Security Headlines

Tag: #apache

CVE-2022-42201: Simple Exam Reviewer Management System in PHP/OOP Free Source Code

Simple Exam Reviewer Management System v1.0 is vulnerable to insecure file upload.

Tags: #sql #web #apache #java #php
Why Log4Text is not another Log4Shell

Categories: Exploits and vulnerabilities, News. Tags: Log4Text, Apache, Commons Text, CVE-2022-42889, Log4j, Log4Shell, interpolators.

Log4Text is a recently found vulnerability in Apache Commons. Log4Text provoked a knee-jerk reaction because it reminds us of Log4Shell. So should we worry? The post Why Log4Text is not another Log4Shell appeared first on Malwarebytes Labs.

CVE-2013-4253: openshift-extras/README.md at enterprise-2.0 · openshift/openshift-extras

The deployment script in the unsupported "OpenShift Extras" set of add-on scripts, in Red Hat Openshift 1, installs a default public key in the root user's authorized_keys file.

Apache Commons Vulnerability: Patch but Don't Panic

Experts say CVE-2022-42899 is a serious vulnerability, but widespread exploitation is unlikely because of the specific conditions that need to exist for it to happen.

GHSA-5qwq-g2hx-r6f7: Hessian Lite for Apache Dubbo deserialization vulnerability

A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.

GHSA-998r-j9rx-qm8m: Apache Isis webconsole module may directly query the database in prototype mode

When running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) is automatically made available with the ability to directly query the database. It was felt that it is safer to require the developer to explicitly enable this capability. As of 2.0.0-M8, this can now be done using the `isis.prototyping.h2-console.web-allow-remote-access` configuration property; the web console is unavailable unless this property is set. As an additional safeguard, the new `isis.prototyping.h2-console.generate-random-web-admin-password` configuration parameter (enabled by default) requires the administrator to use a randomly generated password to access the console. The password is printed to the log as `webAdminPass: xxx` (where `xxx` is the password). To revert to the original behaviour, the administrator would therefore need to set these configuration parameters: `isis.prototyping.h2-console.web-allow-remote-access=true isis.prototyping.h2-console.generate-rando...

GHSA-7pfc-cc9x-8p4m: Apache Isis Cross-site Scripting vulnerability

Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. In particular, the end-user could enter JavaScript or similar and this would be executed. As of this release, the input strings are properly escaped when rendered.

CVE-2022-21587: Oracle Critical Patch Update Advisory - October 2022

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2022-39198

A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.