#java

Facebook is reportedly switching out click identifiers for encryption, making it harder (if not impossible) to strip tracking from the URL. The post Facebook gets round tracking privacy measure by encrypting links appeared first on Malwarebytes Labs.

The debug interface of Goldshell ASIC Miners v2.2.1 and below was discovered to be exposed publicly on the web interface, allowing attackers to access passwords and other sensitive information in plaintext.

DotNetNuke (DNN) 9.9.1 CMS is vulnerable to a Stored Cross-Site Scripting vulnerability in the user profile biography section which allows remote authenticated users to inject arbitrary code via a crafted payload.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations. "Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of

JavaMelody is a monitoring tool for JavaEE applications. Versions prior to 1.61.0 are vulnerable to a cross-site scripting (XSS) attack. This issue was patched in version 1.61.0, and users are recommended to upgrade to the latest version. There are no known workarounds.

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure). The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Trade Finance accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data. CVSS 3.1 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-29368: kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check * CVE-2021-4197: kernel: cgroup: Use open-time creds and namespace for migration perm checks * CVE-2021-4203: kernel: Race condition in races in sk_peer_pid and sk_peer_cred accesses * CVE-202...

An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability * CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers * CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests * CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite * CVE-2021-37712: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite * CVE-2021-44531: nodejs: Improper...

An update is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32250: kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root