025-39710"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: Add a check for packet size after reading from shared memory\n\nAdd a check to ensure that the packet size does not exceed the number of\navailable words after reading the packet header from shared memory. This\nensures that the size provided by the firmware is safe to process and\nprevent potential out-of-bounds memory access.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -56,8 +61,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-125"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-05T18:15:48Z"

advisories/unreviewed/2025/09/GHSA-cvwp-768v-w5r3/GHSA-cvwp-768v-w5r3.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-frvj-f982-mfmx",
-  "modified": "2025-11-03T18:31:40Z",
+  "modified": "2026-01-12T18:30:19Z",
   "published": "2025-09-07T18:31:27Z",
   "aliases": [
     "CVE-2025-39730"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix filehandle bounds checking in nfs_fh_to_dentry()\n\nThe function needs to check the minimal filehandle length before it can\naccess the embedded filehandle.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -61,7 +66,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-07T16:15:48Z"

advisories/unreviewed/2025/09/GHSA-frvj-f982-mfmx/GHSA-frvj-f982-mfmx.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jx3q-xcpc-36h3",
-  "modified": "2025-11-03T18:31:40Z",
+  "modified": "2026-01-12T18:30:19Z",
   "published": "2025-09-05T18:31:27Z",
   "aliases": [
     "CVE-2025-39724"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: fix panic due to PSLVERR\n\nWhen the PSLVERR_RESP_EN parameter is set to 1, the device generates\nan error response if an attempt is made to read an empty RBR (Receive\nBuffer Register) while the FIFO is enabled.\n\nIn serial8250_do_startup(), calling serial_port_out(port, UART_LCR,\nUART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes\ndw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter\nfunction enables the FIFO via serial_out(p, UART_FCR, p->fcr).\nExecution proceeds to the serial_port_in(port, UART_RX).\nThis satisfies the PSLVERR trigger condition.\n\nWhen another CPU (e.g., using printk()) is accessing the UART (UART\nis busy), the current CPU fails the check (value & ~UART_LCR_SPAR) ==\n(lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter\ndw8250_force_idle().\n\nPut serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock\nto fix this issue.\n\nPanic backtrace:\n[    0.442336] Oops - unknown exception [#1]\n[    0.442343] epc : dw8250_serial_in32+0x1e/0x4a\n[    0.442351]  ra : serial8250_do_startup+0x2c8/0x88e\n...\n[    0.442416] console_on_rootfs+0x26/0x70",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -57,7 +62,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-05T18:15:50Z"

advisories/unreviewed/2025/09/GHSA-jx3q-xcpc-36h3/GHSA-jx3q-xcpc-36h3.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wh65-53hg-mxpv",
-  "modified": "2025-11-03T18:31:40Z",
+  "modified": "2026-01-12T18:30:19Z",
   "published": "2025-09-07T18:31:27Z",
   "aliases": [
     "CVE-2025-39734"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"fs/ntfs3: Replace inode_trylock with inode_lock\"\n\nThis reverts commit 69505fe98f198ee813898cbcaf6770949636430b.\n\nInitially, conditional lock acquisition was removed to fix an xfstest bug\nthat was observed during internal testing. The deadlock reported by syzbot\nis resolved by reintroducing conditional acquisition. The xfstest bug no\nlonger occurs on kernel version 6.16-rc1 during internal testing. I\nassume that changes in other modules may have contributed to this.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -49,7 +54,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-07T16:15:50Z"

advisories/unreviewed/2025/09/GHSA-wh65-53hg-mxpv/GHSA-wh65-53hg-mxpv.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9247-4234-vwrq",
-  "modified": "2025-12-10T12:31:27Z",
+  "modified": "2026-01-12T18:30:20Z",
   "published": "2025-12-10T12:31:27Z",
   "aliases": [
     "CVE-2025-7073"
   ],
   "details": "A local privilege escalation vulnerability in Bitdefender Total Security 27.0.46.231 allows low-privileged attackers to elevate privileges. The issue arises from bdservicehost.exe deleting files from a user-writable directory (C:\\ProgramData\\Atc\\Feedback) without proper symbolic link validation, enabling arbitrary file deletion. This issue is chained with a file copy operation during network events and a filter driver bypass via DLL injection to achieve arbitrary file copy and code execution as elevated user.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2025/12/GHSA-9247-4234-vwrq/GHSA-9247-4234-vwrq.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mhwg-hvw8-9w84",
-  "modified": "2025-12-12T00:30:20Z",
+  "modified": "2026-01-12T18:30:21Z",
   "published": "2025-12-12T00:30:20Z",
   "aliases": [
     "CVE-2024-58289"
   ],
   "details": "Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field that will execute when the profile is viewed by other users, potentially stealing session cookies and executing arbitrary JavaScript.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"