Publish Advisories

GHSA-45p5-v273-3qqr
GHSA-m449-cwjh-6pw7
GHSA-339m-4qw5-j2g3
GHSA-qppm-g56g-fpvp
GHSA-w8x4-x68c-m6fc

Author: advisory-database[bot]

advisories/github-reviewed/2025/10/GHSA-45p5-v273-3qqr/GHSA-45p5-v273-3qqr.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-45p5-v273-3qqr",
-  "modified": "2025-10-22T19:38:11Z",
+  "modified": "2026-01-21T16:37:06Z",
   "published": "2025-10-22T19:38:11Z",
   "aliases": [
     "CVE-2025-11966"
   ],
   "summary": "Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names",
   "details": "# Description\n\n- In the `StaticHandlerImpl#sendDirectoryListing(...)` method under the `text/html` branch, file and directory names are directly embedded into the `href`, `title`, and link text without proper HTML escaping.\n- As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS.\n- Affected Code:\n    - File: `vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java`\n    - Lines:\n        - 709–713: `normalizedDir` is constructed without escaping\n        - 714–731: `<li><a ...>` elements insert file names directly into attributes and body without escaping\n        - 744: parent directory name construction\n        - 746–751: `{directory}`, `{parent}`, and `{files}` are inserted into the HTML template without escaping\n\n# Reproduction Steps\n\n1. Prerequisites:\n    - Directory listing is enabled using `StaticHandler`  \n      (e.g., `StaticHandler.create(\"public\").setDirectoryListing(true)`)\n    - The attacker has the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory)\n\n2. Create a malicious file name (example for Unix-based OS):\n    - Create an empty file in `public/` with one of the following names:\n      - `<img src=x onerror=alert('XSS')>.txt`\n      - Or attribute injection: `evil\" onmouseover=\"alert('XSS')\".txt`\n    - Example:\n      ```bash\n      mkdir -p public\n      printf 'test' > \"public/<img src=x onerror=alert('XSS')>.txt\"\n      ```\n\n3. Start the server (example):\n    - Routing: `router.route(\"/public/*\").handler(StaticHandler.create(\"public\").setDirectoryListing(true));`\n    - Server: `vertx.createHttpServer().requestHandler(router).listen(8890);`\n\n4. Verification request (raw HTTP):\n    ```\n    GET /public/ HTTP/1.1\n    Host: 127.0.0.1:8890\n    Accept: text/html\n    Connection: close\n    ```\n\n5. Example response excerpt:\n    ```html\n    <ul id=\"files\">\n      <li>\n        <a href=\"/public/<img src=x onerror=alert('XSS')>.txt\"\n           title=\"<img src=x onerror=alert('XSS')>.txt\">\n           <img src=x onerror=alert('XSS')>.txt\n        </a>\n      </li>\n      ...\n    </ul>\n    ```\n\n- When accessing `/public/` in a browser, the unescaped file name is interpreted as HTML, and event handlers such as `onerror` are executed.\n\n# Potential Impact\n\n- **Stored XSS**\n    - Arbitrary JavaScript executes in the browser context of users viewing the listing page\n    - Possible consequences:\n        - Theft of session tokens, JWTs, localStorage contents, or CSRF tokens\n        - Unauthorized actions with admin privileges (user creation, permission changes, settings modifications)\n        - Watering hole attacks, including malware distribution or malicious script injection to other pages\n\n- **Common Conditions That Make Exploitation Easier**\n    - Uploaded files are served directly under a publicly accessible directory\n    - Shared/synced directories (e.g., NFS, SMB, WebDAV, or cloud sync) are exposed\n    - ZIP/TAR archives are extracted directly under the webroot and directory listing is enabled in production environments\n\n# Similar CVEs Previously Reported\n\n- CVE‑2024‑32966  \n- CVE‑2019‑15603",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"

advisories/github-reviewed/2025/11/GHSA-m449-cwjh-6pw7/GHSA-m449-cwjh-6pw7.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m449-cwjh-6pw7",
-  "modified": "2025-11-27T08:15:59Z",
+  "modified": "2026-01-21T16:37:13Z",
   "published": "2025-11-24T22:42:07Z",
   "aliases": [
     "CVE-2025-66019"
@@ -52,6 +52,10 @@
       "type": "WEB",
       "url": "https://github.com/py-pdf/pypdf/commit/96186725e5e6f237129a58a97cd19204a9ce40b2"
     },
+    {
+      "type": "WEB",
+      "url": "https://aydinnyunus.github.io/2025/12/20/cve-2025-66019-pypdf-lzw-dos"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/py-pdf/pypdf"

advisories/github-reviewed/2026/01/GHSA-339m-4qw5-j2g3/GHSA-339m-4qw5-j2g3.json

@@ -0,0 +1,90 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-339m-4qw5-j2g3",
+  "modified": "2026-01-21T16:38:15Z",
+  "published": "2026-01-21T16:38:15Z",
+  "aliases": [
+    "CVE-2026-23946"
+  ],
+  "summary": "Tendenci Affected by Authenticated Remote Code Execution via Pickle Deserialization",
+  "details": "A critical deserialization vulnerability exists in Tendenci Helpdesk module (NOTE, by default, Helpdesk is NOT enabled), affecting the version 15.3.11 and earlier. This vulnerability allows remote code execution (RCE) by an authenticated user with staff security level due to using Python's pickle module on the helpdesk /reports/. The damage is contained to the user that your Tendenci application runs.\n\n**Key Finding:** The original CVE-2020-14942 was incompletely patched. While `ticket_list()` was fixed to use safe JSON deserialization, the `run_report()` function still uses unsafe `pickle.loads()`.\n\n**Permission Scoping:** The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions.\n\n## Vulnerability Details\n\n### Affected Version\n- **Version:** Tendenci 15.3.11 and earlier (all versions since incomplete CVE-2020-14942 patch)\n- **Component:** `tendenci/apps/helpdesk/views/staff.py`\n\n### Related CVE\n- **CVE-2020-14942:** Original pickle deserialization vulnerability (partially patched)\n- **GitHub Advisory:** GHSA-jqmc-fxxp-r589\n- **Original Issue:** https://github.com/tendenci/tendenci/issues/867\n\n### Tendenci User Role Hierarchy\n\n| Level | Role | Description |\n|-------|------|-------------|\n| 0 | `is_superuser` | Highest privilege - full Django admin |\n| 1 | `is_staff` | user with Staff security level - can access helpdesk module |\n| 2 | Authenticated User | Basic user access |\n| 3 | Anonymous User | Public read-only access |\n\n`is_staff` is a commonly assigned role (by a superuser) for helpdesk operators who manage support tickets - not system administrators. \n\n\n### Code Comparison (Patched vs Vulnerable)\n\n| Function | Line | Deserialization | Status |\n|----------|------|-----------------|--------|\n| `ticket_list()` | 763 | `simplejson.loads()` | ✅ SAFE |\n| `run_report()` | 1062 | `pickle.loads()` | ❌ VULNERABLE |\n\n## Why This Qualifies for CVE Assignment\n\nThis vulnerability represents an **incomplete patch bypass** for CVE-2020-14942 with a clear exploitation path. The flaw allows a malicious user with Staff security level to achieve Remote Code Execution via Python's pickle.loads. Though the damage is contained to the user that your Tendenci application runs. \n\n## Remediation\n\nUpdate Tendenci to the latest version (v15.3.12 as of now) immediately if you have Helpdesk enabled. Note that Helpdesk is not enabled by default. All of our hosted sites have been patched, although **none** of our client sites have the Helpdesk enabled.\n\n\n## References\n\n- Tendenci GitHub: https://github.com/tendenci/tendenci\n- CVE-2020-14942: https://nvd.nist.gov/vuln/detail/CVE-2020-14942\n- GitHub Advisory: https://github.com/advisories/GHSA-jqmc-fxxp-r589\n- Original Issue: https://github.com/tendenci/tendenci/issues/867\n- CWE-502: https://cwe.mitre.org/data/definitions/502.html\n- Python Pickle Security: https://docs.python.org/3/library/pickle.html#restricting-globals",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "tendenci"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "15.3.12"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/tendenci/tendenci/security/advisories/GHSA-339m-4qw5-j2g3"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14942"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/tendenci/tendenci/issues/867"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/tendenci/tendenci/commit/23d9fd85ab7654e9c83cfc86cb4175c0bd7a77f1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/tendenci/tendenci/commit/2ff0a457614944a1b417081c543ea4c5bb95d636"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/tendenci/tendenci/commit/63e1b84a5b163466d1d8d811d35e7021a7ca0d0e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.python.org/3/library/pickle.html#restricting-globals"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-jqmc-fxxp-r589"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/tendenci/tendenci"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/tendenci/tendenci/releases/tag/v15.3.12"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502",
+      "CWE-94"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-21T16:38:15Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/01/GHSA-qppm-g56g-fpvp/GHSA-qppm-g56g-fpvp.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qppm-g56g-fpvp",
-  "modified": "2026-01-20T18:58:15Z",
+  "modified": "2026-01-21T16:37:41Z",
   "published": "2026-01-20T18:58:15Z",
   "aliases": [
     "CVE-2025-66803"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66803"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/hotwired/turbo/pull/1399"
@@ -58,6 +62,10 @@
     {
       "type": "WEB",
       "url": "https://github.com/hotwired/turbo/releases/tag/v8.0.21"
+    },
+    {
+      "type": "WEB",
+      "url": "https://turbo.hotwired.dev/handbook/frames"
     }
   ],
   "database_specific": {
@@ -68,6 +76,6 @@
     "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-20T18:58:15Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-01-20T19:15:49Z"
   }
 }

advisories/github-reviewed/2026/01/GHSA-w8x4-x68c-m6fc/GHSA-w8x4-x68c-m6fc.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w8x4-x68c-m6fc",
-  "modified": "2026-01-14T19:50:44Z",
+  "modified": "2026-01-21T16:37:34Z",
   "published": "2026-01-14T16:53:10Z",
   "aliases": [
     "CVE-2026-22787"
@@ -56,6 +56,10 @@
       "type": "WEB",
       "url": "https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b"
     },
+    {
+      "type": "WEB",
+      "url": "https://aydinnyunus.github.io/2026/01/17/cve-2026-22787-html2pdf-xss-vulnerability"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/eKoopmans/html2pdf.js"