Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2026/03/GHSA-26gm-rmpq-m43w/GHSA-26gm-rmpq-m43w.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-26gm-rmpq-m43w",
+  "modified": "2026-03-06T15:31:29Z",
+  "published": "2026-03-06T15:31:28Z",
+  "aliases": [
+    "CVE-2018-25164"
+  ],
+  "details": "EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. Attackers can send GET requests to the files directory to download database files like db.sq3 containing application data and credentials.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25164"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/45868"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/eversync-arbitrary-file-download-via-files-directory"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-552"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-06T13:15:57Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-2fgj-jm2w-7gj4/GHSA-2fgj-jm2w-7gj4.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2fgj-jm2w-7gj4",
+  "modified": "2026-03-06T15:31:30Z",
+  "published": "2026-03-06T15:31:29Z",
+  "aliases": [
+    "CVE-2018-25198"
+  ],
+  "details": "eToolz 3.4.8.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying oversized input buffers. Attackers can create a payload file containing 255 bytes of data that triggers a buffer overflow condition when processed by the application.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25198"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/45797"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/etoolz-denial-of-service-via-buffer-overflow"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-06T13:16:03Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-2jpw-jp56-mgr2/GHSA-2jpw-jp56-mgr2.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2jpw-jp56-mgr2",
+  "modified": "2026-03-06T15:31:29Z",
+  "published": "2026-03-06T15:31:29Z",
+  "aliases": [
+    "CVE-2018-25167"
+  ],
+  "details": "Net-Billetterie 2.9 contains an SQL injection vulnerability in the login parameter of login.inc.php that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit malicious SQL code through the login POST parameter to extract database information including usernames, passwords, and system credentials.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25167"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/45863"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/net-billetterie-sql-injection-via-loginincphp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-06T13:15:57Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-2p4h-vppg-wjv6/GHSA-2p4h-vppg-wjv6.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2p4h-vppg-wjv6",
+  "modified": "2026-03-06T15:31:29Z",
+  "published": "2026-03-06T15:31:28Z",
+  "aliases": [
+    "CVE-2018-25163"
+  ],
+  "details": "BitZoom 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rollno and username parameters in forgot.php and login.php. Attackers can submit crafted POST requests with SQL UNION statements to extract database schema information and table contents from the application database.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25163"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/45862"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/bitzoom-sql-injection-via-rollno-parameter"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-06T13:15:56Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-32f3-8mjf-7qcp/GHSA-32f3-8mjf-7qcp.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-32f3-8mjf-7qcp",
+  "modified": "2026-03-06T15:31:29Z",
+  "published": "2026-03-06T15:31:29Z",
+  "aliases": [
+    "CVE-2018-25182"
+  ],
+  "details": "Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ID parameter. Attackers can send GET requests to wcategory.php with crafted SQL payloads in the ID parameter to extract database table names and sensitive information from the database.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25182"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/45838"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/silurus-classifieds-script-sql-injection-via-wcategoryphp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-06T13:16:00Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-3fcc-mgw7-7h97/GHSA-3fcc-mgw7-7h97.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3fcc-mgw7-7h97",
-  "modified": "2026-03-05T06:30:27Z",
+  "modified": "2026-03-06T15:31:28Z",
   "published": "2026-03-05T06:30:27Z",
   "aliases": [
     "CVE-2026-28021"
   ],
   "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Craftis craftis allows PHP Local File Inclusion.This issue affects Craftis: from n/a through <= 1.2.8.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-98"
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-03-05T06:16:34Z"

advisories/unreviewed/2026/03/GHSA-3p4m-8hwx-8h8x/GHSA-3p4m-8hwx-8h8x.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3p4m-8hwx-8h8x",
-  "modified": "2026-03-05T06:30:28Z",
+  "modified": "2026-03-06T15:31:28Z",
   "published": "2026-03-05T06:30:28Z",
   "aliases": [
     "CVE-2026-28042"
   ],
   "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Listify listify allows Reflected XSS.This issue affects Listify: from n/a through <= 3.2.5.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-79"
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-03-05T06:16:37Z"

advisories/unreviewed/2026/03/GHSA-3ppf-8w6r-xfwh/GHSA-3ppf-8w6r-xfwh.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3ppf-8w6r-xfwh",
+  "modified": "2026-03-06T15:31:29Z",
+  "published": "2026-03-06T15:31:29Z",
+  "aliases": [
+    "CVE-2018-25174"
+  ],
+  "details": "ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify administrator credentials by submitting forged requests to _configurar_perfil.php. Attackers can craft malicious forms or links containing parameters like usuario, contrasena1, contrasena2, nombre, and email to change admin account settings without authentication.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25174"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/45836"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/abc-erp-cross-site-request-forgery-via-configurar-perfilphp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-06T13:15:59Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-462c-5jmq-4hmm/GHSA-462c-5jmq-4hmm.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-462c-5jmq-4hmm",
+  "modified": "2026-03-06T15:31:29Z",
+  "published": "2026-03-06T15:31:28Z",
+  "aliases": [
+    "CVE-2018-25165"
+  ],
+  "details": "Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'type' parameter. Attackers can send POST requests to ads.php with crafted SQL payloads in the type parameter to extract sensitive database information including usernames, databases, and version details.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25165"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.exploit-db.com/exploits/45864"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/galaxy-forces-mmorpg-sql-injection-via-adsphp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-06T13:15:57Z"
+  }
+}