2025-28 Java Security Weekly News - Oracle, Red Hat, GitHub, Spring
Published on July 25, 2025
| | Oracle Security Alerts |
| | Red Hat Security Advisory |
| | Github Security Advisories |
| | [GHSA-vhvx-8xgc-99wf] DSpace is vulnerable to Path Traversal attacks when importing packages using Simple Archive Format. org.dspace:dspace-api: < 7.6.4, fixed in 7.6.4; >= 8.0, < 8.2, fixed in 8.2; >= 9.0, < 9.1, fixed in 9.1 |
| | [GHSA-jjwr-5cfh-7xwh] DSpace is vulnerable to XML External Entity injection during archive imports. org.dspace:dspace-api: < 7.6.4, fixed in 7.6.4; >= 8.0, < 8.2, fixed in 8.2; >= 9.0, < 9.1, fixed in 9.1 |
| | [GHSA-32mf-57h2-64x9] XWiki Rendering is vulnerable to RCE attacks when processing nested macros. org.xwiki.rendering:xwiki-rendering-transformation-macro: >= 4.2-milestone-1, < 13.10.11, fixed in 13.10.11; >= 14.0, < 14.4.7, fixed in 14.4.7; >= 14.5, < 14.10, fixed in 14.10 |
| | [GHSA-w3wh-g4m9-783p] XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax. org.xwiki.rendering:xwiki-rendering-syntax-xhtml: >= 5.4.5, < 14.10, fixed in 14.10 |
| | Spring Security Advisories |
| | Java CVEs |
| 6.3 | CVE-2025-7788 A vulnerability has been found in Xuxueli xxl-job up to 3.1.1 and classified as critical. Affected by this vulnerability is the function commandJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\SampleXxlJob.java. The manipulation leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Published Friday, July 18, 2025 |
| 6.3 | CVE-2025-7787 A vulnerability, which was classified as critical, was found in Xuxueli xxl-job up to 3.1.1. Affected is the function httpJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\SampleXxlJob.java. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Published Friday, July 18, 2025 |
| 3.7 | CVE-2025-7789 A vulnerability was found in Xuxueli xxl-job up to 3.1.1 and classified as problematic. Affected by this issue is the function makeToken of the file src/main/java/com/xxl/job/admin/controller/IndexController.java of the component Token Generation. The manipulation leads to password hash with insufficient computational effort. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Published Friday, July 18, 2025 |
| 7.3 | CVE-2025-7801 A vulnerability has been found in BossSoft CRM 6.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /crm/module/HNDCBas_customPrmSearchDtl.jsp. The manipulation of the argument cstid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Published Friday, July 18, 2025 |
| 3.5 | CVE-2025-7863 A vulnerability was found in thinkgem JeeSite up to 5.12.0 and classified as problematic. Affected by this issue is the function redirectUrl of the file src/main/java/com/jeesite/common/web/http/ServletUtils.java. The manipulation of the argument url leads to open redirect. The attack may be launched remotely. The name of the patch is 3d06b8d009d0267f0255acc87ea19d29d07cedc3. It is recommended to apply a patch to fix this issue. Published Sunday, July 20, 2025 |
| 6.3 | CVE-2025-7864 A vulnerability was found in thinkgem JeeSite up to 5.12.0. It has been classified as critical. This affects the function Upload of the file src/main/java/com/jeesite/modules/file/web/FileUploadController.java. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 3585737d21fe490ff6948d913fcbd8d99c41fc08. It is recommended to apply a patch to fix this issue. Published Sunday, July 20, 2025 |
| 3.5 | CVE-2025-7865 A vulnerability was found in thinkgem JeeSite up to 5.12.0. It has been declared as problematic. This vulnerability affects the function xssFilter of the file src/main/java/com/jeesite/common/codec/EncodeUtils.java of the component XSS Filter. The manipulation of the argument text leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 3585737d21fe490ff6948d913fcbd8d99c41fc08. It is recommended to apply a patch to fix this issue. Published Sunday, July 20, 2025 |
| 6.3 | CVE-2025-7873 A vulnerability was found in Metasoft MetaCRM up to 6.4.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file mcc_login.jsp. The manipulation of the argument workerid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Sunday, July 20, 2025 |
| 5.3 | CVE-2025-7874 A vulnerability was found in Metasoft MetaCRM up to 6.4.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /env.jsp. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Sunday, July 20, 2025 |
| 7.3 | CVE-2025-7875 A vulnerability classified as critical has been found in Metasoft MetaCRM up to 6.4.2. This affects an unknown part of the file /debug.jsp. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Sunday, July 20, 2025 |
| 6.3 | CVE-2025-7876 A vulnerability classified as critical was found in Metasoft MetaCRM up to 6.4.2. This vulnerability affects the function AnalyzeParam of the file download.jsp. The manipulation of the argument p leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Sunday, July 20, 2025 |
| 6.3 | CVE-2025-7877 A vulnerability, which was classified as critical, has been found in Metasoft MetaCRM up to 6.4.2. This issue affects some unknown processing of the file sendfile.jsp. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Sunday, July 20, 2025 |
| 6.3 | CVE-2025-7879 A vulnerability has been found in Metasoft MetaCRM up to 6.4.2 and classified as critical. Affected by this vulnerability is an unknown functionality of the file mobileupload.jsp. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Sunday, July 20, 2025 |
| 6.3 | CVE-2025-7878 A vulnerability, which was classified as critical, was found in Metasoft MetaCRM up to 6.4.2. Affected is an unknown function of the file /common/jsp/upload2.jsp. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Sunday, July 20, 2025 |
| 6.3 | CVE-2025-7880 A vulnerability was found in Metasoft MetaCRM up to 6.4.2 and classified as critical. Affected by this issue is some unknown functionality of the file /business/common/sms/sendsms.jsp. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Sunday, July 20, 2025 |
| 6.3 | CVE-2025-7888 A vulnerability was found in TDuckCloud tduck-platform 5.1 and classified as critical. This issue affects the function UserFormDataMapper of the file src/main/java/com/tduck/cloud/form/mapper/UserFormDataMapper.java. The manipulation of the argument formKey leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Sunday, July 20, 2025 |
| 3.5 | CVE-2025-7902 A vulnerability classified as problematic has been found in yangzongzhuan RuoYi up to 4.8.1. Affected is the function addSave of the file com/ruoyi/web/controller/system/SysNoticeController.java. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Published Sunday, July 20, 2025 |
| 6.3 | CVE-2025-7906 A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1 and classified as critical. This issue affects the function uploadFile of the file ruoyi-admin/src/main/java/com/ruoyi/web/controller/common/CommonController.java. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Published Sunday, July 20, 2025 |
| N/A | CVE-2025-46119 An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where an authenticated request to the management endpoint `/admin/_cmdstat.jsp` discloses the administrator password in a trivially reversible obfuscated form. The same obfuscation method persists in configuration prior to 200.18.7.1.302, allowing anyone who obtains the system configuration to recover the plaintext credentials. Published Monday, July 21, 2025 |
| N/A | CVE-2025-46121 An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller. Published Monday, July 21, 2025 |
| N/A | CVE-2025-46122 An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the authenticated diagnostics API endpoint `/admin/_cmdstat.jsp` passes attacker-controlled input to the shell without adequate validation, enabling a remote attacker to specify a target by MAC address and execute arbitrary commands as root. Published Monday, July 21, 2025 |
| N/A | CVE-2025-46123 An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where the authenticated configuration endpoint `/admin/_conf.jsp` writes the Wi-Fi guest password to memory with snprintf using the attacker-supplied value as the format string; a crafted password therefore triggers uncontrolled format-string processing and enables remote code execution on the controller. Published Monday, July 21, 2025 |
| 6.3 | CVE-2025-7934 A vulnerability, which was classified as critical, has been found in fuyang_lipengjun platform up to ca9aceff6902feb7b0b6bf510842aea88430796a. This issue affects the function queryPage of the file platform-schedule/src/main/java/com/platform/controller/ScheduleJobController.java. The manipulation of the argument beanName leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning, so information about affected and unaffected releases is unavailable. Published Monday, July 21, 2025 |
| 6.3 | CVE-2025-7935 A vulnerability, which was classified as critical, was found in fuyang_lipengjun platform up to ca9aceff6902feb7b0b6bf510842aea88430796a. Affected is the function SysLogController of the file platform-admin/src/main/java/com/platform/controller/SysLogController.java. The manipulation of the argument key leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release to provide continuous delivery, so no version details for affected or updated releases are available. Published Monday, July 21, 2025 |
| 6.3 | CVE-2025-7936 A vulnerability has been found in fuyang_lipengjun platform up to ca9aceff6902feb7b0b6bf510842aea88430796a and classified as critical. Affected by this vulnerability is the function queryPage of the file com/platform/controller/ScheduleJobLogController.java. The manipulation of the argument beanName/methodName leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery, so version details for affected and updated releases are not available. Published Monday, July 21, 2025 |
| 4.3 | CVE-2025-7938 A vulnerability was found in jerryshensjf JPACookieShop 1.0 and classified as critical. This issue affects the function updateGoods of the file GoodsController.java. The manipulation leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Published Monday, July 21, 2025 |
| 6.3 | CVE-2025-7939 A vulnerability was found in jerryshensjf JPACookieShop 1.0. It has been classified as critical. Affected is the function addGoods of the file GoodsController.java. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. Published Monday, July 21, 2025 |
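The two DSpace advisories above (GHSA-vhvx-8xgc-99wf, path traversal while importing a Simple Archive Format package, and GHSA-jjwr-5cfh-7xwh, XXE during archive import) describe the two checks any archive importer has to make before it trusts package contents: every entry name must resolve inside the import directory, and the XML metadata inside the package must be parsed with DTDs refused. The following is an added example written for this page, not DSpace's own code; the class name, the `item_001/dublin_core.xml` entry and the constructed packages are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Added example, not DSpace code. Class name, entry names and the test packages are assumptions.
public class SafeArchiveImport {

    // Resolve one entry name under the import root; refuse "../" escapes and absolute names
    // (Path.resolve returns an absolute argument unchanged, so "/etc/passwd" also fails the check).
    static Path resolveEntry(Path importRoot, String entryName) throws IOException {
        Path root = importRoot.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("zip entry escapes import root: " + entryName);
        }
        return target;
    }

    // Validate every entry name first so a bad package writes nothing, then extract in a second pass.
    static List<Path> extract(byte[] zipBytes, Path importRoot) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) resolveEntry(importRoot, e.getName());
        }
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                Path target = resolveEntry(importRoot, e.getName());
                if (e.isDirectory()) { Files.createDirectories(target); continue; }
                Files.createDirectories(target.getParent());
                Files.copy(zin, target);   // reads only to the end of the current entry
                written.add(target);
            }
        }
        return written;
    }

    // Parser for the package's XML metadata: a DOCTYPE (and so any entity declaration) is refused outright,
    // and external DTD/schema access is switched off as a second layer.
    static DocumentBuilderFactory hardenedXmlFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parseMetadata(byte[] xml) throws Exception {
        return hardenedXmlFactory().newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // Constructed test package: one ordinary item entry, optionally one traversal entry.
    static byte[] constructedPackage(boolean withTraversal) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("item_001/dublin_core.xml"));
            zos.write("<dublin_core><dcvalue element=\"title\">ok</dcvalue></dublin_core>".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            if (withTraversal) {
                zos.putNextEntry(new ZipEntry("../../../etc/cron.d/evil"));
                zos.write("* * * * * root id\n".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Path root = Files.createTempDirectory("saf-import");
        System.out.println("clean package: wrote " + extract(constructedPackage(false), root));
        try {
            extract(constructedPackage(true), root);
        } catch (IOException ex) {
            System.out.println("traversal package: " + ex.getMessage());
        }
        String xxe = "<!DOCTYPE d [<!ENTITY x SYSTEM \"file:///etc/passwd\">]><dublin_core>&x;</dublin_core>";
        try {
            parseMetadata(xxe.getBytes(StandardCharsets.UTF_8));
        } catch (SAXException ex) {
            System.out.println("xxe metadata: " + ex.getMessage());
        }
    }
}
```

Run with `java SafeArchiveImport.java` (JDK 11 or later). The traversal package is rejected before a single byte is written, and the metadata with an external entity fails at the DOCTYPE rather than at entity expansion, which is the behaviour to aim for: rejecting the declaration removes the whole class of payload instead of trying to enumerate dangerous entities.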
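CVE-2025-7863 above is an open redirect through a `url` argument reaching `ServletUtils.redirectUrl`. The usual fix is not to "sanitize" the string but to decide, with an allow list, whether it may be used as a `Location` value at all. The following is an added example written for this page, not JeeSite's code; the allow-listed hosts, the fallback path and the constructed inputs are assumptions. It covers the bypasses a practitioner should test for beyond the plain `http://evil.com` case: scheme-relative `//host`, backslash tricks, userinfo `@` tricks, opaque `https:host` and bare `host:port` strings that Java parses as a scheme.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example, not JeeSite code. The allow-listed hosts and the fallback path are assumptions.
public class SafeRedirect {

    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "sso.example.com");

    // Return a Location value that is safe to send, or the fallback when the candidate cannot be trusted.
    static String redirectTarget(String candidate, String fallback) {
        if (candidate == null || candidate.isBlank()) return fallback;
        String url = candidate.strip();

        // Control characters, whitespace and backslashes are where bypasses hide:
        // browsers read "/\evil.com" as "//evil.com", and CR/LF would split the response header.
        for (char c : url.toCharArray()) {
            if (c <= 0x20 || c == 0x7f || c == '\\') return fallback;
        }

        // Site-local path: exactly one leading slash. "//host/..." is a scheme-relative URL.
        if (url.startsWith("/")) {
            return url.startsWith("//") ? fallback : url;
        }

        // Everything else must parse as an absolute https URL to an allow-listed host.
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return fallback;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return fallback;  // also rejects "evil.com:80" and "javascript:"
        if (uri.getRawUserInfo() != null) return fallback;                 // "https://app.example.com@evil.com"
        String host = uri.getHost();                                       // null for opaque "https:evil.com"
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return fallback;
        return url;
    }

    public static void main(String[] args) {
        // Constructed inputs: the first and fourth are legitimate, the rest are bypass attempts.
        List<String> constructed = List.of(
                "/dashboard?tab=1",
                "//evil.com/",
                "/\\evil.com",
                "https://app.example.com/home",
                "https://app.example.com@evil.com/",
                "https:evil.com",
                "evil.com:80",
                "javascript:alert(1)",
                "https://app.example.com.evil.com/");
        for (String c : constructed) {
            System.out.printf("%-40s -> %s%n", c, redirectTarget(c, "/"));
        }
    }
}
```

Only `/dashboard?tab=1` and `https://app.example.com/home` come back unchanged; every other input falls through to `/`. Note that the check is on the string the browser will receive, so it must run after any decoding the framework applies to the parameter, not before.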
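Seven of the entries above are "unrestricted upload" findings (JeeSite CVE-2025-7864, RuoYi CVE-2025-7906, MetaCRM CVE-2025-7877/7878/7879/7880, JPACookieShop CVE-2025-7939), all in JSP-hosted applications where a stored `.jsp` is immediate code execution. The following is an added example written for this page, not code from any of those projects; the allowed types, size limit, upload root and constructed files are assumptions. The three rules it applies are: take only an allow-listed extension from the client's name and nothing else, check that the bytes really carry that type's signature, and store under a server-chosen name so the client's filename never touches the filesystem.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

// Added example, not RuoYi/JeeSite/MetaCRM code. Allowed types, size limit and upload root are assumptions.
public class SafeUpload {

    static final long MAX_BYTES = 5L * 1024 * 1024;

    // Allowed extensions mapped to the leading bytes the content must actually carry.
    private static final Map<String, byte[]> MAGIC = Map.of(
            "png",  new byte[] {(byte) 0x89, 'P', 'N', 'G'},
            "jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "pdf",  "%PDF".getBytes(StandardCharsets.US_ASCII));

    // Take only the extension from the client name; any directory part is dropped, control characters are refused.
    static String allowedExtension(String clientFilename) {
        if (clientFilename == null) throw new IllegalArgumentException("missing filename");
        for (char c : clientFilename.toCharArray()) {
            if (c < 0x20 || c == 0x7f) throw new IllegalArgumentException("control character in filename");
        }
        String name = clientFilename.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);            // "../../x.png" -> "x.png"
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) throw new IllegalArgumentException("no extension: " + name);
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!MAGIC.containsKey(ext)) throw new IllegalArgumentException("extension not allowed: " + ext);
        return ext;
    }

    static boolean hasMagic(byte[] content, byte[] magic) {
        if (content.length < magic.length) return false;
        for (int i = 0; i < magic.length; i++) if (content[i] != magic[i]) return false;
        return true;
    }

    // Store under a server-chosen name; the client's filename never reaches the filesystem.
    static Path store(String clientFilename, byte[] content, Path uploadRoot) throws IOException {
        String ext = allowedExtension(clientFilename);
        if (content.length > MAX_BYTES) throw new IllegalArgumentException("too large");
        if (!hasMagic(content, MAGIC.get(ext))) throw new IllegalArgumentException("content does not match ." + ext);
        Path target = uploadRoot.resolve(UUID.randomUUID() + "." + ext);
        Files.write(target, content);
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("uploads");
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};          // constructed PNG header
        byte[] jsp = "<% Runtime.getRuntime().exec(request.getParameter(\"c\")); %>".getBytes(StandardCharsets.UTF_8);
        Object[][] attempts = {
                {"photo.png", png},
                {"../../webapps/ROOT/photo.png", png},   // traversal in the name: stored under a random name instead
                {"shell.jsp", jsp},
                {"shell.jsp.png", jsp},                   // allowed extension, but the bytes are not a PNG
                {"shell.PNG", jsp},
        };
        for (Object[] a : attempts) {
            try {
                System.out.println(a[0] + " -> stored as " + store((String) a[0], (byte[]) a[1], root).getFileName());
            } catch (IllegalArgumentException ex) {
                System.out.println(a[0] + " -> rejected: " + ex.getMessage());
            }
        }
    }
}
```

Run with `java SafeUpload.java`. Only the two PNG attempts are stored, both under a UUID name, so the traversal prefix in the second one is irrelevant. The `Content-Type` header sent with a multipart part is client-controlled and is deliberately not consulted; the signature check on the bytes is what decides. The upload root should also live outside any servlet-served or JSP-compiled directory, which is a deployment setting this example does not show.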
