Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit f819679a59ca · 2026-01-23T22:43:06.000Z
GHSA-5w25-hxp5-h8c9 GHSA-7r96-8g3x-g36m GHSA-9chx-2vqw-8vq5
diff --git a/advisories/github-reviewed/2021/06/GHSA-5w25-hxp5-h8c9/GHSA-5w25-hxp5-h8c9.json b/advisories/github-reviewed/2021/06/GHSA-5w25-hxp5-h8c9/GHSA-5w25-hxp5-h8c9.json
@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5w25-hxp5-h8c9",
-  "modified": "2021-06-17T18:47:52Z",
+  "modified": "2026-01-23T22:42:00Z",
   "published": "2021-06-21T17:12:13Z",
-  "aliases": [
-    "CVE-2021-32685"
-  ],
-  "summary": "Improper Verification of Cryptographic Signature",
-  "details": "tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`.",
+  "withdrawn": "2026-01-23T22:42:00Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Improper Verification of Cryptographic Signature",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-7r96-8g3x-g36m. This link is maintained to preserve external references.\n\n## Original Description\ntEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`.",
   "severity": [
     {
       "type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2021/06/GHSA-7r96-8g3x-g36m/GHSA-7r96-8g3x-g36m.json b/advisories/github-reviewed/2021/06/GHSA-7r96-8g3x-g36m/GHSA-7r96-8g3x-g36m.json
@@ -1,11 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7r96-8g3x-g36m",
-  "modified": "2022-01-04T19:36:52Z",
+  "modified": "2026-01-23T22:42:09Z",
   "published": "2021-06-28T17:16:56Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2021-32685"
+  ],
   "summary": "Improper Verification of Cryptographic Signature",
-  "details": "### Impact\nThe `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature of a SHA-512 hash matching the SHA-512 hash of the message even if the signature is invalid.\n\n### Patches\nUpgrade to `v7.0.3` immediately to resolve this issue. Since the vulnerability lies within the verification method, the previous signatures are still valid. We highly recommend reverifying any signatures that were previously verified with the vulnerable `verifyWithMessage` method.\n\n### Workarounds\nIn `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`. For example, the return statement should start with `return this.verify(signed, password).verified && ` instead of `return this.verify(signed, password) && `.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [github.com/TogaTech/tEnvoy](https://github.com/TogaTech/tEnvoy)\n",
+  "details": "### Impact\nThe `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature of a SHA-512 hash matching the SHA-512 hash of the message even if the signature is invalid.\n\n### Patches\nUpgrade to `v7.0.3` immediately to resolve this issue. Since the vulnerability lies within the verification method, the previous signatures are still valid. We highly recommend reverifying any signatures that were previously verified with the vulnerable `verifyWithMessage` method.\n\n### Workarounds\nIn `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`. For example, the return statement should start with `return this.verify(signed, password).verified && ` instead of `return this.verify(signed, password) && `.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [github.com/TogaTech/tEnvoy](https://github.com/TogaTech/tEnvoy)",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -38,13 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32685"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/TogaTech/tEnvoy"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2022/02/GHSA-9chx-2vqw-8vq5/GHSA-9chx-2vqw-8vq5.json b/advisories/github-reviewed/2022/02/GHSA-9chx-2vqw-8vq5/GHSA-9chx-2vqw-8vq5.json
@@ -1,13 +1,14 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9chx-2vqw-8vq5",
-  "modified": "2022-02-08T16:08:49Z",
+  "modified": "2026-01-23T22:41:41Z",
   "published": "2022-02-01T00:01:00Z",
+  "withdrawn": "2026-01-23T22:41:41Z",
   "aliases": [
     "CVE-2022-23409"
   ],
-  "summary": "Path Traversal in the Logs plugin for Craft CMS",
-  "details": "The Logs plugin before 3.0.4 for Craft CMS allows remote attackers to read arbitrary files via input to actionStream in Controller.php.",
+  "summary": "Duplicate Advisory: Path Traversal in the Logs plugin for Craft CMS",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-fp63-499m-hq6m. This link is maintained to preserve external references.\n\n## Original Description\nThe Logs plugin before 3.0.4 for Craft CMS allows remote attackers to read arbitrary files via input to actionStream in Controller.php.",
   "severity": [
     {
       "type": "CVSS_V3",
