Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 5ffb532279f5 · 2026-04-14T01:03:13.000Z
GHSA-3vxg-x5f8-f5qf GHSA-4f7c-pmjv-c25w GHSA-xm5m-wgh2-rrg3
diff --git a/advisories/github-reviewed/2026/04/GHSA-3vxg-x5f8-f5qf/GHSA-3vxg-x5f8-f5qf.json b/advisories/github-reviewed/2026/04/GHSA-3vxg-x5f8-f5qf/GHSA-3vxg-x5f8-f5qf.json
@@ -0,0 +1,99 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3vxg-x5f8-f5qf",
+  "modified": "2026-04-14T01:01:17Z",
+  "published": "2026-04-14T01:01:17Z",
+  "aliases": [
+    "CVE-2026-32270"
+  ],
+  "summary": "Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments",
+  "details": "### Summary\n\n`PaymentsController::actionPay` discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment.\n\nThe JSON error response includes the serialized order object (`order`), which contains some sensitive fields such as customer email, shipping address, and billing address.\n\n### Details\n\nI manually audited frontend payment flows and found that `actionPay()` retrieves orders by number before authorization is fully enforced.\n\nCode path:\n\n1. Load order by `number`.\n2. Evaluate whether payment is authorized for completed orders (`number + matching email`).\n3. If unauthorized, return failure.\n4. Failure response still includes `cartArray($order)`, which serializes sensitive order data.\n\nWhy is this a vulnerability?\n\n- Authorization logic says the requester is not allowed to pay for a completed order without an email.\n- But the response still returns the same completed order’s contents.\n\n### Impact\n\nType: Information Disclosure / Broken Access Control\n\nWho is impacted:\n\n- Any Commerce deployment where completed order numbers can be obtained or leaked.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "craftcms/commerce"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.0.0"
+            },
+            {
+              "fixed": "5.6.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.5.4"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "craftcms/commerce"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.11.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.10.2"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32270"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/craftcms/commerce"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/commerce/releases/tag/4.11.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/commerce/releases/tag/5.6.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200",
+      "CWE-862"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-14T01:01:17Z",
+    "nvd_published_at": "2026-04-13T20:16:33Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-4f7c-pmjv-c25w/GHSA-4f7c-pmjv-c25w.json b/advisories/github-reviewed/2026/04/GHSA-4f7c-pmjv-c25w/GHSA-4f7c-pmjv-c25w.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4f7c-pmjv-c25w",
-  "modified": "2026-04-10T18:31:18Z",
+  "modified": "2026-04-14T01:02:41Z",
   "published": "2026-04-10T18:31:18Z",
   "aliases": [
     "CVE-2026-40021"
   ],
+  "summary": "Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbidden characters",
   "details": "Apache Log4net's  XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list  and  XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list , in versions before 3.3.0, fail to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  in MDC property keys and values, as well as the identity field that may carry attacker-influenced data. This causes an exception during serialization and the silent loss of the affected log event.\n\nAn attacker who can influence any of these fields can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.\n\nUsers are advised to upgrade to Apache Log4net 3.3.0, which fixes this issue.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "NuGet",
+        "name": "log4net"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.3.0"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/apache/logging-log4net/pull/280"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/logging-log4net"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/q8otftjswhk69n3kxslqg7cobr0x4st7"
@@ -49,8 +74,8 @@
       "CWE-116"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-14T01:02:41Z",
     "nvd_published_at": "2026-04-10T16:16:32Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-xm5m-wgh2-rrg3/GHSA-xm5m-wgh2-rrg3.json b/advisories/github-reviewed/2026/04/GHSA-xm5m-wgh2-rrg3/GHSA-xm5m-wgh2-rrg3.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xm5m-wgh2-rrg3",
+  "modified": "2026-04-14T01:01:59Z",
+  "published": "2026-04-14T01:01:59Z",
+  "aliases": [
+    "CVE-2026-39984"
+  ],
+  "summary": "Sigstore Timestamp Authority has Improper Certificate Validation in verifier",
+  "details": "### Authorization bypass via certificate bag manipulation in sigstore/timestamp-authority verifier\n\nAn authorization bypass vulnerability exists in sigstore/timestamp-authority verifier (timestamp-authority/v2/pkg/verification): `VerifyTimestampResponse` function correctly verifies the certificate chain but when the TSA specific constraints are verified in `VerifyLeafCert`, the first non-CA certificate from the PKCS#7 certificate bag is used instead of the leaf certificate from the certificate chain. An attacker can exploit this by prepending a forged certificate to the certificate bag while the message is signed with an authorized key. The library validates the signature using the one certificate but performs authorization checks on the another, allowing an attacker to bypass some authorization controls. \n\nThis vulnerability does **not** apply to timestamp-authority service, only to users of `timestamp-authority/v2/pkg/verification` package.\n\nThis vulnerability does **not** apply to sigstore-go even though it is a user of `timestamp-authority/v2/pkg/verification`: Providing `TSACertificate` option to  `VerifyTimestampResponse` fully mitigates the issue.\n\n\n### Patches\n\nThe issue will be fixed in timestamp-authority 2.0.6\n\n### Workarounds\n\nUsers of `VerifyTimestampResponse` can use the `TSACertificate` option to specify the exact certificate they expect to be used: this fully mitigates the issue.\n\n### References\n\nThis issue was found after reading CVE-2026-33753 / GHSA-3xxc-pwj6-jgrj (originally reported by @Jaynornj and @Pr00fOf3xpl0it)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/sigstore/timestamp-authority/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.6"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.0.5"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-xm5m-wgh2-rrg3"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/sigstore/timestamp-authority"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-295"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-14T01:01:59Z",
+    "nvd_published_at": null
+  }
+}
