github
diff --git a/‎advisories/github-reviewed/2025/08/GHSA-22jp-w3cg-gvmm/GHSA-22jp-w3cg-gvmm.json
Lines changed: 77 additions & 0 deletions b/‎advisories/github-reviewed/2025/08/GHSA-22jp-w3cg-gvmm/GHSA-22jp-w3cg-gvmm.json
Lines changed: 77 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2025/08/GHSA-7mxq-h2r7-h449/GHSA-7mxq-h2r7-h449.json
Lines changed: 113 additions & 0 deletions b/‎advisories/github-reviewed/2025/08/GHSA-7mxq-h2r7-h449/GHSA-7mxq-h2r7-h449.json
Lines changed: 113 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2025/08/GHSA-cwgh-r52j-xh6c/GHSA-cwgh-r52j-xh6c.json
Lines changed: 69 additions & 0 deletions b/‎advisories/github-reviewed/2025/08/GHSA-cwgh-r52j-xh6c/GHSA-cwgh-r52j-xh6c.json
Lines changed: 69 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2025/08/GHSA-pr72-8fxw-xx22/GHSA-pr72-8fxw-xx22.json
Lines changed: 61 additions & 0 deletions b/‎advisories/github-reviewed/2025/08/GHSA-pr72-8fxw-xx22/GHSA-pr72-8fxw-xx22.json
Lines changed: 61 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2025/08/GHSA-22jp-w3cg-gvmm/GHSA-22jp-w3cg-gvmm.json
Lines changed: 0 additions & 36 deletions b/‎advisories/unreviewed/2025/08/GHSA-22jp-w3cg-gvmm/GHSA-22jp-w3cg-gvmm.json
Lines changed: 0 additions & 36 deletions
@@ -0,0 +1,77 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-22jp-w3cg-gvmm",
+  "modified": "2025-08-19T22:23:30Z",
+  "published": "2025-08-19T15:31:28Z",
+  "aliases": [
+    "CVE-2025-43740"
+  ],
+  "summary": "Liferay Portal has Stored Cross-Site Scripting Vulnerability via Message Boards Feature",
+  "details": "A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 allows an remote authenticated attacker to inject JavaScript through the message boards feature available via the web interface.\n\nLiferay Portal is fixed on the master branch from commit c1b7c6b.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.liferay.portal:release.portal.bom"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.4.3.120-ga120"
+            },
+            {
+              "last_affected": "7.4.3.132-ga23"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43740"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/32821b41f7f62271d1fb9d56c82297cd087780a4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/51e21fa8b3e8b49ed455caeab192c5bba7e15b6d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/c1b7c6b58f5042072c381fc2664e808ebb745826"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/liferay/liferay-portal"
+    },
+    {
+      "type": "WEB",
+      "url": "https://liferay.atlassian.net/browse/LPE-18276"
+    },
+    {
+      "type": "WEB",
+      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43740"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-08-19T22:23:30Z",
+    "nvd_published_at": "2025-08-19T13:15:41Z"
+  }
+}
@@ -0,0 +1,113 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7mxq-h2r7-h449",
+  "modified": "2025-08-19T22:24:01Z",
+  "published": "2025-08-19T15:31:28Z",
+  "aliases": [
+    "CVE-2025-43739"
+  ],
+  "summary": "Liferay Portal Email Modification Vulnerability via Calendar Portlet",
+  "details": "Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allow any authenticated user to modify the content of emails sent through the calendar portlet, allowing an attacker to send phishing emails to any other user in the same organization.\n\nLiferay Portal is fixed on the master branch from commit ff18e7d.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.liferay:com.liferay.calendar.service"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.0.83"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43739"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/0a9f5df16ae0afa8216ca568b89b2cdf00054bde"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/5dc74a9f53f0aaa6cc1b6e0f503842832324239a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/75be892f7cf31e1a38555d45627b0c2a06490d3d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/7d70fab2259ff8b4a775021eb95bfc183823f8fc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/7eb551616c6b8beeaf660ff7f29b09794cb80d91"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/a01a99cc4a5c7436f49790a1bfb386299172149c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/b396c00338e754976a9f63ea1d5393f29babdabb"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/c1660f1a906c5ee3adca51e68f0abd6f9c1d253f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/e50c1a0a53d30b4e55f47495e265c5b7ea3459e1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/f238677d9afb46cfe4e23f05ce11bd5197a70388"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/ff18e7d363f2a3bc83e9d3446f1bc49bee821883"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/ff927f3f6784b396d3a611ac2e5e99b69ff0fd05"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/liferay/liferay-portal"
+    },
+    {
+      "type": "WEB",
+      "url": "https://liferay.atlassian.net/browse/LPE-18210"
+    },
+    {
+      "type": "WEB",
+      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43739"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-203"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-08-19T22:24:01Z",
+    "nvd_published_at": "2025-08-19T14:15:38Z"
+  }
+}
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cwgh-r52j-xh6c",
+  "modified": "2025-08-19T22:24:23Z",
+  "published": "2025-08-19T18:31:31Z",
+  "aliases": [
+    "CVE-2025-43738"
+  ],
+  "summary": "Liferay Portal Reflected Cross-Site Scripting Vulnerability in displayType Parameter",
+  "details": "A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via _com_liferay_expando_web_portlet_ExpandoPortlet_displayType parameter.\n\nLiferay Portal is fixed on the master branch from commit acc4771.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.liferay:com.liferay.expando.web"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "5.0.59"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43738"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/acc477143b50de2138854548bc5bad06677e708a"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/liferay/liferay-portal"
+    },
+    {
+      "type": "WEB",
+      "url": "https://liferay.atlassian.net/browse/LPE-18290"
+    },
+    {
+      "type": "WEB",
+      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43738"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-08-19T22:24:23Z",
+    "nvd_published_at": "2025-08-19T16:15:26Z"
+  }
+}
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pr72-8fxw-xx22",
+  "modified": "2025-08-19T22:24:40Z",
+  "published": "2025-08-19T22:24:40Z",
+  "aliases": [
+    "CVE-2025-55740"
+  ],
+  "summary": "Default Credentials in nginx-defender Configuration Files",
+  "details": "### Impact\nThis is a configuration vulnerability affecting nginx-defender deployments. Example configuration files \n[config.yaml](https://github.com/Anipaleja/nginx-defender/blob/main/config.yaml), [docker-compose.yml](https://github.com/Anipaleja/nginx-defender/blob/main/docker-compose.yml) contain default credentials (`default_password: \"change_me_please\"`, `GF_SECURITY_ADMIN_PASSWORD=admin123`). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections.\n\n**Who is impacted?**\nAll users who deploy nginx-defender with default credentials and expose the admin interface to untrusted networks.\n\n### Patches\nThe issue is addressed in v1.5.0 and later.\n\nStartup warnings are added if default credentials are detected.\nDocumentation now strongly recommends changing all default passwords before deployment.\nPatched versions:\n1.5.0 and later\n**Will be fully patched in v1.7.0 and later**\n\n### Workarounds\nUsers can remediate the vulnerability without upgrading by manually changing all default credentials in configuration files before deployment:\n```yaml\n# config.yaml\nauth:\n  default_password: \"your_strong_password_here\"\n```\n\n```yml\n# docker-compose.yml\n- GF_SECURITY_ADMIN_PASSWORD=your_strong_password\n```\nRestrict access to the admin interface and use environment variables for secrets.\n\n### References\n- [Security Configuration Guide](https://github.com/Anipaleja/nginx-defender/blob/main/docs/security-config.md)\n- [Full Security Advisory](https://github.com/Anipaleja/nginx-defender/security/advisories)\n- [Library README](https://github.com/Anipaleja/nginx-defender/blob/main/lib/README.md)\n- [README](https://github.com/Anipaleja/nginx-defender/blob/main/README.md)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/Anipaleja/nginx-defender"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.5.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Anipaleja/nginx-defender/security/advisories/GHSA-pr72-8fxw-xx22"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55740"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Anipaleja/nginx-defender"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1392"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-08-19T22:24:40Z",
+    "nvd_published_at": "2025-08-19T20:15:35Z"
+  }
+}