2025-16 Java Security Weekly News - GitHub, Spring
2025 » Published on May 2, 2025
| | Github Security Advisories |
| [GHSA-f69v-xrj8-rhxf] org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API. org.xwiki.platform:xwiki-platform-rest-server - impacts versions: >= 1.8, < 15.10.16, fixed in: 15.10.16; >= 16.0.0-rc-1, < 16.4.6, fixed in: 16.4.6; >= 16.5.0-rc-1, < 16.10.1, fixed in: 16.10.1 |
| [GHSA-g9jj-75mx-wjcx] org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API. org.xwiki.platform:xwiki-platform-oldcore - impacts versions: >= 1.6-milestone-1, < 15.10.16, fixed in: 15.10.16; >= 16.0.0-rc-1, < 16.4.6, fixed in: 16.4.6; >= 16.5.0-rc-1, < 16.10.1, fixed in: 16.10.1 |
| [GHSA-hg25-w3vg-7279] XSS in the /download Endpoint of the JPA Web API. com.haulmont.addon.jpawebapi:jpawebapi-jpawebapi - impacts versions: < 1.1.1, fixed in: 1.1.1 |
| [GHSA-88h5-34xw-2q56] XSS in the /files Endpoint of the Generic REST API. com.haulmont.addon.restapi:restapi-rest-api - impacts versions: < 7.2.7, fixed in: 7.2.7 |
| [GHSA-w3mp-6vrj-875g] Cuba has a DoS in the File Storage. com.haulmont.cuba:cuba-core - impacts versions: < 7.2.23, fixed in: 7.2.23 |
| [GHSA-f3gv-cwwh-758m] io.jmix.localfs:jmix-localfs affected by DoS in the Local File Storage. io.jmix.localfs:jmix-localfs - impacts versions: >= 1.0.0, < 1.6.2, fixed in: 1.6.2; >= 2.0.0, < 2.4.0, fixed in: 2.4.0 |
| [GHSA-x27v-f838-jh93] io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API. io.jmix.rest:jmix-rest - impacts versions: >= 1.0.0, < 1.6.2, fixed in: 1.6.2; >= 2.0.0, < 2.4.0, fixed in: 2.4.0 |
| [GHSA-jx4g-3xqm-62vh] io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage. io.jmix.localfs:jmix-localfs - impacts versions: >= 1.0.0, < 1.6.2, fixed in: 1.6.2; >= 2.0.0, < 2.4.0, fixed in: 2.4.0 |
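Three of the advisories above (GHSA-hg25-w3vg-7279, GHSA-88h5-34xw-2q56, GHSA-x27v-f838-jh93) are XSS in a /files or /download endpoint. The advisories do not spell out the mechanism, but a file-serving endpoint has two classic ways to turn into reflected or stored XSS: it interpolates a client-supplied reference into an HTML error page, or it serves stored content "inline" with a type the uploader chose, so an uploaded .html or .svg runs script in the application's origin. The Spring MVC controller below is an added example, not code from Jmix, CUBA or the advisories, showing that shape next to a hardened one. `FileStore`, `StoredFile`, the `fileRef` parameter and both route names are assumptions made for the example.

```java
// Added example (Spring MVC, Java 17); not code from Jmix, CUBA or the advisories above.
// FileStore, StoredFile, the fileRef parameter and both route names are assumptions.
import java.nio.charset.StandardCharsets;
import java.util.Optional;

import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.util.HtmlUtils;

@RestController
public class FilesController {

    /** Hypothetical store: opaque id -> original name, upload-time content type, bytes. */
    public interface FileStore {
        Optional<StoredFile> find(String id);
    }
    public record StoredFile(String originalName, String contentType, byte[] data) {}

    private final FileStore store;

    public FilesController(FileStore store) {
        this.store = store;
    }

    // VULNERABLE shape. Two XSS routes into the application origin:
    //  1. the 404 body is text/html and interpolates the raw fileRef parameter;
    //  2. a hit is served "inline" with the content type the uploader declared, so a
    //     stored .html or .svg is rendered, and its script runs, on this origin.
    @GetMapping("/files-unsafe")
    public ResponseEntity<byte[]> unsafe(@RequestParam String fileRef) {
        return store.find(fileRef)
            .map(f -> ResponseEntity.ok()
                .contentType(MediaType.parseMediaType(f.contentType()))
                .header(HttpHeaders.CONTENT_DISPOSITION,
                        "inline; filename=\"" + f.originalName() + "\"")
                .body(f.data()))
            .orElseGet(() -> ResponseEntity.status(HttpStatus.NOT_FOUND)
                .contentType(MediaType.TEXT_HTML)
                .body(("<h1>File " + fileRef + " not found</h1>")
                        .getBytes(StandardCharsets.UTF_8)));
    }

    // HARDENED. The error is plain text (and escaped anyway, in case a template later
    // turns it back into HTML); the file is always a download, as an opaque octet
    // stream; the filename goes through Spring's RFC 5987 encoder instead of string
    // concatenation into a header; nosniff stops the browser guessing a richer type.
    @GetMapping("/files")
    public ResponseEntity<byte[]> safe(@RequestParam String fileRef) {
        Optional<StoredFile> found = store.find(fileRef);
        if (found.isEmpty()) {
            return ResponseEntity.status(HttpStatus.NOT_FOUND)
                .contentType(MediaType.TEXT_PLAIN)
                .body(("File " + HtmlUtils.htmlEscape(fileRef) + " not found")
                        .getBytes(StandardCharsets.UTF_8));
        }
        StoredFile f = found.get();
        ContentDisposition disposition = ContentDisposition.attachment()
            .filename(f.originalName(), StandardCharsets.UTF_8)
            .build();
        return ResponseEntity.ok()
            .contentType(MediaType.APPLICATION_OCTET_STREAM)
            .header(HttpHeaders.CONTENT_DISPOSITION, disposition.toString())
            .header("X-Content-Type-Options", "nosniff")
            .body(f.data());
    }
}
```

A quick check that applies to any file endpoint, not only the products named here: request a reference that does not exist and contains `<svg onload=alert(1)>`, and confirm the response is not `text/html`; then upload a small `.html` file and confirm it comes back with `Content-Disposition: attachment`, `Content-Type: application/octet-stream` and `X-Content-Type-Options: nosniff`.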
| | Spring Security Advisories |
| | Java CVEs |
| 4.3 | CVE-2025-32783 XWiki Platform is a generic wiki platform. A vulnerability in versions from 5.0 to 16.7.1 affects users with Message Stream enabled and a wiki configured as closed by selecting "Prevent unregistered users to view pages" in the Administration Rights. The vulnerability is that any message sent in a subwiki to "everyone" is actually sent to the farm: any visitor of the main wiki will be able to see that message through the Dashboard, even if the subwiki is configured to be private. This issue will not be patched as Message Stream has been deprecated in XWiki 16.8.0RC1 and is not maintained anymore. The workaround is to keep Message Stream disabled, which is its default; it can be disabled from Administration > Social > Message Stream. Published Wednesday, April 16, 2025 |
| 9.8 | CVE-2025-32969 XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki. Published Wednesday, April 23, 2025 |
| 8.8 | CVE-2025-32968 XWiki is a generic wiki platform. In versions starting from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1, it is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki. The protection added to this REST API is the same as the one used to validate complete select queries, making it more consistent. However, while the script API always had this protection for complete queries, it's important to note that it's a very strict protection and some valid, but complex, queries might suddenly require the author to have programming right. Published Wednesday, April 23, 2025 |
| N/A | CVE-2025-32985 NETSCOUT nGeniusONE before 6.4.0 b2350 has Hardcoded Credentials that can be obtained from JAR files. Published Friday, April 25, 2025 |
| 5.0 | CVE-2025-3984 A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Sunday, April 27, 2025 |
| 2.7 | CVE-2025-3985 A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the function ResponseEntity of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\ManageRegisteredServicesMultiActionController.java. The manipulation of the argument Query leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Sunday, April 27, 2025 |
| 4.3 | CVE-2025-3986 A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Sunday, April 27, 2025 |
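CVE-2025-3985 and CVE-2025-3986 are both "inefficient regular expression complexity" reachable from a request argument (Query and Name). The descriptions do not say how the argument reaches the regex engine; the usual way this class of bug arises in Java is that client text is compiled as, or spliced into, a `java.util.regex.Pattern` and then matched against server-side data, so the client chooses the automaton and the backtracking cost. The class below is an added example, not Apereo CAS code, contrasting that with two bounded alternatives. `SearchFilter`, its method names and the sample list in `main` are assumptions constructed for the example.

```java
// Added example (Java 17); not Apereo CAS code. SearchFilter and the sample
// names are constructed for illustration.
import java.util.List;
import java.util.regex.Pattern;

public final class SearchFilter {

    private SearchFilter() {}

    /**
     * VULNERABLE: the user's text becomes the pattern. A query such as "(a+)+$" run
     * against a value like "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!" backtracks
     * exponentially in the number of a's, on a request thread the caller controls.
     * Every extra request pins another thread; that is the DoS.
     */
    public static List<String> filterUnsafe(List<String> names, String query) {
        Pattern p = Pattern.compile(query);
        return names.stream().filter(n -> p.matcher(n).find()).toList();
    }

    private static final int MAX_QUERY_LENGTH = 64;

    /**
     * HARDENED, option 1: the query is matched literally. Pattern.quote wraps it in
     * \Q...\E so no metacharacter survives, and the length cap bounds even the
     * linear scan. The client can no longer choose the automaton.
     */
    public static List<String> filterSafe(List<String> names, String query) {
        if (query.length() > MAX_QUERY_LENGTH) {
            throw new IllegalArgumentException("query too long");
        }
        Pattern p = Pattern.compile(Pattern.quote(query), Pattern.CASE_INSENSITIVE);
        return names.stream().filter(n -> p.matcher(n).find()).toList();
    }

    /**
     * HARDENED, option 2: regex semantics are a feature, so the pattern is fixed on the
     * server and only the literal part comes from the client (here: a prefix search
     * over identifier-like names). The fixed part has no nested quantifiers.
     */
    public static List<String> filterPrefix(List<String> names, String prefix) {
        if (prefix.length() > MAX_QUERY_LENGTH) {
            throw new IllegalArgumentException("prefix too long");
        }
        Pattern p = Pattern.compile("^" + Pattern.quote(prefix) + "[\\w.-]*$");
        return names.stream().filter(n -> p.matcher(n).matches()).toList();
    }

    public static void main(String[] args) {
        // Constructed sample data; the last entry is the kind of value that makes
        // "(a+)+$" explode when it is compiled as a pattern.
        List<String> names = List.of(
            "cas-mgmt", "cas-server", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!");
        System.out.println(filterSafe(names, "cas-"));
        System.out.println(filterPrefix(names, "cas-s"));
        System.out.println(filterSafe(names, "(a+)+$"));   // literal match, returns empty list instantly
        // filterUnsafe(names, "(a+)+$") is deliberately not called: it would hang this thread.
    }
}
```

When grepping a code base for this bug class, the pattern to look for is `Pattern.compile(` or `String.matches(` whose argument is built from a request parameter; if the input genuinely must be a regex (an admin-only search screen, say), the remaining controls are a strict length cap and a worker pool with a hard timeout, since `java.util.regex` has no timeout of its own.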
| 3.5 | CVE-2025-4000 A vulnerability, which was classified as problematic, was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. Affected is an unknown function of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\ssoproxy\jsp\ssoproxy.jsp. The manipulation of the argument Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Published Monday, April 28, 2025 |
| 3.5 | CVE-2025-3999 A vulnerability, which was classified as problematic, has been found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. This issue affects some unknown processing of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\common\js\addDate\date.jsp of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Published Monday, April 28, 2025 |
| 5.3 | CVE-2025-4015 A vulnerability was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. It has been rated as critical. Affected by this issue is the function list of the file novel-system/src/main/java/com/java2nb/system/controller/SessionController.java. The manipulation leads to missing authentication. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Monday, April 28, 2025 |
| 5.4 | CVE-2025-4016 A vulnerability classified as critical has been found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This affects the function deleteIndex of the file novel-admin/src/main/java/com/java2nb/common/controller/LogController.java. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Monday, April 28, 2025 |
| 4.3 | CVE-2025-4017 A vulnerability classified as problematic was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This vulnerability affects the function list of the file novel-admin/src/main/java/com/java2nb/common/controller/LogController.java. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Monday, April 28, 2025 |
| 5.3 | CVE-2025-4018 A vulnerability, which was classified as critical, has been found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This issue affects the function addCrawlSource of the file novel-crawl/src/main/java/com/java2nb/novel/controller/CrawlController.java. The manipulation leads to missing authentication. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Monday, April 28, 2025 |
| 7.3 | CVE-2025-4019 A vulnerability, which was classified as critical, was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. Affected is the function genCode of the file novel-admin/src/main/java/com/java2nb/common/controller/GeneratorController.java. The manipulation leads to missing authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Monday, April 28, 2025 |
| N/A | CVE-2023-42404 OneVision Workspace before WS23.1 SR1 (build w31.040) allows arbitrary Java EL execution. Published Monday, April 28, 2025 |
| 6.3 | CVE-2025-4036 A vulnerability was found in 201206030 Novel 3.5.0 and classified as critical. This issue affects the function updateBookChapter of the file src/main/java/io/github/xxyopen/novel/controller/author/AuthorController.java of the component Chapter Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Monday, April 28, 2025 |
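Six of the entries above (CVE-2025-4015 through CVE-2025-4019 and CVE-2025-4036) are the same two failures: a controller that was never put behind authentication (session listing, crawl-source creation, code generation) and a controller that authenticates the caller but does not check that the object being changed belongs to them (`updateBookChapter`). The Spring Security configuration and controller below are an added example, not code from Novel-Plus or Novel, showing the two layers that close those gaps: a deny-by-default route policy, and an ownership check against the server-side principal. `ChapterRepository`, `Chapter`, `AuthorPrincipal` and every route name are assumptions made for the example; the application is assumed to run Spring Boot 3 with Spring Security 6.

```java
// Added example; not Novel-Plus or Novel code. Assumes Spring Boot 3 / Spring Security 6.
// ChapterRepository, Chapter, AuthorPrincipal and the routes are made up for the example.
import java.util.Optional;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

/**
 * Layer 1: route-level, deny by default. Admin tooling (log and session listing, crawl
 * sources, code generation) is unreachable without an ADMIN session, and a controller
 * nobody remembered to protect still falls into anyRequest().authenticated() instead of
 * being world-readable.
 */
@Configuration
@EnableMethodSecurity
class WebSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/book/**", "/css/**", "/js/**").permitAll()
                .requestMatchers("/system/**", "/common/**", "/crawl/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll());
        return http.build();
    }
}

/** Layer 2: object-level. Being an author is not enough; the chapter has to be yours. */
@RestController
@RequestMapping("/author")
class AuthorChapterController {

    interface ChapterRepository {
        Optional<Chapter> findById(long id);
        void save(Chapter chapter);
    }
    record Chapter(long id, long authorId, String title, String content) {}
    /** Whatever the login flow stores as the principal; only the author id is used here. */
    interface AuthorPrincipal { long authorId(); }

    private final ChapterRepository chapters;

    AuthorChapterController(ChapterRepository chapters) {
        this.chapters = chapters;
    }

    // VULNERABLE shape, for contrast: chapterId comes from the request and is saved as-is,
    // so any logged-in author can rewrite any chapter:
    //     chapters.save(new Chapter(chapterId, requestAuthorId, title, content));

    @PostMapping("/updateBookChapter")
    @PreAuthorize("hasRole('AUTHOR')")
    ResponseEntity<Void> updateBookChapter(@RequestParam long chapterId,
                                           @RequestParam String title,
                                           @RequestParam String content,
                                           @AuthenticationPrincipal AuthorPrincipal me) {
        Chapter existing = chapters.findById(chapterId)
            .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
        // Ownership is decided from the server-side principal, never from a request field.
        // Answer 404 rather than 403 so the endpoint does not confirm which ids exist.
        if (existing.authorId() != me.authorId()) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        chapters.save(new Chapter(existing.id(), existing.authorId(), title, content));
        return ResponseEntity.noContent().build();
    }
}
```

The route policy catches the "missing authentication" entries; the ownership check catches the "improper authorization" / "improper access controls" ones, and it has to live in the handler (or repository query) because no URL pattern can express "only chapters whose authorId equals the caller's".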
| N/A | CVE-2025-31650 Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue. Published Monday, April 28, 2025 |
| N/A | CVE-2025-31651 Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue. Published Monday, April 28, 2025 |
| 6.3 | CVE-2025-4175 A vulnerability, which was classified as critical, was found in AlanBinu007 Spring-Boot-Advanced-Projects up to 3.1.3. This affects the function uploadUserProfileImage of the file /Spring-Boot-Advanced-Projects-main/Project-4.SpringBoot-AWS-S3/backend/src/main/java/com/urunov/profile/UserProfileController.jav of the component Upload Profile API Endpoint. The manipulation of the argument File leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Thursday, May 1, 2025 |
| 5.4 | CVE-2025-4178 A vulnerability was found in xiaowei1118 java_server up to 11a5bac8f4ba1c17e4bc1b27cad6d24868500e3a on Windows and classified as critical. This issue affects some unknown processing of the file /src/main/java/com/changyu/foryou/controller/FoodController.java of the component File Upload API. The manipulation leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. Published Thursday, May 1, 2025 |
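CVE-2025-4175, CVE-2025-4178 and GHSA-jx4g-3xqm-62vh are all path traversal in file storage, and the second is notable for being Windows-specific: a filter that only strips `/` lets `..\` through, and `Path.resolve` on Windows honours the backslash. The class below is an added example, not code from either project or from Jmix, showing the one-line vulnerable pattern and a hardened store that never lets the client name become a path at all. `UploadPaths`, `UPLOAD_ROOT` and the filenames in `main` are constructed for the example; it is plain Java 17 with no framework dependency.

```java
// Added example (Java 17); not code from the projects above. UploadPaths and the
// sample filenames in main() are constructed for illustration.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.UUID;

public final class UploadPaths {

    private UploadPaths() {}

    // VULNERABLE: the multipart "filename" is used as a path. "../../etc/cron.d/x"
    // escapes on any OS; "..\\..\\webapps\\ROOT\\shell.jsp" is a harmless literal on
    // Linux but walks up the tree on Windows, which is exactly how an OS-specific
    // traversal bug survives a Linux-only test suite.
    public static Path unsafeTarget(Path uploadRoot, String originalFilename) {
        return uploadRoot.resolve(originalFilename);
    }

    /**
     * HARDENED. Three independent controls:
     *  1. the stored name is server-generated (UUID), so the client name is never a path;
     *  2. the client name is reduced to its last segment on both separators and to a
     *     safe alphabet before it is used as a display name or extension hint;
     *  3. the resolved path is normalized and checked to still lie under the root.
     */
    public static Path safeTarget(Path uploadRoot, String originalFilename) {
        String display = sanitizeDisplayName(originalFilename);
        String ext = extensionOf(display);
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(UUID.randomUUID() + ext).normalize();
        if (!target.startsWith(root)) {                 // cannot trigger with a UUID name,
            throw new SecurityException("path escape"); // but the check is cheap: keep it
        }
        return target;
    }

    /** Last segment on '/' and '\\', then an allow-list; empty or dot-only names are rejected. */
    public static String sanitizeDisplayName(String name) {
        int cut = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String base = name.substring(cut + 1).replaceAll("[^A-Za-z0-9._-]", "_");
        if (base.isEmpty() || base.chars().allMatch(c -> c == '.')) {
            throw new IllegalArgumentException("invalid filename");
        }
        // keep the tail so a legitimate extension survives the cap
        return base.length() > 128 ? base.substring(base.length() - 128) : base;
    }

    /** Extension from a fixed allow-list, lower-cased; anything else is stored as .bin. */
    public static String extensionOf(String display) {
        int dot = display.lastIndexOf('.');
        String ext = dot < 0 ? "" : display.substring(dot + 1).toLowerCase();
        return switch (ext) {
            case "png", "jpg", "jpeg", "gif", "webp" -> "." + ext;
            default -> ".bin";
        };
    }

    /** Write via a temp file in the same directory and atomically rename into place. */
    public static Path store(Path uploadRoot, String originalFilename, byte[] data)
            throws IOException {
        Path target = safeTarget(uploadRoot, originalFilename);
        Files.createDirectories(target.getParent());
        Path tmp = Files.createTempFile(target.getParent(), "upload-", ".part");
        Files.write(tmp, data);
        return Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE);
    }

    public static void main(String[] args) {
        Path root = Path.of("/var/app/uploads");   // hypothetical UPLOAD_ROOT
        String[] samples = {                       // constructed inputs
            "avatar.png",
            "../../etc/cron.d/x",
            "..\\..\\webapps\\ROOT\\shell.jsp",
            "...."
        };
        for (String n : samples) {
            System.out.println(n + " -> unsafe: " + unsafeTarget(root, n).normalize());
            try {
                System.out.println(n + " -> safe:   " + safeTarget(root, n));
            } catch (RuntimeException e) {
                System.out.println(n + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The `startsWith` check alone is the control most projects add after a report like these; it is necessary but it is the weakest of the three, because it depends on `normalize()` agreeing with the filesystem about separators, case and symlinks. Generating the stored name on the server removes the question entirely, and the original name then only matters as a display string.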
