Publish Advisories

GHSA-276w-gj4p-9x23
GHSA-287x-9rff-qvcg
GHSA-78j7-w964-99fc
GHSA-87hw-q9ch-hcvh
GHSA-pfxq-29cx-gm9c
GHSA-rxf6-323f-44fc

Author: advisory-database[bot]

advisories/unreviewed/2025/07/GHSA-276w-gj4p-9x23/GHSA-276w-gj4p-9x23.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-276w-gj4p-9x23",
+  "modified": "2025-07-05T03:30:23Z",
+  "published": "2025-07-05T03:30:23Z",
+  "aliases": [
+    "CVE-2025-47227"
+  ],
+  "details": "In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), the Administrator password reset mechanism is mishandled. Making both a GET and a POST request to login.php.is sufficient. An unauthenticated attacker can then bypass authentication via administrator account takeover.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47227"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/synacktiv/CVE-2025-47227_CVE-2025-47228"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.scriptcase.net/changelog"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.synacktiv.com/advisories/scriptcase-pre-authenticated-remote-command-execution"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-684"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-07-05T03:15:30Z"
+  }
+}

advisories/unreviewed/2025/07/GHSA-287x-9rff-qvcg/GHSA-287x-9rff-qvcg.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-287x-9rff-qvcg",
+  "modified": "2025-07-05T03:30:23Z",
+  "published": "2025-07-05T03:30:23Z",
+  "aliases": [
+    "CVE-2025-53604"
+  ],
+  "details": "The web-push crate before 0.10.3 for Rust allows a denial of service (memory consumption) in the built-in clients via a large integer in a Content-Length header.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53604"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pimeys/rust-web-push/pull/68"
+    },
+    {
+      "type": "WEB",
+      "url": "https://crates.io/crates/web-push"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0015.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-130"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-07-05T01:15:28Z"
+  }
+}

advisories/unreviewed/2025/07/GHSA-78j7-w964-99fc/GHSA-78j7-w964-99fc.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-78j7-w964-99fc",
+  "modified": "2025-07-05T03:30:23Z",
+  "published": "2025-07-05T03:30:23Z",
+  "aliases": [
+    "CVE-2025-53603"
+  ],
+  "details": "In Alinto SOPE SOGo 2.0.2 through 5.12.2, sope-core/NGExtensions/NGHashMap.m allows a NULL pointer dereference and SOGo crash via a request in which a parameter in the query string is a duplicate of a parameter in the POST body.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53603"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Alinto/sope/pull/69"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Alinto/sope/blob/3146fbdb6ff3314e37e5c3682deeeef7d0f32064/sope-core/NGExtensions/NGHashMap.m#L790"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Alinto/sope/compare/SOGo-2.0.1...SOGo-2.0.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.openwall.com/lists/oss-security/2025/07/02/3"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-07-05T01:15:27Z"
+  }
+}

advisories/unreviewed/2025/07/GHSA-87hw-q9ch-hcvh/GHSA-87hw-q9ch-hcvh.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-87hw-q9ch-hcvh",
+  "modified": "2025-07-05T03:30:23Z",
+  "published": "2025-07-05T03:30:23Z",
+  "aliases": [
+    "CVE-2024-58254"
+  ],
+  "details": "The rustls crate 0.23.13 before 0.23.18 for Rust, when rustls::server::Acceptor::accept is used, allows a panic via a fragmented TLS ClientHello.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58254"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rustls/rustls/issues/2227"
+    },
+    {
+      "type": "WEB",
+      "url": "https://crates.io/crates/rustls"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0399.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-684"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-07-05T02:15:21Z"
+  }
+}

advisories/unreviewed/2025/07/GHSA-pfxq-29cx-gm9c/GHSA-pfxq-29cx-gm9c.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pfxq-29cx-gm9c",
+  "modified": "2025-07-05T03:30:23Z",
+  "published": "2025-07-05T03:30:23Z",
+  "aliases": [
+    "CVE-2025-47228"
+  ],
+  "details": "In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), shell injection in the SSH connection settings allows authenticated attackers to execute system commands via crafted HTTP requests.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47228"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/synacktiv/CVE-2025-47227_CVE-2025-47228"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.scriptcase.net/changelog"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.synacktiv.com/advisories/scriptcase-pre-authenticated-remote-command-execution"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-07-05T03:15:30Z"
+  }
+}

advisories/unreviewed/2025/07/GHSA-rxf6-323f-44fc/GHSA-rxf6-323f-44fc.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rxf6-323f-44fc",
+  "modified": "2025-07-05T03:30:23Z",
+  "published": "2025-07-05T03:30:23Z",
+  "aliases": [
+    "CVE-2025-53605"
+  ],
+  "details": "The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53605"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/stepancheg/rust-protobuf/issues/749"
+    },
+    {
+      "type": "WEB",
+      "url": "https://crates.io/crates/protobuf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0437"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-674"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-07-05T01:15:28Z"
+  }
+}