Tag
#java
A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious javascript code through the /ckeditor/samples/old/ajax.html file and retrieve an authorized user's information.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.0 ATTENTION: Exploitable from adjacent network/low attack complexity Vendor: Siemens Equipment: SIMATIC PCS neo Vulnerabilities: Missing Authentication for Critical Function, SQL Injection, Permissive Cross-domain Policy with Untrusted Domains, Cross-site Scripting 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an unauthenticated adjacent attacker to generate a privileged token and upload additional documents, execute SQL statements, trick a legitimate user to trigger unwanted behavior, and inject Javascript code into the application that is later executed by another legitimate user. 3. TECHNICAL DETAILS...
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Siemens Equipment: COMOS Vulnerabilities: Improper Restriction of XML External Entity Reference, Path Traversal, Out-of-bounds Write, Out-of-bounds Read, Integer Overflow or Wraparound, Use After Free, Heap-based Buffer Overflow, Cleartext Transmission of Sensitive Information, Classic Buffer Overflow, Improper Access Control 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service condition, data infiltration, or perform access control violations. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODU...
An issue in PublicCMS v.4.0.202302.e allows a remote attacker to obtain sensitive information via the appToken and Parameters parameter of the api/method/getHtml component.
A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application.
xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /xxl-job-admin/joblog/logDetailPage.
In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing.
A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application.
Red Hat Security Advisory 2023-7205-01 - An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and traversal vulnerabilities.
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack. Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.