Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 63ec8014ab98 · 2025-05-06T18:55:08.000Z
GHSA-hp88-hfjw-2hg4 GHSA-2544-hpcq-6g27 GHSA-f7jh-m6wp-jm7f GHSA-hp88-hfjw-2hg4
diff --git a/advisories/github-reviewed/2025/03/GHSA-hp88-hfjw-2hg4/GHSA-hp88-hfjw-2hg4.json b/advisories/github-reviewed/2025/03/GHSA-hp88-hfjw-2hg4/GHSA-hp88-hfjw-2hg4.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hp88-hfjw-2hg4",
+  "modified": "2025-05-06T18:51:17Z",
+  "published": "2025-03-28T15:31:56Z",
+  "withdrawn": "2025-05-06T18:51:17Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store",
+  "details": "# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-f7jh-m6wp-jm7f. This link is maintained to preserve external references.\n\n# Original Description\n\nA flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scripts can execute in the context of users who view these pages, leading to potential data theft, session hijacking, or other malicious activities.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jboss.hal:hal-console"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.7.11.Final"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2901"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2025-2901"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2355685"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/hal/console"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-05-06T18:51:17Z",
+    "nvd_published_at": "2025-03-28T14:15:22Z"
+  }
+}
diff --git a/advisories/github-reviewed/2025/05/GHSA-2544-hpcq-6g27/GHSA-2544-hpcq-6g27.json b/advisories/github-reviewed/2025/05/GHSA-2544-hpcq-6g27/GHSA-2544-hpcq-6g27.json
@@ -1,26 +1,47 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2544-hpcq-6g27",
-  "modified": "2025-05-06T15:31:04Z",
+  "modified": "2025-05-06T18:51:10Z",
   "published": "2025-05-05T21:31:28Z",
   "aliases": [
     "CVE-2025-29573"
   ],
+  "summary": "Mezzanine CMS Cross-Site Scripting (XSS) vulnerability",
   "details": "Cross-Site Scripting (XSS) vulnerability exists in Mezzanine CMS 6.0.0 in the \"View Entries\" feature within the Forms module.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "Mezzanine"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "6.0.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29573"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/stephenmcd/mezzanine"
     },
     {
@@ -33,8 +54,8 @@
       "CWE-79"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-05-06T18:51:10Z",
     "nvd_published_at": "2025-05-05T19:15:55Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/05/GHSA-f7jh-m6wp-jm7f/GHSA-f7jh-m6wp-jm7f.json b/advisories/github-reviewed/2025/05/GHSA-f7jh-m6wp-jm7f/GHSA-f7jh-m6wp-jm7f.json
@@ -0,0 +1,77 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f7jh-m6wp-jm7f",
+  "modified": "2025-05-06T18:51:27Z",
+  "published": "2025-05-06T18:51:27Z",
+  "aliases": [
+    "CVE-2025-2901"
+  ],
+  "summary": "HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store",
+  "details": "A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scripts can execute in the context of users who view these pages, leading to potential data theft, session hijacking, or other malicious activities.\n\n### Impact\nCross-site scripting (XSS) vulnerability in the management console.\n\n### Patches\nFixed in [HAL 3.7.11.Final](https://github.com/hal/console/releases/tag/v3.7.11)\n\n### Workarounds\nNo workaround available",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jboss.hal:hal-console"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.7.11.Final"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/hal/console/security/advisories/GHSA-f7jh-m6wp-jm7f"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2901"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/hal/console/commit/216de3b8aa82ea92df10cc296d88c68467cf2c52"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2025-2901"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2355685"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/hal/console"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/hal/console/releases/tag/v3.7.11"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-05-06T18:51:27Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/unreviewed/2025/03/GHSA-hp88-hfjw-2hg4/GHSA-hp88-hfjw-2hg4.json b/advisories/unreviewed/2025/03/GHSA-hp88-hfjw-2hg4/GHSA-hp88-hfjw-2hg4.json
