Publish Advisories

GHSA-2g2c-ch77-q38g
GHSA-464j-7q34-j9w2
GHSA-549v-4675-2339
GHSA-6cqp-frfr-84vg
GHSA-9pr9-9ph6-wc7m

Author: advisory-database[bot]

advisories/unreviewed/2025/10/GHSA-2g2c-ch77-q38g/GHSA-2g2c-ch77-q38g.json

@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2g2c-ch77-q38g",
+  "modified": "2025-10-13T00:30:13Z",
+  "published": "2025-10-13T00:30:13Z",
+  "aliases": [
+    "CVE-2025-11649"
+  ],
+  "details": "A vulnerability was found in Tomofun Furbo 360 and Furbo Mini. The affected element is an unknown function of the component Root Account Handler. Performing manipulation results in use of hard-coded password. The attack must be initiated from a local position. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been made public and could be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11649"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Hardcoded-Password.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.328060"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.328060"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.662769"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-12T23:15:32Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-464j-7q34-j9w2/GHSA-464j-7q34-j9w2.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-464j-7q34-j9w2",
+  "modified": "2025-10-13T00:30:13Z",
+  "published": "2025-10-13T00:30:13Z",
+  "aliases": [
+    "CVE-2025-11651"
+  ],
+  "details": "A vulnerability has been found in UTT 进取 518G up to V3v3.2.7-210919-161313. This vulnerability affects the function sub_4247AC of the file /goform/formRemoteControl. The manipulation of the argument Profile leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11651"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cymiao1978/cve/blob/main/13.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cymiao1978/cve/blob/main/13.md#poc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.328068"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.328068"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.664925"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-13T00:15:33Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-549v-4675-2339/GHSA-549v-4675-2339.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-549v-4675-2339",
+  "modified": "2025-10-13T00:30:13Z",
+  "published": "2025-10-13T00:30:13Z",
+  "aliases": [
+    "CVE-2025-11648"
+  ],
+  "details": "A vulnerability has been found in Tomofun Furbo 360 and Furbo Mini. Impacted is an unknown function of the file TF_FQDN.json of the component GATT Interface URL Handler. Such manipulation leads to server-side request forgery. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11648"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/SSRF-via-BLE.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.328059"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.328059"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.662768"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-12T22:15:33Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-6cqp-frfr-84vg/GHSA-6cqp-frfr-84vg.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6cqp-frfr-84vg",
+  "modified": "2025-10-13T00:30:13Z",
+  "published": "2025-10-13T00:30:13Z",
+  "aliases": [
+    "CVE-2025-11650"
+  ],
+  "details": "A vulnerability was determined in Tomofun Furbo 360 and Furbo Mini. The impacted element is an unknown function of the file /etc/shadow of the component Password Handler. Executing manipulation can lead to use of weak hash. The physical device can be targeted for the attack. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been publicly disclosed and may be utilized. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:P/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11650"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure-Encryption-Algorithm.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.328061"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.328061"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.662771"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-327"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-12T23:15:32Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-9pr9-9ph6-wc7m/GHSA-9pr9-9ph6-wc7m.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9pr9-9ph6-wc7m",
+  "modified": "2025-10-13T00:30:13Z",
+  "published": "2025-10-13T00:30:13Z",
+  "aliases": [
+    "CVE-2025-11647"
+  ],
+  "details": "A flaw has been found in Tomofun Furbo 360 and Furbo Mini. This issue affects some unknown processing of the component GATT Service. This manipulation of the argument DeviceToken causes information disclosure. The attack is only possible within the local network. A high degree of complexity is needed for the attack. The exploitability is assessed as difficult. The exploit has been published and may be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11647"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Information-Disclosure-DeviceToken.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.328058"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.328058"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.662767"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-12T22:15:32Z"
+  }
+}