53 matches found

RedhatCVE · added 2025/05/22 3:16 p.m. · 6 views

CVE-2020-18684

Floodlight through 1.2 has an integer overflow in checkFlow in StaticFlowEntryPusherResource.java via priority or port number...

CVSS 9.8 · AI score 7.3 · EPSS 0.01251
Exploits 1
Cvelist · added 2025/05/05 2:31 a.m. · 20 views

CVE-2025-4260 zhangyanbo2007 youkefu TemplateController.java impsave deserialization

A vulnerability was found in zhangyanbo2007 youkefu up to 4.2.0 and classified as problematic. Affected by this issue is the function impsave of the file m\web\handler\admin\system\TemplateController.java. The manipulation of the argument dataFile leads to deserialization. The attack may be...

CVSS 5.3 · EPSS 0.0054
Exploits 1 · References 4
OSV · added 2025/01/13 2:15 a.m. · 2 views

CVE-2025-0408

A vulnerability was found in liujianview gymxmjpa 1.0. It has been rated as critical. Affected by this issue is the function LoosDaoImpl of the file src/main/java/com/liujian/gymxmjpa/controller/LoosController.java. The manipulation of the argument loosName leads to SQL injection. The attack may ...

CVSS 8.8 · AI score 5.8 · EPSS 0.00625
Exploits 1 · References 5
CNNVD · added 2024/11/08 12:00 a.m. · 5 views

Intelligent Freenow security vulnerability

Intelligent Freenow is cab booking software from Intelligent. A security vulnerability exists in Intelligent Freenow version 12.10.0, which stems from the parameter DEFAULTKEYSTOREPASSWORD in the file ch/qos/logback/core/net/ssl/SSL.java and can lead to the use of hard-coded passwords...

CVSS 7.4 · AI score 4.8 · EPSS 0.0063
Exploits 1 · References 4
Github Security Blog · added 2024/02/07 6:23 p.m. · 44 views

Graylog vulnerable to instantiation of arbitrary classes triggered by API request

Summary: Arbitrary classes can be loaded and instantiated using an HTTP PUT request to the /api/system/clusterconfig/ endpoint. Details: Graylog's cluster config system uses fully qualified class names as config keys. To validate the existence of the requested class before using it, Graylog loads...

CVSS 8.8 · AI score 7.6 · EPSS 0.34498
Exploits 1 · References 6 · Affected Software 1
IBM Security Bulletins · added 2024/01/29 7:17 p.m. · 27 views

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Manager Enterprise Edition CVE-2015-7575

Summary: There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 1.7, which is used by Content Manager Enterprise Edition. These issues were disclosed as part of the IBM Java SDK updates in January 2016 and include the vulnerability commonly referred to as “SLOTH”...

CVSS 5.9 · AI score 6.2 · EPSS 0.0288
Exploits 0 · Affected Software 1
Positive Technologies · added 2023/05/15 12:00 a.m. · 3 views

PT-2023-17721 · Google · Android

Name of the Vulnerable Software and Affected Versions: Android versions Android-11 through Android-13. Description: The issue is related to a possible way to get the device into a boot loop due to resource exhaustion in the pushDynamicShortcut function of ShortcutPackage.java. This could lead to...

CVSS 5.5 · AI score 6.5 · EPSS 0.00085
Exploits 0 · References 4
Vulnrichment · added 2023/02/15 12:00 a.m. · 2 views

CVE-2022-38935

An issue was discovered in NiterForum version 2.5.0-beta in /src/main/java/cn/niter/forum/api/SsoApi.java and /src/main/java/cn/niter/forum/controller/AdminController.java, which allows attackers to gain escalated privileges...

AI score 8.8 · EPSS 0.0072
Exploits 1 · References 1
CNNVD · added 2023/01/15 12:00 a.m. · 4 views

KYUUBl school-register SQL injection vulnerability

school-register is a school e-registration system by the individual developer KYUUBl. KYUUBl school-register suffers from a SQL injection vulnerability that originates in an unknown section of the file src/DBManager.java and allows SQL injection...

CVSS 9.8 · AI score 6.6 · EPSS 0.00643
Exploits 0 · References 4
OSV · added 2022/12/30 12:30 p.m. · 11 views

GHSA-J69F-FGH5-F7MC iText RUPS XML External Entity vulnerability

A vulnerability classified as problematic was found in iText RUPS. This vulnerability affects unknown code of the file src/main/java/com/itextpdf/rups/model/XfaFile.java. The manipulation leads to XML external entity reference. The name of the patch is ac5590925874ef810018a6b60fec216eee54fb32. It...

CVSS 9.8 · AI score 9.5 · EPSS 0.00752
Exploits 0 · References 5
Veracode · added 2022/05/04 4:57 a.m. · 27 views

Arbitrary File Access

org.xwiki.commons:xwiki-commons-velocity is vulnerable to arbitrary file access. A privileged attacker who has access to a file-returning API is able to perform read or write operations on the filesystem because it is not properly sandboxed against use of the Java File API...

CVSS 7.5 · AI score 3.6 · EPSS 0.01445
Exploits 1 · References 7 · Affected Software 1
Prion · added 2022/05/02 10:15 p.m. · 22 views

Code injection

APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem...

CVSS 6 · AI score 7.4 · EPSS 0.01445
Exploits 1 · References 4 · Affected Software 1
CVE · added 2022/05/02 9:49 p.m. · 645 views

CVE-2022-24897

CVE-2022-24897 affects XWiki Commons/Velocity integration. The Velocity scripting feature allowed scripts to access the Java File API, enabling read/write operations on the filesystem when scripts ran with Script rights. Vulnerable versions include 2.3 prior to 12.6.7, 12.10.3, and 13.0. The root...

CVSS 7.5 · AI score 7.4 · EPSS 0.01445
Exploits 1 · References 4 · Affected Software 1
Cvelist · added 2022/05/02 9:49 p.m. · 43 views

CVE-2022-24897 Arbitrary filesystem write access from Velocity

APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem...

CVSS 7.5 · AI score 7.6 · EPSS 0.01445
Exploits 1 · References 4
Github Security Blog · added 2022/04/28 9:16 p.m. · 44 views

Arbitrary filesystem write access from velocity.

Impact: The velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in velocity requires the Script rights in XWiki, so not all users can use it, and it also requires finding an XWiki API which...

CVSS 7.5 · AI score 0.5 · EPSS 0.01445
Exploits 1 · References 6 · Affected Software 1
OSV · added 2022/04/28 9:16 p.m. · 1 views

GHSA-CVX5-M8VG-VXGC Arbitrary filesystem write access from velocity.

Impact: The velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in velocity requires the Script rights in XWiki, so not all users can use it, and it also requires finding an XWiki API which...

CVSS 7.5 · AI score 5.8 · EPSS 0.01445
Exploits 1 · References 6
Positive Technologies · added 2022/04/28 12:00 a.m. · 5 views

PT-2022-16966 · Xwiki · Xwiki

Name of the Vulnerable Software and Affected Versions: XWiki versions 2.3 through 12.6.6; XWiki versions 12.7.0 through 12.10.2; XWiki versions 13.0.0 through 13.0.0 before 13.0RC1. Description: The velocity scripts are not properly sandboxed against using the Java File API to perform read or write...

CVSS 7.5 · AI score 7.3 · EPSS 0.01445
Exploits 1 · References 12
Huntr · added 2021/10/07 8:43 p.m. · 7 views

in atmosphere/atmosphere

Description: atmosphere is vulnerable to Server Side Request Forgery (SSRF) via XML External Entity (XXE) injection. An attacker that is able to provide a crafted XML file as input to the WebDotXmlReader constructor in the "WebDotXmlReader.java" file may be able to execute XML External Entities XX...

AI score 0.7
Exploits 0
Positive Technologies · added 2020/05/30 12:00 a.m. · 5 views

PT-2022-8867 · Radare2 +1 · Radare2 +1

Name of the Vulnerable Software and Affected Versions: radare2, affected versions not specified. Description: A flaw was found in radare2 due to a mismatched array length in core java.c, which could allow an attacker to cause a crash and perform a denial of service attack. Recommendations: At the...

CVSS 9.1 · AI score 7.2 · EPSS 0.01165
Exploits 3 · References 15
OSV · added 2019/03/07 5:29 a.m. · 13 views

CVE-2019-9624

Webmin 1.900 allows remote attackers to execute arbitrary code by leveraging the "Java file manager" and "Upload and Download" privileges to upload a crafted .cgi file via the /updown/upload.cgi URI...

CVSS 7.8 · AI score 8
Exploits 0 · References 3