From c0c2ea86d066aeba6a02473ca5b540e65e6ad471 Mon Sep 17 00:00:00 2001
From: ghost
Date: Thu, 4 Dec 2025 07:22:21 +0000
Subject: [PATCH] =?UTF-8?q?chore:=20generate=20CVEs=20metadata=20?= =?UTF-8?q?=F0=9F=A4=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cves.json | 1 +
 cves.json-checksum.txt | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/cves.json b/cves.json
index 618e82a8d2d..83887bb4c6d 100644
--- a/cves.json
+++ b/cves.json
@@ -3430,6 +3430,7 @@
 {"ID":"CVE-2025-46822","Info":{"Name":"Java-springboot-codebase 1.1 - Arbitrary File Read","Severity":"high","Description":"OsamaTaher/Java-springboot-codebase is a collection of Java and Spring Boot code snippets, applications, and projects. Prior to commit c835c6f7799eacada4c0fc77e0816f250af01ad2, insufficient path traversal mechanisms make absolute path traversal possible. This vulnerability allows unauthorized access to sensitive internal files. Commit c835c6f7799eacada4c0fc77e0816f250af01ad2 contains a patch for the issue.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2025/CVE-2025-46822.yaml"}
 {"ID":"CVE-2025-47204","Info":{"Name":"Bootstrap Multiselect \u003c= 1.1.2 - Cross-Site Scripting","Severity":"medium","Description":"A PHP script in the source code release echoes arbitrary POST data. If a developer adopts this structure wholesale in a live application, it could create a Reflective Cross-Site Scripting (XSS) vulnerability exploitable through Cross-Site Request Forgery (CSRF).\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2025/CVE-2025-47204.yaml"}
 {"ID":"CVE-2025-47423","Info":{"Name":"Personal Weather Station Dashboard 12 - Directory Traversal","Severity":"high","Description":"Personal Weather Station Dashboard 12_lts allows unauthenticated remote attackers to read arbitrary files via ../ directory traversal in the test parameter to /others/_test.php, as demonstrated by reading the server's private SSL key in cleartext.\n","Classification":{"CVSSScore":"5.8"}},"file_path":"http/cves/2025/CVE-2025-47423.yaml"}
+{"ID":"CVE-2025-47445","Info":{"Name":"WordPress Eventin (Themewinter) ≤ 4.0.26 - Arbitrary File Download","Severity":"high","Description":"Themewinter Eventin contains a path traversal caused by relative path manipulation, letting attackers access arbitrary files on the server, exploit requires no specific privileges or user interaction.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2025/CVE-2025-47445.yaml"}
 {"ID":"CVE-2025-47539","Info":{"Name":"Eventin \u003c= 4.0.26 - Privilege Escalation","Severity":"critical","Description":"The Eventin WordPress plugin before 4.0.27 suffers from an unauthenticated privilege escalation vulnerability. Due to a missing permission check in the a REST API endpoint, unauthenticated attackers can import users with arbitrary roles, including administrator, leading to full site compromise.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2025/CVE-2025-47539.yaml"}
 {"ID":"CVE-2025-47646","Info":{"Name":"PSW Front-end Login \u0026 Registration 1.13 - Weak Password Recovery","Severity":"critical","Description":"PSW Front-end Login \u0026 Registration plugin for WordPress contains a weak password recovery mechanism that can be exploited by unauthenticated attackers. This vulnerability affects versions through 1.13 and allows attackers to potentially gain unauthorized access.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2025/CVE-2025-47646.yaml"}
 {"ID":"CVE-2025-47812","Info":{"Name":"Wing FTP Server \u003c= 7.4.3 - Remote Code Execution","Severity":"critical","Description":"Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) flaw (CVE-2025-47812).\nThe vulnerability arises from improper NULL byte handling in the 'username' parameter during login, which allows Lua code injection\ninto session files. These injected session files are executed when accessing authenticated endpoints such as /dir.html, resulting\nin arbitrary command execution with elevated privileges. This attack is possible only when anonymous login is enabled on the server.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2025/CVE-2025-47812.yaml"}
diff --git a/cves.json-checksum.txt b/cves.json-checksum.txt
index 85ce94db56b..4a4fa5d93ca 100644
--- a/cves.json-checksum.txt
+++ b/cves.json-checksum.txt
@@ -1 +1 @@
-d17fd44e8d28eeee06d2e5ea03ff4e76
+f3c7567e80e07c311578c63f69d2c3c4