Publish GHSA-vjcx-2xxh-mc9h

advisory-database[bot] · advisory-database[bot] · commit 55cb6d227a3f · 2025-12-13T03:32:00.000Z
diff --git a/advisories/unreviewed/2025/12/GHSA-vjcx-2xxh-mc9h/GHSA-vjcx-2xxh-mc9h.json b/advisories/unreviewed/2025/12/GHSA-vjcx-2xxh-mc9h/GHSA-vjcx-2xxh-mc9h.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vjcx-2xxh-mc9h",
+  "modified": "2025-12-13T03:30:10Z",
+  "published": "2025-12-13T03:30:10Z",
+  "aliases": [
+    "CVE-2025-13970"
+  ],
+  "details": "OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack \ndue to the absence of proper CSRF validation. This issue allows an \nunauthenticated attacker to trick a logged-in administrator into \nvisiting a maliciously crafted link, potentially enabling unauthorized \nmodification of PLC settings or the upload of malicious programs which \ncould lead to significant disruption or damage to connected systems.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13970"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-345-10.json"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/thiagoralves/OpenPLC_v3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-13T01:15:51Z"
+  }
+}
