Security
Headlines
HeadlinesLatestCVEs

Tag

#java

CVE-2022-29666: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #24 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/lists/zhuan.

CVE
Open in Source
#sql#vulnerability#web#windows#apple#js#java#php#chrome#webkit
If you get an email saying “Item stopped due to unpaid customs fee”, it’s a fake

A recent phishing scam neatly illustrates some of the tactics scammers use to avoid human intuition and automatic detection. The post If you get an email saying “Item stopped due to unpaid customs fee”, it’s a fake appeared first on Malwarebytes Labs.

Tails OS Users Advised Not to Use Tor Browser Until Critical Firefox Bugs are Patched

The maintainers of the Tails project have issued a warning that the Tor Browser that's bundled with the operating system is unsafe to use for accessing or entering sensitive information. "We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.)," the project said in an

GHSA-fm53-mpmp-7qw2: Possible cross-site scripting attack via unsanitized SVG files in FoF Upload

### Impact If FoF Upload is configured to allow the uploading of SVG files (`image/svg+xml`), navigating directly to an SVG file URI could execute arbitrary Javascript code decided by an attacker. This Javascript code could include the execution of HTTP web requests to Flarum, or any other web service. This could allow data to be leaked by an authenticated Flarum user, or, possibly, for data to be modified maliciously. ### Patches This has been patched with v1.2.3, which now sanitizes uploaded SVG files. ### Workarounds Upgrade to `1.2.3` (requires Flarum 1.2 or later), or remove the ability for users to upload SVG files through FoF Upload. ### References Thank you to Safwat Refaat for the responsible disclosure of this vulnerability.

GHSA-qfr3-323w-qv27: Possible information disclosure inside TreeGrid component with default data provider

### Description The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side.

GHSA-67fj-6w6m-w5j8: Reversible One-Way Hash in io.github.javaezlib:JavaEZ

### Impact This weakness allows the force decryption of locked text by hackers. The issue is NOT critical for non-secure applications, however may be critical in a situation where the highest levels of security are required. This issue ONLY affects v1.6 and does not affect anything pre-1.6. Upgrading to 1.7 is advised. ### Patches The vulnerability has been patched in release 1.7. ### Workarounds Currently there is no way to fix the issue without upgrading. ### References [CWE-327](https://cwe.mitre.org/data/definitions/327.html) [CWE-328](https://cwe.mitre.org/data/definitions/328.html) ### For more information If you have any questions or comments about this advisory: * Open an issue in [our issue tracker](http://github.com/JavaEZLib/JavaEZ/issues) * Email us at [[email protected]](mailto:[email protected])

RHSA-2022:2272: Red Hat Security Advisory: OpenShift Container Platform 4.8.41 bug fix and security update

Red Hat OpenShift Container Platform release 4.8.41 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1677: openshift/router: route hijacking attack via crafted HAProxy configuration file

CVE-2022-29253: XWIKI-19349: Bad handling of classloader templates path resolution · xwiki/xwiki-platform@4917c8f

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 12.10.3 and 14.0, one can ask for any file located in the classloader using the template API and a path with ".." in it. The issue is patched in versions 14.0 and 13.10.3. There is no easy workaround for this issue.

Forescout Launches Forescout Frontline to Help Organizations Tackle Ransomware and Real Time Threats

New threat hunting and risk identification service provides organizations with an enterprise-wide baseline of their threat landscape and risk exposure.

Red Hat Security Advisory 2022-4729-01

Red Hat Security Advisory 2022-4729-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.9.1 ESR.