Publish Advisories

GHSA-rjx7-v6g9-8g3m
GHSA-26wm-7r96-7phx
GHSA-2ch8-gj76-vc82
GHSA-2mqw-xvh5-rv38
GHSA-2p76-x4wh-x3c6
GHSA-3qjq-8563-xqpx
GHSA-3vmp-5673-67p4
GHSA-4jv8-7mvw-g797
GHSA-53gc-fm45-xq5f
GHSA-54x3-pqpj-qp4h
GHSA-82gc-5r4p-79v3
GHSA-9w74-59mf-vjxv
GHSA-ff3c-r3wv-56wm
GHSA-hw45-5mv8-6p87
GHSA-jh7c-9hmh-jxw3
GHSA-jx6c-jcmp-rgvp
GHSA-vf69-hcwp-rxc8
GHSA-vwj2-w4fq-pg78
GHSA-wq6j-h853-fwf7

Author: advisory-database[bot]

advisories/unreviewed/2024/03/GHSA-rjx7-v6g9-8g3m/GHSA-rjx7-v6g9-8g3m.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rjx7-v6g9-8g3m",
-  "modified": "2024-03-12T09:30:42Z",
+  "modified": "2025-01-30T12:31:17Z",
   "published": "2024-03-12T09:30:42Z",
   "aliases": [
     "CVE-2024-25995"
@@ -22,10 +22,15 @@
     {
       "type": "WEB",
       "url": "https://cert.vde.com/en/advisories/VDE-2024-011"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-856"
     }
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-20",
       "CWE-306"
     ],
     "severity": "CRITICAL",

advisories/unreviewed/2025/01/GHSA-26wm-7r96-7phx/GHSA-26wm-7r96-7phx.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-26wm-7r96-7phx",
+  "modified": "2025-01-30T12:31:20Z",
+  "published": "2025-01-30T12:31:19Z",
+  "aliases": [
+    "CVE-2025-0744"
+  ],
+  "details": "an Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker change his subscription plan without paying by making a POST request changing the parameters of the \"/demos/embedai/pmt_cash_on_delivery/pay\" endpoint.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0744"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-01-30T12:15:27Z"
+  }
+}

advisories/unreviewed/2025/01/GHSA-2ch8-gj76-vc82/GHSA-2ch8-gj76-vc82.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2ch8-gj76-vc82",
+  "modified": "2025-01-30T12:31:17Z",
+  "published": "2025-01-30T12:31:17Z",
+  "aliases": [
+    "CVE-2025-0861"
+  ],
+  "details": "The VR-Frases (collect & share quotes) plugin for WordPress is vulnerable to SQL Injection via several parameters in all versions up to, and including, 3.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0861"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.svn.wordpress.org/vr-frases/tags/3.0.1/includes/vr-frases-admin.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d9d5afb-d38d-442c-8511-f1683739a1da?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-01-30T10:15:08Z"
+  }
+}

advisories/unreviewed/2025/01/GHSA-2mqw-xvh5-rv38/GHSA-2mqw-xvh5-rv38.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2mqw-xvh5-rv38",
+  "modified": "2025-01-30T12:31:19Z",
+  "published": "2025-01-30T12:31:19Z",
+  "aliases": [
+    "CVE-2025-0741"
+  ],
+  "details": "An Improper Access Control vulnerability has been found in EmbedAI\n\n 2.1 and below. This vulnerability allows an authenticated attacker to write messages into other users chat by changing the parameter \"chat_id\" of the POST request \"/embedai/chats/send_message\".",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0741"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-01-30T11:15:11Z"
+  }
+}

advisories/unreviewed/2025/01/GHSA-2p76-x4wh-x3c6/GHSA-2p76-x4wh-x3c6.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2p76-x4wh-x3c6",
+  "modified": "2025-01-30T12:31:20Z",
+  "published": "2025-01-30T12:31:20Z",
+  "aliases": [
+    "CVE-2025-0747"
+  ],
+  "details": "A Stored Cross-Site Scripting vulnerability has been found in EmbedAI. This vulnerability allows an authenticated attacker to inject a malicious JavaScript code into a message that will be executed when a user opens the chat.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0747"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-01-30T12:15:28Z"
+  }
+}

advisories/unreviewed/2025/01/GHSA-3qjq-8563-xqpx/GHSA-3qjq-8563-xqpx.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3qjq-8563-xqpx",
+  "modified": "2025-01-30T12:31:17Z",
+  "published": "2025-01-30T12:31:17Z",
+  "aliases": [
+    "CVE-2025-21107"
+  ],
+  "details": "Dell NetWorker, version(s) prior to 19.11.0.3, all versions of 19.10 & prior versions contain(s) an Unquoted Search Path or Element vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21107"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.dell.com/support/kbdoc/en-us/000278811/dsa-2025-064-security-update-for-dell-networker-networker-virtual-edition-and-networker-management-console-multiple-component-vulnerabilities"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-428"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-01-30T10:15:09Z"
+  }
+}

advisories/unreviewed/2025/01/GHSA-3vmp-5673-67p4/GHSA-3vmp-5673-67p4.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3vmp-5673-67p4",
+  "modified": "2025-01-30T12:31:19Z",
+  "published": "2025-01-30T12:31:19Z",
+  "aliases": [
+    "CVE-2022-43916"
+  ],
+  "details": "IBM App Connect Enterprise Certified Container 7.1, 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, and 12.7 Pods do not restrict network egress for Pods that are used for internal infrastructure.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43916"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ibm.com/support/pages/node/7181916"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-923"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-01-30T12:15:26Z"
+  }
+}

advisories/unreviewed/2025/01/GHSA-4jv8-7mvw-g797/GHSA-4jv8-7mvw-g797.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4jv8-7mvw-g797",
+  "modified": "2025-01-30T12:31:20Z",
+  "published": "2025-01-30T12:31:20Z",
+  "aliases": [
+    "CVE-2025-0746"
+  ],
+  "details": "A Reflected Cross-Site Scripting vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to craft a malicious URL leveraging the\"/embedai/users/show/<SCRIPT>\" endpoint to inject the malicious JavaScript code. This JavaScript code will be executed when a user opens the malicious URL.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0746"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-01-30T12:15:28Z"
+  }
+}

advisories/unreviewed/2025/01/GHSA-53gc-fm45-xq5f/GHSA-53gc-fm45-xq5f.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-53gc-fm45-xq5f",
+  "modified": "2025-01-30T12:31:19Z",
+  "published": "2025-01-30T12:31:18Z",
+  "aliases": [
+    "CVE-2024-13706"
+  ],
+  "details": "The WP Image Uploader plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'file' parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13706"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/wp-image-uploader/trunk/index.php#L85"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fea1546c-1d8f-4478-81b7-20a9096e0217?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-01-30T11:15:11Z"
+  }
+}

advisories/unreviewed/2025/01/GHSA-54x3-pqpj-qp4h/GHSA-54x3-pqpj-qp4h.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-54x3-pqpj-qp4h",
+  "modified": "2025-01-30T12:31:19Z",
+  "published": "2025-01-30T12:31:19Z",
+  "aliases": [
+    "CVE-2025-0742"
+  ],
+  "details": "An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to obtain files stored by others users by changing the \"FILE_ID\" of the endpoint \"/embedai/files/show/<FILE_ID>\".",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0742"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-01-30T12:15:27Z"
+  }
+}