2025-30 Java Security Weekly News - Canonical, Red Hat, GitHub
Published on August 8, 2025
| Ubuntu Security Notices |
| --- |

| Red Hat Security Advisory |
| --- |

| Github Security Advisories |
| --- |

| Advisory | Title | Package | Impacts versions | Fixed in |
| --- | --- | --- | --- | --- |
| GHSA-2rjv-cv85-xhgm | OpenSearch unauthorized data access on fields protected by field level security if field is a member of an object | org.opensearch.plugin:opensearch-security | < 2.19.3.0 | 2.19.3.0 |
| GHSA-rrmm-wq7q-h4v5 | OpenSearch unauthorized data access on fields protected by field masking for fields of type ip, geo_point, geo_shape, xy_point, xy_shape | org.opensearch.plugin:opensearch-security | < 2.19.3.0 | 2.19.3.0 |
| GHSA-27gp-8389-hm4w | Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled) | org.keycloak:keycloak-services | >= 26.2.0, < 26.2.6 | 26.2.6 |
| GHSA-xhpr-465j-7p9q | Keycloak phishing attack via email verification step in first login flow | org.keycloak:keycloak-services | < 26.0.13 | 26.0.13 |
| GHSA-xhpr-465j-7p9q | Keycloak phishing attack via email verification step in first login flow | org.keycloak:keycloak-services | >= 26.2.0, < 26.2.6 | 26.2.6 |
| Java CVEs |
| --- |

| Score | CVE | Description | Published |
| --- | --- | --- | --- |
| 6.3 | CVE-2025-8526 | A vulnerability was found in Exrick xboot up to 3.3.4. It has been declared as critical. This vulnerability affects the function Upload of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/UploadController.java. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | Monday, August 4, 2025 |
| 6.3 | CVE-2025-8527 | A vulnerability was found in Exrick xboot up to 3.3.4. It has been rated as critical. This issue affects some unknown processing of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/SecurityController.java of the component Swagger. The manipulation of the argument loginUrl leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | Monday, August 4, 2025 |
| 6.3 | CVE-2025-8529 | A vulnerability classified as critical was found in cloudfavorites favorites-web up to 1.3.0. Affected by this vulnerability is the function getCollectLogoUrl of the file app/src/main/java/com/favorites/web/CollectController.java. The manipulation of the argument url leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | Monday, August 4, 2025 |
| 3.7 | CVE-2025-8548 | A vulnerability was found in atjiu pybbs up to 6.0.0 and classified as problematic. This issue affects the function sendEmailCode of the file src/main/java/co/yiiu/pybbs/controller/api/SettingsApiController.java of the component Registered Email Handler. The manipulation of the argument email leads to information exposure through error message. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 234197c4f8fc7ce24bdcff5430cd42492f28936a. It is recommended to apply a patch to fix this issue. | Tuesday, August 5, 2025 |
| 3.7 | CVE-2025-8549 | A vulnerability was found in atjiu pybbs up to 6.0.0. It has been classified as critical. Affected is the function update of the file src/main/java/co/yiiu/pybbs/controller/admin/UserAdminController.java. The manipulation leads to weak password requirements. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as d09cb19a8e7d7e5151282926ada54080244d499f. It is recommended to apply a patch to fix this issue. | Tuesday, August 5, 2025 |
| 5.0 | CVE-2025-8708 | A vulnerability was found in Antabot White-Jotter 0.22. It has been declared as critical. This vulnerability affects the function CookieRememberMeManager of the file ShiroConfiguration.java of the component com.gm.wj.config.ShiroConfiguration. The manipulation with the input EVANNIGHTLY_WAOU leads to deserialization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | Friday, August 8, 2025 |
