665 matches found

Tenable Nessus
added 2021/06/28 12:00 a.m. · 27 views

EulerOS 2.0 SP8 : velocity (EulerOS-SA-2021-1990)

According to the version of the velocity package installed, the EulerOS installation on the remote host is affected by the following vulnerability: - An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as...

CVSS 9 · AI score 7.4 · EPSS 0.16764
Exploits 0 · References 2
Tenable Nessus
added 2021/04/30 12:00 a.m. · 49 views

EulerOS 2.0 SP3 : velocity (EulerOS-SA-2021-1858)

According to the version of the velocity package installed, the EulerOS installation on the remote host is affected by the following vulnerability: - An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as...

CVSS 9 · AI score 7.4 · EPSS 0.16764
Exploits 0 · References 2
Mageia
added 2021/04/12 7:59 p.m. · 352 views

Updated velocity packages fix security vulnerability

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache...

CVSS 9 · AI score 6.8 · EPSS 0.16764
Exploits 0 · References 2
Mageia
added 2021/03/21 10:43 a.m. · 26 views

Updated htmlunit packages fix security vulnerability

It was discovered that HtmlUnit incorrectly initialized the Rhino engine. An attacker could possibly use this issue to execute arbitrary Java code (CVE-2020-5529)...

CVSS 8.1 · AI score 2.9 · EPSS 0.0164
Exploits 0 · References 2
Github Security Blog
added 2021/03/11 3:09 a.m. · 65 views

Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory

Impact: On Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This...

CVSS 7 · AI score 6.5 · EPSS 0.00044
Exploits 1 · References 4 · Affected Software 1
Debian CVE
added 2021/03/10 8:00 a.m. · 34 views

CVE-2020-13936

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache...

CVSS 9 · AI score 8.6 · EPSS 0.16764
Exploits 0
CNNVD
added 2021/03/10 12:00 a.m. · 3 views

Iteris Apache Velocity security vulnerability

Iteris Apache Velocity is a software application from the US company Iteris. It is used to create and maintain the open source software functionality associated with the Apache Velocity Engine. A security vulnerability exists in Apache Velocity Engine versions up to 2.2, which can be exploited...

CVSS 9 · AI score 7.5 · EPSS 0.16764
Exploits 0 · References 55
Veracode
added 2021/03/04 4:14 a.m. · 47 views

Remote Code Execution

velocity-engine-core is vulnerable to remote code execution. The Uberspector fails to prevent access to java.lang.ClassLoader methods and allows an attacker that is able to modify Template contents to execute arbitrary Java code or run arbitrary system commands with the same privileges as the...

CVSS 8.8 · AI score 8.1 · EPSS 0.16764
Exploits 0 · References 43 · Affected Software 31
Metasploit
added 2021/02/23 5:41 p.m. · 59 views

Apache Flink JAR Upload Java Code Execution

This module uses the job functionality in the Apache Flink dashboard web interface to upload and execute a JAR file, leading to remote execution of arbitrary Java code as the web server user. This module has been tested successfully on Apache Flink versions: 1.9.3 on Ubuntu 18.04.4; 1.11.2 on Ubuntu...

AI score 7.8
Exploits 0
0day.today
added 2021/02/23 12:00 a.m. · 26 views

Apache Flink JAR Upload Java Code Execution Exploit

This Metasploit module uses the job functionality in the Apache Flink dashboard web interface to upload and execute a JAR file, leading to remote execution of arbitrary Java code as the web server user. This module has been tested successfully on Apache Flink versions: 1.9.3 on Ubuntu 18.04.4; 1.11.2...

AI score 8.1
Exploits 0
NVD
added 2021/02/19 11:15 p.m. · 14 views

CVE-2020-12873

An issue was discovered in Alfresco Enterprise Content Management (ECM) before 6.2.1. A user with privileges to edit a FreeMarker template (e.g., a webscript) may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Alfresco...

CVSS 9 · EPSS 0.01446
Exploits 1 · References 2
Prion
added 2021/02/19 11:15 p.m. · 14 views

Design/Logic Flaw

An issue was discovered in Alfresco Enterprise Content Management (ECM) before 6.2.1. A user with privileges to edit a FreeMarker template (e.g., a webscript) may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Alfresco...

CVSS 9 · AI score 8.9 · EPSS 0.01446
Exploits 1 · References 2 · Affected Software 1
Positive Technologies
added 2021/02/19 12:00 a.m. · 4 views

PT-2021-9474 · Alfresco · Alfresco Enterprise Content Management

Name of the Vulnerable Software and Affected Versions: Alfresco Enterprise Content Management (ECM) versions prior to 6.2.1. Description: An issue was discovered that allows a user with privileges to edit a FreeMarker template to execute arbitrary Java code or run arbitrary system commands with the...

CVSS 9 · AI score 9 · EPSS 0.01446
Exploits 1 · References 6
Prion
added 2021/02/09 9:15 p.m. · 9 views

Information disclosure

In SCIMono before 0.0.19, it is possible for an attacker to inject and execute a Java expression, compromising the availability and integrity of the system...

CVSS 6.4 · AI score 9.2 · EPSS 0.78218
Exploits 0 · References 1 · Affected Software 1
GithubExploit
added 2021/01/10 1:12 a.m. · 192 views

Exploit for Path Traversal in Apache Flink

CVE-2020-17518 Apache Flink RESTful API Arbitrary File Upload...

CVSS 9.1 · AI score 7.9 · EPSS 0.94331
Exploits 14
Tenable Nessus
added 2020/11/20 12:00 a.m. · 74 views

Apache Struts 2.x < 2.3.1.1 Multiple Vulnerabilities

The version of Apache Struts running on the remote host is prior to 2.3.1.1. It is, therefore, affected by multiple vulnerabilities: - The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary command...

CVSS 6.8 · AI score 8.9 · EPSS 0.90286
Exploits 2 · References 3
IBM Security Bulletins
added 2020/10/27 3:56 p.m. · 38 views

Security Bulletin: Vulnerability in Apache Commons affects Rational Developer for System z (CVE-2015-7450)

Summary: An Apache Commons Collections vulnerability in the handling of Java object deserialization was addressed by Rational Developer for System z. Vulnerability Details...

CVSS 10 · AI score 3.5 · EPSS 0.93274
Exploits 10 · Affected Software 1
OSV
added 2020/10/15 8:30 p.m. · 0 views

USN-4584-1 htmlunit vulnerability

It was discovered that HtmlUnit incorrectly initialized the Rhino engine. An attacker could possibly use this issue to execute arbitrary Java code...

CVSS 8.1 · AI score 7.1 · EPSS 0.0164
Exploits 0 · References 2
Ubuntu
added 2020/10/15 8:30 p.m. · 73 views

USN-4584-1: HtmlUnit vulnerability

It was discovered that HtmlUnit incorrectly initialized the Rhino engine. An attacker could possibly use this issue to execute arbitrary Java code...

CVSS 8.1 · AI score 7.3 · EPSS 0.0164
Exploits 0
Information Security Automation
added 2020/07/18 6:31 p.m. · 314 views

Barapass, Tsunami scanner, vulnerabilities in Windows DNS Server and SAP products, weird attack on Twitter

This episode is based on posts from my Telegram channel avleonovcom, published in the last 2 weeks. So, if you use Telegram, please subscribe; I update it frequently. Barapass update: I recently released an update to my password manager barapass. BTW, it seems to be my only pet project at the MVP...

CVSS 10 · AI score 8.5 · EPSS 0.94395
Exploits 28