Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit ba4218cbeccb · 2024-12-28T21:32:12.000Z
GHSA-567c-gxmx-3pq9 GHSA-9rf3-44g3-h94q GHSA-c893-4f2j-x5ch GHSA-j7jv-x682-58fv GHSA-jphx-whwm-8gpv GHSA-p676-v935-rjvf
diff --git a/advisories/unreviewed/2024/12/GHSA-567c-gxmx-3pq9/GHSA-567c-gxmx-3pq9.json b/advisories/unreviewed/2024/12/GHSA-567c-gxmx-3pq9/GHSA-567c-gxmx-3pq9.json
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-567c-gxmx-3pq9",
-  "modified": "2024-12-27T21:30:30Z",
+  "modified": "2024-12-28T21:30:26Z",
   "published": "2024-12-27T21:30:30Z",
   "aliases": [
     "CVE-2024-50945"
   ],
   "details": "An improper access control vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f, allowing users to submit reviews without verifying if they have purchased the product.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-12-27T19:15:08Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-9rf3-44g3-h94q/GHSA-9rf3-44g3-h94q.json b/advisories/unreviewed/2024/12/GHSA-9rf3-44g3-h94q/GHSA-9rf3-44g3-h94q.json
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9rf3-44g3-h94q",
-  "modified": "2024-12-27T21:30:30Z",
+  "modified": "2024-12-28T21:30:26Z",
   "published": "2024-12-27T21:30:30Z",
   "aliases": [
     "CVE-2024-54450"
   ],
   "details": "An issue was discovered in Kurmi Provisioning Suite 7.9.0.33. If an X-Forwarded-For header is received during authentication, the Kurmi application will record the (possibly forged) IP address mentioned in that header rather than the real IP address that the user logged in from. This fake IP address can later be displayed in the My Account popup that shows the IP address that was used to log in.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-290"
+    ],
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-12-27T20:15:23Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-c893-4f2j-x5ch/GHSA-c893-4f2j-x5ch.json b/advisories/unreviewed/2024/12/GHSA-c893-4f2j-x5ch/GHSA-c893-4f2j-x5ch.json
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c893-4f2j-x5ch",
-  "modified": "2024-12-27T21:30:30Z",
+  "modified": "2024-12-28T21:30:26Z",
   "published": "2024-12-27T21:30:30Z",
   "aliases": [
     "CVE-2024-50944"
   ],
   "details": "Integer overflow vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f in the shopping cart functionality. The issue lies in the quantity parameter in the CartController's AddToCart method.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-190"
+    ],
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-12-27T19:15:08Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-j7jv-x682-58fv/GHSA-j7jv-x682-58fv.json b/advisories/unreviewed/2024/12/GHSA-j7jv-x682-58fv/GHSA-j7jv-x682-58fv.json
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-j7jv-x682-58fv",
-  "modified": "2024-12-27T21:30:30Z",
+  "modified": "2024-12-28T21:30:26Z",
   "published": "2024-12-27T21:30:30Z",
   "aliases": [
     "CVE-2024-54452"
   ],
   "details": "An issue was discovered in Kurmi Provisioning Suite before 7.9.0.35 and 7.10.x through 7.10.0.18. A Directory Traversal and Local File Inclusion vulnerability in the logsSys.do page allows remote attackers (authenticated as administrators) to trigger the display of unintended files. Any file accessible to the Kurmi user account could be displayed, e.g., configuration files with information such as the database password.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-12-27T20:15:23Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-jphx-whwm-8gpv/GHSA-jphx-whwm-8gpv.json b/advisories/unreviewed/2024/12/GHSA-jphx-whwm-8gpv/GHSA-jphx-whwm-8gpv.json
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jphx-whwm-8gpv",
-  "modified": "2024-12-27T21:30:30Z",
+  "modified": "2024-12-28T21:30:26Z",
   "published": "2024-12-27T21:30:30Z",
   "aliases": [
     "CVE-2024-53476"
   ],
   "details": "A race condition vulnerability in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f allows attackers to bypass inventory restrictions by simultaneously submitting purchase requests from multiple accounts for the same product. This can lead to overselling when stock is limited, as the system fails to accurately track inventory under high concurrency, resulting in potential loss and unfulfilled orders.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-362"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-12-27T19:15:09Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-p676-v935-rjvf/GHSA-p676-v935-rjvf.json b/advisories/unreviewed/2024/12/GHSA-p676-v935-rjvf/GHSA-p676-v935-rjvf.json
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-p676-v935-rjvf",
-  "modified": "2024-12-27T21:30:30Z",
+  "modified": "2024-12-28T21:30:26Z",
   "published": "2024-12-27T21:30:30Z",
   "aliases": [
     "CVE-2024-54451"
   ],
   "details": "A cross-site scripting (XSS) vulnerability in the graphicCustomization.do page in Kurmi Provisioning Suite before 7.9.0.38, 7.10.x through 7.10.0.18, and 7.11.x through 7.11.0.15 allows remote attackers (authenticated as system administrators) to inject arbitrary web script or HTML via the COMPONENT_fields(htmlTitle) field, which is rendered in other pages of the application for all users (if the graphical customization has been activated by a super-administrator).",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-12-27T20:15:23Z"
