2025-11 Java Security Weekly News - Jenkins, GitHub, Spring
Published on March 28, 2025
| Score | Advisory |
| --- | --- |
| | Jenkins Security Advisories |
| | GitHub Security Advisories |
| | [GHSA-gfp2-6qhm-7x43] The WikiManager REST API allows any user to create wikis. org.xwiki.platform:xwiki-platform-wiki-rest-default: affects >= 5.4-rc-1, < 15.10.15 (fixed in 15.10.15); >= 16.0.0-rc-1, < 16.4.6 (fixed in 16.4.6); >= 16.5.0-rc-1, < 16.10.0 (fixed in 16.10.0) |
| | [GHSA-22q5-9phm-744v] XWiki allows unregistered users to access private pages information through REST endpoint. org.xwiki.platform:xwiki-platform-rest-server: affects >= 1.9M1, < 15.10.14 (fixed in 15.10.14); >= 16.0.0-rc-1, < 16.4.6 (fixed in 16.4.6); >= 16.5.0-rc-1, < 16.10.0-rc-1 (fixed in 16.10.0-rc-1) |
| | [GHSA-gq32-758c-3wm3] XWiki uses the wrong wiki reference in AuthorizationManager. org.xwiki.platform:xwiki-platform-security-authorization-api: affects >= 6.1-rc-1, < 15.10.14 (fixed in 15.10.14); >= 16.0.0-rc-1, < 16.4.6 (fixed in 16.4.6); >= 16.5.0-rc-1, < 16.10.0-rc-1 (fixed in 16.10.0-rc-1) |
| | Spring Security Advisories |
| | Java CVEs |
| N/A | CVE-2025-27553 Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue. Published Sunday, March 23, 2025 |
| N/A | CVE-2025-30474 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue. Published Sunday, March 23, 2025 |
| N/A | CVE-2025-30600 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thiagogsrwp WP Hotjar allows Stored XSS. This issue affects WP Hotjar: from n/a through 0.0.3. Published Monday, March 24, 2025 |
| 4.3 | CVE-2025-2709 A vulnerability has been found in Yonyou UFIDA ERP-NC 5.0 and classified as problematic. This vulnerability affects unknown code of the file /login.jsp. The manipulation of the argument key/redirect leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Monday, March 24, 2025 |
| 4.3 | CVE-2025-2711 A vulnerability was found in Yonyou UFIDA ERP-NC 5.0. It has been classified as problematic. Affected is an unknown function of the file /help/systop.jsp. The manipulation of the argument langcode leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Monday, March 24, 2025 |
| 4.3 | CVE-2025-2712 A vulnerability was found in Yonyou UFIDA ERP-NC 5.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /help/top.jsp. The manipulation of the argument langcode leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Monday, March 24, 2025 |
| N/A | CVE-2024-44903 SQL Injection can occur in the SirsiDynix Horizon Information Portal (IPAC20) through 3.25_9382; however, a patch is available from the vendor. This is in ipac.jsp in a SELECT WHERE statement, in a part of the uri= variable in the second part of the full= inner variable. Published Tuesday, March 25, 2025 |
| 4.3 | CVE-2025-2835 A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been declared as problematic. Affected by this vulnerability is the function autoLink of the file com/zyd/blog/controller/RestApiController.java. The manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Published Thursday, March 27, 2025 |
| N/A | CVE-2025-31079 Cross-Site Request Forgery (CSRF) vulnerability in usermaven Usermaven allows Cross Site Request Forgery. This issue affects Usermaven: from n/a through 1.2.1. Published Friday, March 28, 2025 |
