#java

The friendly image sent by your colleague on a teleconference may be hiding a malicious secret

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3807: nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes * CVE-2021-33623: nodejs-trim-newlines: ReDoS in .end() method * CVE-2021-35515: apache-commons-compress: infinite loop when reading a specially crafted 7Z archive * CVE-2021-35516: apache-commons-compress: excessive memory alloc...

Cross Site Scripting (XSS) vulnerability in uBlock Origin extension before 1.41.1 allows remote attackers to run arbitrary code via a spoofed 'MessageSender.url' to the browser renderer process.

IBM i 7.2, 7.3, 7.4, and 7.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 230516.

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.  Cisco Talos recently discovered two use-after-free vulnerabilities in Adobe Acrobat Reader DC that could allow an attacker to eventually gain the ability to execute arbitrary code.   Acrobat is... [[ This is only the beginning! Please visit the blog for the complete entry ]]

Rhonabwy before v1.1.5 was discovered to contain a buffer overflow via the component r_jwe_aesgcm_key_unwrap. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted JWE token.

The Transition Scheduler add-on 6.5.0 for Atlassian Jira is prone to stored XSS via the project name to the creation function.

An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1729: kernel: race condition in perf_event_open leads to privilege escalation

An issue was discovered in Oxygen XML WebHelp before 22.1 build 2021082006 and 23.x before 23.1 build 2021090310. An XSS vulnerability in search terms proposals (in online documentation generated using Oxygen XML WebHelp) allows attackers to execute JavaScript by convincing a user to type specific text in the WebHelp output search field.

Python's most popular package manager is intent on securing the supply chain by requiring developers to enable two-factor authentication.