2025-29 Java Security Weekly News - Canonical, Red Hat, GitHub
2025 » Published on August 1, 2025
| | Ubuntu Security Notices |
| | Red Hat Security Advisory |
| | Github Security Advisories |
| | [GHSA-j63h-hmgw-x4j7] Opencast still publishes global system account credentials. Affected: org.opencastproject:opencast-common < 17.6 (fixed in 17.6); org.opencastproject:opencast-ingest-service-impl < 17.6 (fixed in 17.6); org.opencastproject:opencast-kernel < 17.6 (fixed in 17.6); org.opencastproject:opencast-publication-service-oaipmh-remote < 17.6 (fixed in 17.6) |
| | [GHSA-p9qm-p942-q3w5] XWiki Platform vulnerable to SQL injection through XWiki#searchDocuments API. Affected: org.xwiki.platform:xwiki-platform-oldcore >= 1.0, < 16.10.6 (fixed in 16.10.6); org.xwiki.platform:xwiki-platform-oldcore >= 17.0.0-rc1, < 17.3.0-rc-1 (fixed in 17.3.0-rc-1) |
| | [GHSA-vr59-gm53-v7cq] XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter. Affected: org.xwiki.platform:xwiki-platform-distribution-war >= 9.4-rc-1, < 16.10.6 (fixed in 16.10.6); org.xwiki.platform:xwiki-platform-distribution-war >= 17.0.0-rc-1, < 17.3.0-rc-1 (fixed in 17.3.0-rc-1) |
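Both XWiki advisories above are the same bug class: a request parameter that names a column or sort order is pasted into query text. The usual fix is an allow-list, not escaping, because an identifier in ORDER BY cannot be bound as a prepared-statement parameter. The block below is an added illustration written for this digest, not XWiki code; the table name, the column names and the request values are assumed.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added example, not XWiki code. Table and column names are assumed.
public class SortParameterExample {

    // Allow-list mapping the request-facing sort key to a real column name.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "date", "deleted_date",
            "name", "full_name",
            "deleter", "deleter");

    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");

    // Vulnerable pattern: the request parameter is concatenated into the query text,
    // so whatever the caller sends becomes part of the ORDER BY clause.
    static String vulnerableQuery(String sort, String dir) {
        return "SELECT * FROM deleted_documents ORDER BY " + sort + " " + dir;
    }

    // Safe pattern: only values that map to a known column or direction reach the SQL;
    // anything else is rejected outright rather than echoed back or "cleaned".
    static Optional<String> safeQuery(String sort, String dir) {
        String column = sort == null ? null : SORT_COLUMNS.get(sort);
        String direction = dir == null ? null : dir.toUpperCase(Locale.ROOT);
        if (column == null || direction == null || !DIRECTIONS.contains(direction)) {
            return Optional.empty();
        }
        return Optional.of("SELECT * FROM deleted_documents ORDER BY " + column + " " + direction);
    }

    public static void main(String[] args) {
        // Constructed request values: one carrying a subquery, one honest.
        String injected = "deleted_date, (SELECT password FROM app_users LIMIT 1)";
        System.out.println(vulnerableQuery(injected, "asc"));   // subquery becomes part of the statement
        System.out.println(safeQuery(injected, "asc"));         // rejected: not an allow-listed key
        System.out.println(safeQuery("date", "desc"));          // accepted and mapped to the real column
    }
}
```

The point of `safeQuery` returning `Optional.empty()` rather than a default sort is that a rejected value should surface as a 400 to the caller, so a scanner probing the parameter gets no hint that part of its input was kept.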
| | org.keycloak:keycloak-services |
| 5.4 | CVE-2025-7365 A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account. Published Thursday, July 10, 2025 |
| 6.5 | CVE-2025-7784 A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm. Published Friday, July 18, 2025 |
| | Additional Java CVEs |
| 6.3 | CVE-2025-8203 A vulnerability classified as critical has been found in Jingmen Zeyou Large File Upload Control up to 6.3. Affected is an unknown function of the file /index.jsp. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Saturday, July 26, 2025 |
| 6.1 | CVE-2025-8211 A vulnerability was found in Roothub up to 2.6. It has been declared as problematic. Affected by this vulnerability is the function Edit of the file src/main/java/cn/roothub/web/admin/SystemConfigAdminController.java. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Published Saturday, July 26, 2025 |
| 4.3 | CVE-2025-8221 A vulnerability classified as problematic was found in jerryshensjf JPACookieShop up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. Affected by this vulnerability is the function goodsSearch of the file GoodsCustController.java. The manipulation of the argument keyword leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. Published Sunday, July 27, 2025 |
| 3.5 | CVE-2025-8222 A vulnerability, which was classified as problematic, has been found in jerryshensjf JPACookieShop up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. Affected by this issue is some unknown functionality of the file GoodsController.java. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. Multiple endpoints are affected. Published Sunday, July 27, 2025 |
| 4.3 | CVE-2025-8223 A vulnerability, which was classified as problematic, was found in jerryshensjf JPACookieShop up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. This affects an unknown part of the file AdminTypeCustController.java. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. Published Sunday, July 27, 2025 |
| N/A | CVE-2025-54656 ** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated). As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Published Wednesday, July 30, 2025 |
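The Struts Extras issue above is log injection: a CR or LF inside an untrusted value lets one request write what looks like a second, forged log line. Since the project is retired the fix has to live in the calling code. The block below is an added example written for this digest, not Struts code; the log message text and the sample "user name" are constructed.

```java
import java.util.logging.Logger;

// Added example, not Apache Struts code. Message text and input are constructed.
public class LogNeutralizeExample {
    private static final Logger LOG = Logger.getLogger("app");

    // Vulnerable pattern: the untrusted value is written to the log unchanged,
    // so an embedded newline starts what reads as a separate log record.
    static String vulnerableLine(String user) {
        return "Login failed for user " + user;
    }

    // Escape CR, LF, TAB and any other control character so the value can
    // neither start a new line nor carry terminal escape sequences.
    static String neutralize(String s) {
        if (s == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\r') {
                out.append("\\r");
            } else if (c == '\n') {
                out.append("\\n");
            } else if (c == '\t') {
                out.append("\\t");
            } else if (Character.isISOControl(c)) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    static String safeLine(String user) {
        return "Login failed for user " + neutralize(user);
    }

    public static void main(String[] args) {
        // Constructed input: a "user name" that carries a fake second log line.
        String user = "alice\nINFO: Login succeeded for user admin";
        System.out.println("--- vulnerable ---");
        System.out.println(vulnerableLine(user));   // prints as two lines
        System.out.println("--- neutralized ---");
        System.out.println(safeLine(user));         // one line, newline shown as \n
        LOG.warning(safeLine(user));
    }
}
```

Parameterized logging (`log.warn("... {}", user)` in SLF4J or `{0}` in java.util.logging) does not help here; placeholders only avoid string concatenation, they do not escape the value. The escaping has to happen before the value reaches the logger, or in a layout/encoder configured for that purpose.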
| 4.3 | CVE-2025-8343 A vulnerability was found in openviglet shio up to 0.3.8. It has been rated as critical. This issue affects the function shStaticFilePreUpload of the file shio-app/src/main/java/com/viglet/shio/api/staticfile/ShStaticFileAPI.java. The manipulation of the argument fileName leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Published Thursday, July 31, 2025 |
| 6.3 | CVE-2025-8344 A vulnerability classified as critical has been found in openviglet shio up to 0.3.8. Affected is the function shStaticFileUpload of the file shio-app/src/main/java/com/viglet/shio/api/staticfile/ShStaticFileAPI.java. The manipulation of the argument filename leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Published Thursday, July 31, 2025 |
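CVE-2025-8343 and CVE-2025-8344 are the two halves of one unsafe upload handler: a client-controlled file name that is used to locate a file on disk (path traversal) and that decides what gets stored (unrestricted upload). The block below is an added example written for this digest, not shio code; the upload root, the name pattern and the extension allow-list are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not shio code. Upload root, name pattern and extension list are assumed.
public class UploadNameExample {
    private static final Path UPLOAD_ROOT =
            Paths.get("/srv/app/static").toAbsolutePath().normalize();

    // Plain file names only: no separators, no leading/trailing spaces, bounded length.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,100}");
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif", "pdf");

    // Vulnerable pattern: the client-supplied name is joined to the root unchecked,
    // so "../../etc/passwd" or "shell.jsp" are accepted as-is.
    static Path vulnerableTarget(String fileName) {
        return UPLOAD_ROOT.resolve(fileName);
    }

    // Safe pattern: validate the name, validate the extension, then confirm the
    // resolved path is a direct child of the upload root.
    static Optional<Path> safeTarget(String fileName) {
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
            return Optional.empty();
        }
        int dot = fileName.lastIndexOf('.');
        if (dot <= 0 || dot == fileName.length() - 1) {
            return Optional.empty();           // no extension, or a bare "." / ".."
        }
        String ext = fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            return Optional.empty();           // e.g. .jsp, .war, .sh
        }
        Path target = UPLOAD_ROOT.resolve(fileName).normalize();
        if (!target.startsWith(UPLOAD_ROOT) || !UPLOAD_ROOT.equals(target.getParent())) {
            return Optional.empty();           // defence in depth; SAFE_NAME should already block this
        }
        return Optional.of(target);
    }

    public static void main(String[] args) {
        // Constructed request values covering both CVE classes.
        String[] names = {"../../etc/passwd", "shell.jsp", "..", "photo.PNG", "report.pdf"};
        for (String n : names) {
            System.out.println(n + " -> vulnerable: " + vulnerableTarget(n)
                    + " | safe: " + safeTarget(n).map(Path::toString).orElse("rejected"));
        }
    }
}
```

The extension check limits what the web tier will later serve or execute, but it is not a content check; pairing it with a server-generated storage name (for example a UUID plus the validated extension) removes the client from the naming decision entirely.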
| N/A | CVE-2025-8192 There exists a TOCTOU race condition in TvSettings AppRestrictionsFragment.java that leads to the start of an attacker-supplied activity in the Settings context, i.e. the system-uid context, and thus to launchAnyWhere. The core idea is to use the time window between the check of the Intent and its use to change the target component's state, thereby bypassing the original security sanitization function. Published Thursday, July 31, 2025 |
| N/A | CVE-2025-24853 A carefully crafted request when creating a header link using the wiki markup syntax, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too. Apache JSPWiki users should upgrade to 2.12.3 or later. Published Thursday, July 31, 2025 |
| N/A | CVE-2025-24854 A carefully crafted request using the Image plugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.3 or later. Published Thursday, July 31, 2025 |
