#java

This vulnerability could allow an attacker to store a malicious JavaScript payload in the login footer and login page description parameters within the administration panel.

SAP Enable Now Manager version 10.6.5 Build 2804 Cloud Edition suffers from cross site request forgery, cross site scripting, and open redirection vulnerabilities.

Apple Security Advisory 09-26-2023-1 - Safari 17 addresses code execution and spoofing vulnerabilities.

Nearly three dozen counterfeit packages have been discovered in the npm package repository that are designed to exfiltrate sensitive data from developer systems, according to findings from Fortinet FortiGuard Labs. One set of packages – named @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, and @virtualsearchtable/virtualsearchtable – harbored an obfuscated

A stored XSS vulnerability has been found on BuddyBoss Platform affecting version 2.2.9. This vulnerability allows an attacker to store a malicious javascript payload via POST request when sending an invitation.

Cross-Site Request Forgery (CSRF) vulnerability in NXLog Manager 5.6.5633 version. This vulnerability allows an attacker to eliminate roles within the platform by sending a specifically crafted query to the server. The vulnerability is based on the absence of proper validation of the origin of incoming requests.

By Waqas There are over 17 million developers worldwide who use NPM packages, making it a lucrative target for cybercriminals. This is a post from HackRead.com Read the original post: FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing Data

## Impact **Use of Open Source Library potentially exposed to RCE** **Issue**: Use of a version of the SnakeYAML `v1.31 `open source library with multiple issues that potentially exposes the user to unsafe deserialization of Java objects. This could allow third parties to execute arbitrary code on the target system. This issue is present in versions `0.3.0` to `0.8.1`. **Mitigation**: A pull request to address this issue has been merged - https://github.com/pytorch/serve/pull/2523. TorchServe release `0.8.2` includes this fix. ## Patches ## TorchServe release 0.8.2 includes fixes to address the previously listed issue: https://github.com/pytorch/serve/releases/tag/v0.8.2 **Tags for upgraded DLC release** User can use the following new image tags to pull DLCs that ship with patched TorchServe version 0.8.2: x86 GPU * v1.9-pt-ec2-2.0.1-inf-gpu-py310 * v1.8-pt-sagemaker-2.0.1-inf-gpu-py310 x86 CPU * v1.8-pt-ec2-2.0.1-inf-cpu-py310 * v1.7-pt-sagemaker-2.0.1-inf-cpu-py310 G...

Electrolink FM/DAB/TV Transmitter allows access to an unprotected endpoint that allows an MPFS File System binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or internal Flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.

Phpipam before v1.5.2 was discovered to contain a LDAP injection vulnerability via the dname parameter at /users/ad-search-result.php. This vulnerability allows attackers to enumerate arbitrary fields in the LDAP server and access sensitive data via a crafted POST request.