From ba4218cbeccbec66a367dcf7ca4a7f6b181caa89 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Sat, 28 Dec 2024 21:32:12 +0000
Subject: [PATCH] Publish Advisories GHSA-567c-gxmx-3pq9 GHSA-9rf3-44g3-h94q GHSA-c893-4f2j-x5ch GHSA-j7jv-x682-58fv GHSA-jphx-whwm-8gpv GHSA-p676-v935-rjvf
---
 .../GHSA-567c-gxmx-3pq9/GHSA-567c-gxmx-3pq9.json | 15 +++++++++++----
 .../GHSA-9rf3-44g3-h94q/GHSA-9rf3-44g3-h94q.json | 15 +++++++++++----
 .../GHSA-c893-4f2j-x5ch/GHSA-c893-4f2j-x5ch.json | 15 +++++++++++----
 .../GHSA-j7jv-x682-58fv/GHSA-j7jv-x682-58fv.json | 15 +++++++++++----
 .../GHSA-jphx-whwm-8gpv/GHSA-jphx-whwm-8gpv.json | 15 +++++++++++----
 .../GHSA-p676-v935-rjvf/GHSA-p676-v935-rjvf.json | 15 +++++++++++----
 6 files changed, 66 insertions(+), 24 deletions(-)

diff --git a/advisories/unreviewed/2024/12/GHSA-567c-gxmx-3pq9/GHSA-567c-gxmx-3pq9.json b/advisories/unreviewed/2024/12/GHSA-567c-gxmx-3pq9/GHSA-567c-gxmx-3pq9.json
index 215c7a77c528f..612f47c81d30c 100644
--- a/advisories/unreviewed/2024/12/GHSA-567c-gxmx-3pq9/GHSA-567c-gxmx-3pq9.json
+++ b/advisories/unreviewed/2024/12/GHSA-567c-gxmx-3pq9/GHSA-567c-gxmx-3pq9.json
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-567c-gxmx-3pq9",
-  "modified": "2024-12-27T21:30:30Z",
+  "modified": "2024-12-28T21:30:26Z",
   "published": "2024-12-27T21:30:30Z",
   "aliases": [
     "CVE-2024-50945"
   ],
   "details": "An improper access control vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f, allowing users to submit reviews without verifying if they have purchased the product.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-12-27T19:15:08Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-9rf3-44g3-h94q/GHSA-9rf3-44g3-h94q.json b/advisories/unreviewed/2024/12/GHSA-9rf3-44g3-h94q/GHSA-9rf3-44g3-h94q.json
index 43d9bd3bda049..b3dca3d652b47 100644
--- a/advisories/unreviewed/2024/12/GHSA-9rf3-44g3-h94q/GHSA-9rf3-44g3-h94q.json
+++ b/advisories/unreviewed/2024/12/GHSA-9rf3-44g3-h94q/GHSA-9rf3-44g3-h94q.json
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9rf3-44g3-h94q",
-  "modified": "2024-12-27T21:30:30Z",
+  "modified": "2024-12-28T21:30:26Z",
   "published": "2024-12-27T21:30:30Z",
   "aliases": [
     "CVE-2024-54450"
   ],
   "details": "An issue was discovered in Kurmi Provisioning Suite 7.9.0.33. If an X-Forwarded-For header is received during authentication, the Kurmi application will record the (possibly forged) IP address mentioned in that header rather than the real IP address that the user logged in from. This fake IP address can later be displayed in the My Account popup that shows the IP address that was used to log in.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-290"
+    ],
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-12-27T20:15:23Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-c893-4f2j-x5ch/GHSA-c893-4f2j-x5ch.json b/advisories/unreviewed/2024/12/GHSA-c893-4f2j-x5ch/GHSA-c893-4f2j-x5ch.json
index 2b07016aa2c52..88f64548df09c 100644
--- a/advisories/unreviewed/2024/12/GHSA-c893-4f2j-x5ch/GHSA-c893-4f2j-x5ch.json
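Review bot: The vector added under `severity` for GHSA-9rf3-44g3-h94q, `"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H"`, computes to 9.4 and therefore does match the `"severity": "CRITICAL"` label in the following hunk, but the `details` text describes only a forged X-Forwarded-For value being recorded at login and later shown in the My Account popup, which reads as an integrity problem in audit data rather than a high availability impact. Since this is an unreviewed advisory (`github_reviewed` stays `false`) the score appears to be imported as published, so it is worth checking against the NVD source and recording the discrepancy before the CRITICAL label drives paging in downstream consumers. Separately, `affected` remains `[]` in all six files, so package-and-version matching will not surface any of these advisories; the `details` strings for GHSA-j7jv-x682-58fv and GHSA-p676-v935-rjvf carry fixed-version information (`before 7.9.0.35`, `before 7.9.0.38`) that a later review could encode if a suitable ecosystem entry exists.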
+++ b/advisories/unreviewed/2024/12/GHSA-c893-4f2j-x5ch/GHSA-c893-4f2j-x5ch.json
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c893-4f2j-x5ch",
-  "modified": "2024-12-27T21:30:30Z",
+  "modified": "2024-12-28T21:30:26Z",
   "published": "2024-12-27T21:30:30Z",
   "aliases": [
     "CVE-2024-50944"
   ],
   "details": "Integer overflow vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f in the shopping cart functionality. The issue lies in the quantity parameter in the CartController's AddToCart method.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-190"
+    ],
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-12-27T19:15:08Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-j7jv-x682-58fv/GHSA-j7jv-x682-58fv.json b/advisories/unreviewed/2024/12/GHSA-j7jv-x682-58fv/GHSA-j7jv-x682-58fv.json
index 020deab3dabd2..5dc231d22ffcc 100644
--- a/advisories/unreviewed/2024/12/GHSA-j7jv-x682-58fv/GHSA-j7jv-x682-58fv.json
+++ b/advisories/unreviewed/2024/12/GHSA-j7jv-x682-58fv/GHSA-j7jv-x682-58fv.json
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-j7jv-x682-58fv",
-  "modified": "2024-12-27T21:30:30Z",
+  "modified": "2024-12-28T21:30:26Z",
   "published": "2024-12-27T21:30:30Z",
   "aliases": [
     "CVE-2024-54452"
   ],
   "details": "An issue was discovered in Kurmi Provisioning Suite before 7.9.0.35 and 7.10.x through 7.10.0.18. A Directory Traversal and Local File Inclusion vulnerability in the logsSys.do page allows remote attackers (authenticated as administrators) to trigger the display of unintended files. Any file accessible to the Kurmi user account could be displayed, e.g., configuration files with information such as the database password.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-12-27T20:15:23Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-jphx-whwm-8gpv/GHSA-jphx-whwm-8gpv.json b/advisories/unreviewed/2024/12/GHSA-jphx-whwm-8gpv/GHSA-jphx-whwm-8gpv.json
index 49456269a4486..f0b1fe601d115 100644
--- a/advisories/unreviewed/2024/12/GHSA-jphx-whwm-8gpv/GHSA-jphx-whwm-8gpv.json
+++ b/advisories/unreviewed/2024/12/GHSA-jphx-whwm-8gpv/GHSA-jphx-whwm-8gpv.json
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jphx-whwm-8gpv",
-  "modified": "2024-12-27T21:30:30Z",
+  "modified": "2024-12-28T21:30:26Z",
   "published": "2024-12-27T21:30:30Z",
   "aliases": [
     "CVE-2024-53476"
   ],
   "details": "A race condition vulnerability in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f allows attackers to bypass inventory restrictions by simultaneously submitting purchase requests from multiple accounts for the same product. This can lead to overselling when stock is limited, as the system fails to accurately track inventory under high concurrency, resulting in potential loss and unfulfilled orders.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-362"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-12-27T19:15:09Z"
diff --git a/advisories/unreviewed/2024/12/GHSA-p676-v935-rjvf/GHSA-p676-v935-rjvf.json b/advisories/unreviewed/2024/12/GHSA-p676-v935-rjvf/GHSA-p676-v935-rjvf.json
index 455d6cb06a225..da595fd6faf1d 100644
--- a/advisories/unreviewed/2024/12/GHSA-p676-v935-rjvf/GHSA-p676-v935-rjvf.json
+++ b/advisories/unreviewed/2024/12/GHSA-p676-v935-rjvf/GHSA-p676-v935-rjvf.json
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-p676-v935-rjvf",
-  "modified": "2024-12-27T21:30:30Z",
+  "modified": "2024-12-28T21:30:26Z",
   "published": "2024-12-27T21:30:30Z",
   "aliases": [
     "CVE-2024-54451"
   ],
   "details": "A cross-site scripting (XSS) vulnerability in the graphicCustomization.do page in Kurmi Provisioning Suite before 7.9.0.38, 7.10.x through 7.10.0.18, and 7.11.x through 7.11.0.15 allows remote attackers (authenticated as system administrators) to inject arbitrary web script or HTML via the COMPONENT_fields(htmlTitle) field, which is rendered in other pages of the application for all users (if the graphical customization has been activated by a super-administrator).",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-12-27T20:15:23Z"