Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 1899dc03c1be · 2025-07-15T23:06:49.000Z
GHSA-43mq-6xmg-29vm GHSA-92qf-8gh3-gwcm
diff --git a/advisories/github-reviewed/2024/12/GHSA-43mq-6xmg-29vm/GHSA-43mq-6xmg-29vm.json b/advisories/github-reviewed/2024/12/GHSA-43mq-6xmg-29vm/GHSA-43mq-6xmg-29vm.json
@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-43mq-6xmg-29vm",
-  "modified": "2025-04-09T13:52:38Z",
+  "modified": "2025-07-15T23:05:23Z",
   "published": "2024-12-11T18:30:42Z",
   "aliases": [
     "CVE-2024-53677"
   ],
   "summary": "Apache Struts file upload logic is flawed",
   "details": "File upload logic is flawed vulnerability in Apache Struts. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.\n\nThis issue affects Apache Struts: from 2.0.0 before 6.4.0.\n\nUsers are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload. If you are not using an old file upload logic based on FileuploadInterceptor your application is safe.\n\nYou can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067 .",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:A/V:C/RE:L/U:Red"
diff --git a/advisories/github-reviewed/2024/12/GHSA-92qf-8gh3-gwcm/GHSA-92qf-8gh3-gwcm.json b/advisories/github-reviewed/2024/12/GHSA-92qf-8gh3-gwcm/GHSA-92qf-8gh3-gwcm.json
@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-92qf-8gh3-gwcm",
-  "modified": "2024-12-09T20:45:10Z",
+  "modified": "2025-07-15T23:05:03Z",
   "published": "2024-12-09T15:31:37Z",
   "aliases": [
     "CVE-2024-53947"
   ],
   "summary": "Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions",
   "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema.\n\nThis issue affects Apache Superset: <4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue or add these Postgres functions to the config set DISALLOWED_SQL_FUNCTIONS.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"
