
Tag

#java

CVE-2023-34463: Ordinary users can delete applications through unauthorized interface vulnerability

DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions, unauthorized users can delete an application erroneously. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2023-35168: DataEase has a privilege bypass vulnerability that allows ordinary users to access all user information

DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. Affected versions of DataEase have a privilege bypass vulnerability where ordinary users can gain access to the user database. Exposed information includes MD5 hashes of passwords, username, email, and phone number. The vulnerability has been fixed in v1.18.8. Users are advised to upgrade. There are no known workarounds for the vulnerability.

China's 'Volt Typhoon' APT Turns to Zoho ManageEngine for Fresh Cyberattacks

A recent campaign shows that the politically motivated threat actor has more tricks up its sleeve than previously known, targeting an old RCE flaw and wiping logs to cover their tracks.

CVE-2023-33176: Merge pull request #18052 from paultrudel/ssrf-fix-25 · bigbluebutton/bigbluebutton@43394da

BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. Affected versions are vulnerable to Server-Side Request Forgery (SSRF). In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, ...

CVE-2020-23066: Cross-site scripting vulnerability in TinyMCE

Cross-site scripting vulnerability in TinyMCE v.4.9.6 and before and v.5.0.0 through v.5.1.4 allows an attacker to execute arbitrary code via the editor function.

CVE-2020-23064: jQuery 3.5.0 Released! | Official jQuery Blog

Cross-site scripting vulnerability in jQuery v.2.2.0 through v.3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.

Fake Super Mario 3 Installers Drop Crypto Miner, Data Stealer

By Deeba Ahmed. Cyble Research and Intelligence Lab's cybersecurity researchers have disclosed how threat actors exploit gamers by delivering malware-loaded installers of popular games. This is a post from HackRead.com.

CVE-2022-40010: Tenda AC6 AC1200 15.03.06.50_multi Cross Site Scripting ≈ Packet Storm

Tenda AC6 AC1200 Smart Dual-Band WiFi Router 15.03.06.50_multi was discovered to contain a cross-site scripting (XSS) vulnerability via the deviceId parameter in the Parental Control module.

Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGL

TALOS-2023-1724 (CVE-2023-1531) occurs if the user opens a specially crafted web page in Chrome.

CVE-2023-33580: Student Study Center Management System | online Student Study Center Management Project in PHP

Phpgurukul Student Study Center Management System V1.0 is vulnerable to Cross Site Scripting (XSS) in the "Admin Name" field on the Admin Profile page.