2025-35 Java Security Weekly News - Jenkins, GitHub 2025

Published on September 12, 2025
Jenkins Security Advisories

GitHub Security Advisories

| Advisory | Title | Package | Impacted versions | Fixed in |
|---|---|---|---|---|
| GHSA-rrw2-px9j-qffj | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side | co.fs2:fs2-io_2.12 | < 3.12.2 | 3.12.2 |
| GHSA-rrw2-px9j-qffj | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side | co.fs2:fs2-io_2.12 | >= 3.13.0-M1, < 3.13.0-M7 | 3.13.0-M7 |
| GHSA-rrw2-px9j-qffj | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side | co.fs2:fs2-io_2.13 | < 3.12.2 | 3.12.2 |
| GHSA-rrw2-px9j-qffj | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side | co.fs2:fs2-io_2.13 | >= 3.13.0-M1, < 3.13.0-M7 | 3.13.0-M7 |
| GHSA-rrw2-px9j-qffj | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side | co.fs2:fs2-io_3 | < 3.12.2 | 3.12.2 |
| GHSA-rrw2-px9j-qffj | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side | co.fs2:fs2-io_3 | >= 3.13.0-M1, < 3.13.0-M7 | 3.13.0-M7 |
| GHSA-rrw2-px9j-qffj | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side | co.fs2:fs2-io_0.26 | < 3.12.2 | |
| GHSA-rrw2-px9j-qffj | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side | co.fs2:fs2-io_0.27 | < 3.12.2 | |
| GHSA-rrw2-px9j-qffj | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side | co.fs2:fs2-io_2.11 | < 3.12.2 | |
| GHSA-rrw2-px9j-qffj | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side | co.fs2:fs2-io_2.12.0-M4 | < 3.12.2 | |
| GHSA-rrw2-px9j-qffj | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side | co.fs2:fs2-io_2.12.0-RC1 | < 3.12.2 | |
| GHSA-rrw2-px9j-qffj | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side | co.fs2:fs2-io_2.12.0-M5 | < 3.12.2 | |
| GHSA-rrw2-px9j-qffj | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side | co.fs2:fs2-io_2.12.0-RC2 | < 3.12.2 | |
| GHSA-rrw2-px9j-qffj | FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side | co.fs2:fs2-io_2.13.0-M5 | < 3.12.2 | |
| GHSA-fghv-69vj-qj49 | Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions | io.netty:netty-codec-http | < 4.1.125.Final | 4.1.125.Final |
| GHSA-fghv-69vj-qj49 | Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions | io.netty:netty-codec-http | >= 4.2.0.Alpha1, < 4.2.5.Final | 4.2.5.Final |
| GHSA-c7v7-rqfm-f44j | Vaadin Platform possible file bypass via upload validation on the server-side | com.vaadin:vaadin | >= 14.0.0, <= 14.13.0 | 14.13.1 |
| GHSA-c7v7-rqfm-f44j | Vaadin Platform possible file bypass via upload validation on the server-side | com.vaadin:vaadin | >= 23.0.0, <= 23.6.1 | 23.6.2 |
| GHSA-c7v7-rqfm-f44j | Vaadin Platform possible file bypass via upload validation on the server-side | com.vaadin:vaadin | >= 24.0.0, <= 24.7.6 | 24.7.7 |
| GHSA-94g8-xv23-7656 | Vaadin Flow Components possible file bypass via upload validation on the server-side | com.vaadin:vaadin-upload-flow | >= 2.0.0, <= 14.13.0 | 14.13.1 |
| GHSA-94g8-xv23-7656 | Vaadin Flow Components possible file bypass via upload validation on the server-side | com.vaadin:vaadin-upload-flow | >= 23.0.0, <= 23.6.1 | 23.6.2 |
| GHSA-94g8-xv23-7656 | Vaadin Flow Components possible file bypass via upload validation on the server-side | com.vaadin:vaadin-upload-flow | >= 24.0.0, <= 24.7.6 | 24.7.7 |
| GHSA-9gfh-4fwj-w3rj | Vaadin Framework possible file bypass via upload validation on the server-side | com.vaadin:vaadin-server | >= 7.0.0, <= 7.7.47 | 7.7.48 |
| GHSA-9gfh-4fwj-w3rj | Vaadin Framework possible file bypass via upload validation on the server-side | com.vaadin:vaadin-server | >= 8.0.0, <= 8.28.1 | 8.28.2 |
| GHSA-3p8m-j85q-pgmj | Netty's decoders vulnerable to DoS via zip bomb style attack | io.netty:netty-codec-compression | >= 4.2.0.Alpha1, < 4.2.5.Final | 4.2.5.Final |
| GHSA-3p8m-j85q-pgmj | Netty's decoders vulnerable to DoS via zip bomb style attack | io.netty:netty-codec | < 4.1.125.Final | 4.1.125.Final |
| GHSA-m63c-3rmg-r2cf | XWiki configuration files can be accessed through jsx and sx endpoints | org.xwiki.platform:xwiki-platform-skin-skinx | >= 4.2-milestone-2, < 16.10.7 | 16.10.7 |
| GHSA-qww7-89xh-x7m7 | XWiki configuration files can be accessed through the webjars API | org.xwiki.platform:xwiki-platform-webjars-api | >= 6.1-milestone-2, < 16.10.7 | 16.10.7 |
Java CVEs

| CVSS | CVE | Description | Published |
|---|---|---|---|
| N/A | CVE-2025-43782 | Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API. | Thursday, September 11, 2025 |
| N/A | CVE-2025-43790 | Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users from one virtual instance to access, create, edit, or relate data/object entries/definitions to an object in a different virtual instance. | Thursday, September 11, 2025 |
| 5.5 | CVE-2025-8681 | Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Requires a high privileged user with a developer role. | Wednesday, September 10, 2025 |
| N/A | CVE-2025-8311 | dotCMS versions 24.03.22 and after contain a Boolean-based blind SQLi vulnerability in the /api/v1/contenttype endpoint. This endpoint uses the sites query parameter, which accepts a comma-separated list of site identifiers or keys. The vulnerability was triggered via the sites parameter, which was directly concatenated into a SQL query without proper sanitization. Exploitation allowed an authenticated attacker with low privileges to extract data from the database, perform privilege escalation, or trigger denial-of-service conditions. The vulnerability was verified using tools such as SQLMap and confirmed to allow full database exfiltration and potential denial-of-service conditions via crafted payloads. The vulnerability is fixed in the following versions of the dotCMS stack: 25.08.14 / 25.07.10-1v2 LTS / 24.12.27v10 LTS / 24.04.24v21 LTS. | Thursday, September 4, 2025 |
| N/A | CVE-2025-10193 | DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP instances. The attack relies on the user being enticed to visit a malicious website and spend sufficient time there for DNS rebinding to succeed. | Thursday, September 11, 2025 |
| N/A | CVE-2025-43789 | JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes, which allows Service Access Policies to be bypassed. | Friday, September 12, 2025 |
| N/A | CVE-2025-43788 | The organization selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations. | Friday, September 12, 2025 |
| 7.5 | CVE-2025-9784 | A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS). | Tuesday, September 2, 2025 |
| 6.3 | CVE-2025-10278 | A flaw has been found in YunaiV ruoyi-vue-pro up to 2025.09. Impacted is an unknown function of the file /crm/contact/transfer. Manipulation of the argument ids/newOwnerUserId causes improper authorization. The attack can be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | Friday, September 12, 2025 |
| 10.0 | CVE-2025-55728 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection, which enables remote code execution. Version 1.26.5 contains a patch for the issue. | Tuesday, September 9, 2025 |
| 6.3 | CVE-2025-10291 | A weakness has been identified in linlinjava litemall up to 1.8.0. This affects the function WxAftersaleController of the file /wx/aftersale/cancel. Manipulation of the argument ID can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | Friday, September 12, 2025 |
| 2.4 | CVE-2025-10234 | A vulnerability was detected in Scada-LTS up to 2.7.8.1. This vulnerability affects unknown code of the file /data_point_edit.shtm of the component Data Point Edit Module. Manipulation of the argument Text Renderer properties results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | Wednesday, September 10, 2025 |
| 6.3 | CVE-2025-10277 | A vulnerability was detected in YunaiV yudao-cloud up to 2025.09. This issue affects some unknown processing of the file /crm/receivable/submit. Manipulation of the argument ID results in improper authorization. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | Friday, September 12, 2025 |
| 6.3 | CVE-2025-10247 | A security vulnerability has been detected in JEPaaS 7.2.8. This vulnerability affects the function doFilterInternal of the component Filter Handler. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | Thursday, September 11, 2025 |
| 3.1 | CVE-2025-10252 | A flaw has been found in SEAT Queue Ticket Kiosk up to 20250827. This affects an unknown part of the component Java RMI Registry Handler. This manipulation causes deserialization. The attack can only be done within the local network. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way. | Thursday, September 11, 2025 |
| 6.3 | CVE-2025-10318 | A vulnerability was identified in JeecgBoot up to 3.8.2. Affected by this vulnerability is an unknown functionality of the file /api/system/sendWebSocketMsg of the component WebSocket Message Handler. Manipulation of the argument userIds leads to improper authorization. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | Friday, September 12, 2025 |
