Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 9e1bc32dad23 · 2026-01-23T20:17:53.000Z
GHSA-7p9h-m7m8-vhhv GHSA-j4rc-96xj-gvqc GHSA-mxc8-4jqf-368q GHSA-w7rq-fgx4-4xcm GHSA-wm8h-26fv-mg7g
diff --git a/advisories/github-reviewed/2026/01/GHSA-7p9h-m7m8-vhhv/GHSA-7p9h-m7m8-vhhv.json b/advisories/github-reviewed/2026/01/GHSA-7p9h-m7m8-vhhv/GHSA-7p9h-m7m8-vhhv.json
@@ -0,0 +1,80 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7p9h-m7m8-vhhv",
+  "modified": "2026-01-23T20:17:16Z",
+  "published": "2026-01-23T20:17:16Z",
+  "aliases": [],
+  "summary": "phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)",
+  "details": "### Summary\nA logged‑in user without the dlattachment right can download FAQ attachments. This is due to a permissive permission check in attachment.php that treats the mere presence of a right key as authorization and a flawed group/user logic expression.\n\n### Details\nIn attachment.php, the access decision uses:\n```($groupPermission || ($groupPermission && $userPermission)) && isset($permission['dlattachment'])```\nisset() returns true even when the right value is false, and the logic simplifies to $groupPermission for some permission modes. As a result, a user without dlattachment can still access the attachment.\n\n### PoC\nPrecondition: A non‑admin user exists; an attachment is associated to a FAQ record; records.allowDownloadsForGuests = false.\nLog in as a non‑admin user without dlattachment.\nRequest the attachment download endpoint.\n```\ncurl -c /tmp/pmf_api_cookies.txt \\\n  -H 'Content-Type: application/json' \\\n  -d '{\"username\":\"tester\",\"password\":\"Test1234!\"}' \\\n  http://192.168.40.16/phpmyfaq/api/v3.0/login\n\ncurl -i -b /tmp/pmf_api_cookies.txt \\\n  \"http://192.168.40.16/phpmyfaq/index.php?action=attachment&id=1\"\n```\n\n### Impact\nUnauthorized users can download attachments (confidentiality breach). Depending on content, this may expose sensitive documents.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "phpmyfaq/phpmyfaq"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.0.17"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.0.16"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "thorsten/phpmyfaq"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.0.17"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.0.16"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/thorsten/phpMyFAQ"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T20:17:16Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-j4rc-96xj-gvqc/GHSA-j4rc-96xj-gvqc.json b/advisories/github-reviewed/2026/01/GHSA-j4rc-96xj-gvqc/GHSA-j4rc-96xj-gvqc.json
@@ -0,0 +1,80 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j4rc-96xj-gvqc",
+  "modified": "2026-01-23T20:17:33Z",
+  "published": "2026-01-23T20:17:33Z",
+  "aliases": [],
+  "summary": "phpMyFAQ: Public API endpoints expose emails and invisible questions",
+  "details": "### Summary\nSeveral public API endpoints return email addresses and non‑public records (e.g. open questions with isVisible=false).\n\n### Details\nOpenQuestionController::list() calls Question::getAll() with the default showAll=true, returning invisible questions and their emails. Similar exposures exist in comment/news/faq APIs.\n\n### PoC\n```\ncurl -i -H 'Accept-Language: en' \\\n  http://192.168.40.16/phpmyfaq/api/v3.0/open-questions\n```\n\n### Impact\nPrivacy exposure of email addresses and non‑public content; increased risk of phishing/scraping.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "phpmyfaq/phpmyfaq"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.0.17"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.0.16"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "thorsten/phpmyfaq"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.0.17"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.0.16"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/thorsten/phpMyFAQ"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T20:17:33Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-mxc8-4jqf-368q/GHSA-mxc8-4jqf-368q.json b/advisories/github-reviewed/2026/01/GHSA-mxc8-4jqf-368q/GHSA-mxc8-4jqf-368q.json
@@ -1,14 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mxc8-4jqf-368q",
-  "modified": "2026-01-23T18:31:28Z",
+  "modified": "2026-01-23T20:16:21Z",
   "published": "2026-01-23T18:31:28Z",
   "aliases": [
     "CVE-2025-67124"
   ],
+  "summary": "miniserve affected by a TOCTOU and symlink race vulnerability",
   "details": "A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume).",
-  "severity": [],
-  "affected": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "miniserve"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.32.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -19,15 +45,18 @@
       "url": "https://gist.github.com/thesmartshadow/55688f87f8b985eb530e07d00ef8c63f"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/svenstaro/miniserve"
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "cwe_ids": [
+      "CWE-367",
+      "CWE-59"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T20:16:21Z",
     "nvd_published_at": "2026-01-23T16:15:52Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/01/GHSA-w7rq-fgx4-4xcm/GHSA-w7rq-fgx4-4xcm.json b/advisories/github-reviewed/2026/01/GHSA-w7rq-fgx4-4xcm/GHSA-w7rq-fgx4-4xcm.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w7rq-fgx4-4xcm",
-  "modified": "2026-01-23T18:31:30Z",
+  "modified": "2026-01-23T20:16:37Z",
   "published": "2026-01-23T18:31:30Z",
   "aliases": [
     "CVE-2025-71177"
   ],
+  "summary": "LavaLite CMS affected by a stored cross-site scripting vulnerability",
   "details": "LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "lavalite/cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "10.1.0"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/LavaLite/cms/issues/420"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/LavaLite/cms"
+    },
     {
       "type": "WEB",
       "url": "https://lavalite.org"
@@ -37,8 +62,8 @@
       "CWE-79"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T20:16:37Z",
     "nvd_published_at": "2026-01-23T17:16:08Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/01/GHSA-wm8h-26fv-mg7g/GHSA-wm8h-26fv-mg7g.json b/advisories/github-reviewed/2026/01/GHSA-wm8h-26fv-mg7g/GHSA-wm8h-26fv-mg7g.json
@@ -0,0 +1,80 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wm8h-26fv-mg7g",
+  "modified": "2026-01-23T20:17:25Z",
+  "published": "2026-01-23T20:17:25Z",
+  "aliases": [],
+  "summary": "phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)",
+  "details": "### Summary\nAuthenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP.\n\n### Details\nSetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged‑in user to create a sensitive backup and retrieve its path.\n\n### PoC\nPrecondition: API enabled, any authenticated non‑admin user.\n- Log in as a non‑admin user.\n- Call backup endpoint.\n```\ncurl -c /tmp/pmf_api_cookies.txt \\\n  -H 'Content-Type: application/json' \\\n  -d '{\"username\":\"tester\",\"password\":\"Test1234!\"}' \\\n  http://192.168.40.16/phpmyfaq/api/v3.0/login\n\ncurl -i -b /tmp/pmf_api_cookies.txt \\\n  -X POST --data '4.0.16' \\\n  http://192.168.40.16/phpmyfaq/api/setup/backup\n```\n\n### Impact\nLow‑privileged users can generate sensitive backups. If the ZIP is web‑accessible (server misconfiguration), this can lead to secret exposure.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "phpmyfaq/phpmyfaq"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.0.17"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.0.16"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "thorsten/phpmyfaq"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.0.17"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.0.16"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-wm8h-26fv-mg7g"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/thorsten/phpMyFAQ"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-285"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T20:17:25Z",
+    "nvd_published_at": null
+  }
+}
