Security
Headlines
HeadlinesLatestCVEs

Tag

#java

CVE-2022-39824: GitHub - FCncdn/Appsmith-Js-Injection-POC: Appsmith-Js-Injection-POC

Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak.

CVE
Open in Source
#vulnerability#dos#js#git#java#perl
TikTok Users Were Vulnerable to a Single-Click Attack

Microsoft disclosed the flaw in the Android app’s deep link verification process, which has since been fixed.

CVE-2022-36593: kkFileView arbitrary file deletion vulnerability · Issue #370 · kekingcn/kkFileView

kkFileView v4.0.0 was discovered to contain an arbitrary file deletion vulnerability via the fileName parameter at /controller/FileController.java.

CVE-2022-36594: selectByIds function sql injection · Issue #862 · abel533/Mapper

Mapper v4.0.0 to v4.2.0 was discovered to contain a SQL injection vulnerability via the ids parameter at the selectByIds function.

GHSA-gp7f-rwcx-9369: jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled

jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow cross-site scripting (XSS) attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. ### Impact Sites that accept input HTML from users and use jsoup to sanitize that HTML, may be vulnerable to cross-site scripting (XSS) attacks, if they have enabled `SafeList.preserveRelativeLinks` and do not set an appropriate Content Security Policy. ### Patches This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. ### Workarounds To remediate this issue without immediately u...

Threat Actor Phishing PyPI Users Identified

"JuiceLedger" has escalated a campaign to distribute its information stealer by now going after developers who published code on the widely used Python code repository.

CVE-2020-4301: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 176609.

CVE-2022-36373: MP3-jPlayer

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Simon Ward MP3 jPlayer plugin <= 2.7.3 at WordPress.

CVE-2022-36796: CallRail Phone Call Tracking

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in CallRail, Inc. CallRail Phone Call Tracking plugin <= 0.4.9 at WordPress.