Security
Headlines
HeadlinesLatestCVEs

Tag

#java

GHSA-rr2m-gffv-mgrj: Deserialization of Untrusted Data in Apache Hadoop YARN

ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.

ghsa
Open in Source
#apache#nodejs#java#maven
CVE-2022-37318: Archer Update for Multiple Vulnerabilities

Archer Platform 6.9 SP2 P2 before 6.11 P3 (6.11.0.3) contain a reflected XSS vulnerability. A remote unauthenticated malicious Archer user could potentially exploit this vulnerability by tricking a victim application user into supplying malicious JavaScript code to the vulnerable web application. This code is then reflected to the victim and gets executed by the web browser in the context of the vulnerable web application. 6.10 P4 (6.10.0.4) and 6.11 P2 HF4 (6.11.0.2.4) are also fixed releases.

CVE-2022-37161: claroline-CVEs/svg_xss.md at main · matthieu-hackwitharts/claroline-CVEs

Claroline 13.5.7 and prior is vulnerable to Cross Site Scripting (XSS) via SVG file upload.

CVE-2022-37160: claroline-CVEs/csrf.md at main · matthieu-hackwitharts/claroline-CVEs

Claroline 13.5.7 and prior allows an authenticated attacker to elevate privileges via the arbitrary creation of a privileged user. By combining the XSS vulnerability present in several upload forms and a javascript request to the present API, it is possible to trigger the creation of a user with administrative rights by opening an SVG file as an administrator user.

CVE-2022-37162: claroline-CVEs/calendar_xss.md at main · matthieu-hackwitharts/claroline-CVEs

Claroline 13.5.7 and prior is vulnerable to Cross Site Scripting (XSS). An attacker can obtain javascript code execution by adding arbitrary javascript code in the 'Location' field of a calendar event.

CVE-2022-37078: vuln/TOTOLINK/A7000R/6 at main · Darry-lang1/vuln

TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the lang parameter at /setting/setLanguageCfg.

CVE-2022-37079: vuln/TOTOLINK/A7000R/5 at main · Darry-lang1/vuln

TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the hostName parameter in the function setOpModeCfg.

CVE-2022-37080: vuln/TOTOLINK/A7000R/8 at main · Darry-lang1/vuln

TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the command parameter at setting/setTracerouteCfg.

CVE-2022-37081: vuln/TOTOLINK/A7000R/2 at main · Darry-lang1/vuln

TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the command parameter at setting/setTracerouteCfg.

CVE-2022-37082: vuln/TOTOLINK/A7000R/3 at main · Darry-lang1/vuln

TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the host_time parameter at the function NTPSyncWithHost.