Publish Advisories

GHSA-2jx2-cgj2-48wc
GHSA-4wg5-h4j2-p56c
GHSA-568g-56p5-cj7r
GHSA-c8jf-qq3r-v2h7
GHSA-jm7r-f6p7-h29v
GHSA-m3rx-6qww-mhm3

Author: advisory-database[bot]

advisories/unreviewed/2025/05/GHSA-2jx2-cgj2-48wc/GHSA-2jx2-cgj2-48wc.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2jx2-cgj2-48wc",
+  "modified": "2025-05-23T00:30:19Z",
+  "published": "2025-05-23T00:30:19Z",
+  "aliases": [
+    "CVE-2025-4338"
+  ],
+  "details": "Lantronix Device installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. An attacker could obtain credentials, access these network devices, and modify their configurations. An attacker may also gain access to the host running the Device Installer software or the password hash of the user running the application.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4338"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-01"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.lantronix.com/products/lantronix-provisioning-manager"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-611"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-05-22T23:15:19Z"
+  }
+}

advisories/unreviewed/2025/05/GHSA-4wg5-h4j2-p56c/GHSA-4wg5-h4j2-p56c.json

@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4wg5-h4j2-p56c",
+  "modified": "2025-05-23T00:30:19Z",
+  "published": "2025-05-23T00:30:19Z",
+  "aliases": [
+    "CVE-2025-4642"
+  ],
+  "details": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4642"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-05-22T23:15:19Z"
+  }
+}

advisories/unreviewed/2025/05/GHSA-568g-56p5-cj7r/GHSA-568g-56p5-cj7r.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-568g-56p5-cj7r",
+  "modified": "2025-05-23T00:30:19Z",
+  "published": "2025-05-23T00:30:19Z",
+  "aliases": [
+    "CVE-2025-4975"
+  ],
+  "details": "When a notification relating to low battery appears for a user with whom the device has been shared, tapping the notification grants full access to the power settings of that device.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4975"
+    },
+    {
+      "type": "WEB",
+      "url": "https://play.google.com/store/apps/details?id=com.tplink.iot&hl=en_US"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tp-link.com/us/support/faq/4464"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-269"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-05-22T22:15:31Z"
+  }
+}

advisories/unreviewed/2025/05/GHSA-c8jf-qq3r-v2h7/GHSA-c8jf-qq3r-v2h7.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c8jf-qq3r-v2h7",
+  "modified": "2025-05-23T00:30:20Z",
+  "published": "2025-05-23T00:30:19Z",
+  "aliases": [
+    "CVE-2025-4692"
+  ],
+  "details": "Actors can use a maliciously crafted JavaScript object notation (JSON) web token (JWT) to perform privilege escalation by submitting the malicious JWT to a vulnerable method exposed on the cloud platform. If the exploit is successful, the user can escalate privileges to access any device managed by the \n\nABUP Cloud Update Platform.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4692"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-01"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-266"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-05-23T00:15:20Z"
+  }
+}

advisories/unreviewed/2025/05/GHSA-jm7r-f6p7-h29v/GHSA-jm7r-f6p7-h29v.json

@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jm7r-f6p7-h29v",
+  "modified": "2025-05-23T00:30:19Z",
+  "published": "2025-05-23T00:30:19Z",
+  "aliases": [
+    "CVE-2025-4562"
+  ],
+  "details": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4562"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-05-22T23:15:19Z"
+  }
+}

advisories/unreviewed/2025/05/GHSA-m3rx-6qww-mhm3/GHSA-m3rx-6qww-mhm3.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m3rx-6qww-mhm3",
+  "modified": "2025-05-23T00:30:19Z",
+  "published": "2025-05-23T00:30:19Z",
+  "aliases": [
+    "CVE-2025-47181"
+  ],
+  "details": "Improper link resolution before file access ('link following') in Microsoft Edge (Chromium-based) allows an authorized attacker to elevate privileges locally.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47181"
+    },
+    {
+      "type": "WEB",
+      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47181"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-59"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-05-22T22:15:30Z"
+  }
+}