2025-44 Java Security Weekly News - Cisco, GitHub
Published on November 14, 2025
| | Cisco Security Advisory |
| | Github Security Advisories |
| | [GHSA-j2pc-v64r-mv4f] Protobuf Maven Plugin protocDigest is ignored when using protoc from PATH. io.github.ascopes:protobuf-maven-plugin - impacts versions: >= 4.0.0, <= 4.0.1; fixed in: 4.0.2. io.github.ascopes:protobuf-maven-plugin - impacts versions: < 3.10.2; fixed in: 3.10.2 |
| | Java CVEs |
| 8.0 | CVE-2025-12967 An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to the rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with the permissions of other Amazon Relational Database Service (RDS) users. We recommend customers upgrade to the following versions: AWS JDBC Wrapper to v2.6.5, AWS Go Wrapper to 2025-10-17, AWS NodeJS Wrapper to v2.0.1, AWS Python Wrapper to v1.4.0 and AWS PGSQL ODBC driver to v1.0.1. Published Monday, November 10, 2025 |
| N/A | CVE-2025-12405 An improper privilege management vulnerability was found in Looker Studio. It impacted all JDBC-based connectors. A Looker Studio user with report view access could make a copy of the report and execute arbitrary SQL that would run on the data source database due to the stored credentials attached to the report. This vulnerability was patched on 21 July 2025, and no customer action is needed. Published Monday, November 10, 2025 |
| 3.1 | CVE-2025-64686 In JetBrains YouTrack before 2025.3.104432 missing user principal cleanup led to reuse of an incorrect authorization context. Published Monday, November 10, 2025 |
| 5.4 | CVE-2025-42889 SAP Starter Solution allows an authenticated attacker to execute crafted database queries, thereby exposing the back-end database. As a result, this vulnerability has a low impact on the application's confidentiality and integrity but no impact on its availability. Published Tuesday, November 11, 2025 |
| 7.5 | CVE-2025-42940 SAP CommonCryptoLib does not perform necessary boundary checks during pre-authentication parsing of manipulated ASN.1 data over the network. This may result in memory corruption followed by an application crash, hence leading to a high impact on availability. There is no impact on confidentiality or integrity. Published Tuesday, November 11, 2025 |
| 2.7 | CVE-2025-42883 Migration Workbench (DX Workbench) in SAP NetWeaver Application Server for ABAP fails to trigger a malware scan when an attacker with administrative privileges uploads files to the application server. An attacker could leverage this and upload a malicious file into the system. This results in a low impact on the integrity of the application. Published Tuesday, November 11, 2025 |
| 6.5 | CVE-2025-42884 SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL used during JNDI lookup operations, enabling access to an unintended JNDI provider. This could further lead to disclosure or modification of information about the server. There is no impact on availability. Published Tuesday, November 11, 2025 |
| 6.1 | CVE-2025-42886 Due to a Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim accesses this link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser context. This could allow the attacker to access or modify information within the victim's browser scope, impacting confidentiality and integrity, while availability remains unaffected. Published Tuesday, November 11, 2025 |
| 5.3 | CVE-2025-42919 Due to an Information Disclosure vulnerability in SAP NetWeaver Application Server Java, internal metadata files could be accessed via manipulated URLs. An unauthenticated attacker could exploit this vulnerability by inserting arbitrary path components in the request, allowing unauthorized access to sensitive application metadata. This results in a partial compromise of the confidentiality of the information without affecting the integrity or availability of the application server. Published Tuesday, November 11, 2025 |
| 5.4 | CVE-2025-36135 IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.7_1, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7_1, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. Published Friday, November 7, 2025 |
| 8.8 | CVE-2025-37736 Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is: post:/platform/configuration/security/service-accounts; delete:/platform/configuration/security/service-accounts/{user_id}; patch:/platform/configuration/security/service-accounts/{user_id}; post:/platform/configuration/security/service-accounts/{user_id}/keys; delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id}; patch:/user; post:/users; post:/users/auth/keys; delete:/users/auth/keys; delete:/users/auth/keys/_all; delete:/users/auth/keys/{api_key_id}; delete:/users/{user_id}/auth/keys; delete:/users/{user_id}/auth/keys/{api_key_id}; delete:/users/{user_name}; patch:/users/{user_name}. Published Friday, November 7, 2025 |
| 2.7 | CVE-2025-64682 In JetBrains Hub before 2025.3.104432 a race condition allowed bypass of the Agent-user limit. Published Monday, November 10, 2025 |
| 9.6 | CVE-2025-64689 In JetBrains YouTrack before 2025.3.104432 misconfiguration in Junie could lead to exposure of the global Junie token. Published Monday, November 10, 2025 |
| 5.3 | CVE-2025-33150 IBM Cognos Analytics Certified Containers 12.1.0 could disclose package parameter information due to the presence of hidden pages. Published Monday, November 10, 2025 |
| 6.8 | CVE-2025-42892 Due to an OS Command Injection vulnerability in SAP Business Connector, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system's confidentiality, integrity, and availability. Published Tuesday, November 11, 2025 |
| 6.8 | CVE-2025-42894 Due to a Path Traversal vulnerability in SAP Business Connector, an attacker authenticated as an administrator with adjacent access could read, write, overwrite, and delete arbitrary files on the host system. Successful exploitation could enable the attacker to execute arbitrary operating system commands on the server, resulting in a complete compromise of the confidentiality, integrity, and availability of the affected system. Published Tuesday, November 11, 2025 |
| 6.9 | CVE-2025-42895 Due to insufficient validation of connection property values, the SAP HANA JDBC Client allows a high-privilege locally authenticated user to supply crafted parameters that lead to unauthorized code loading, resulting in low impact on confidentiality and integrity and high impact on availability of the application. Published Tuesday, November 11, 2025 |
| 7.3 | CVE-2025-7429 Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Mails Deleted or Moved report. Published Tuesday, November 11, 2025 |
| 7.4 | CVE-2025-64688 In JetBrains YouTrack before 2025.3.104432 missing VCS URL validation allowed delegation to unauthorized repositories from the Junie widget. Published Monday, November 10, 2025 |
| N/A | CVE-2025-64099 Open Access Management (OpenAM) is an access management solution. In versions prior to 16.0.0, if the "claims_parameter_supported" parameter is activated, it is possible, via the "oidc-claims-extension.groovy" script, to inject a value of one's choice into a claim contained in the id_token or in the user_info. In the request to the authorize function, a claims parameter containing a JSON document can be injected. This JSON document allows attackers to customize the claims returned in the "id_token" and "user_info". This allows for a very wide range of vulnerabilities depending on how clients use claims. For example, if some clients rely on an email field to identify a user, an attacker can choose the email address they want, and therefore assume any identity they choose. Version 16.0.0 fixes the issue. Published Wednesday, November 12, 2025 |
| 2.7 | CVE-2025-64681 In JetBrains Hub before 2025.3.104992 a race condition allowed bypass of the user limit via invitations. Published Monday, November 10, 2025 |
| 5.3 | CVE-2025-64683 In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API. Published Monday, November 10, 2025 |
| 4.5 | CVE-2025-64684 In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form. Published Monday, November 10, 2025 |
| 8.1 | CVE-2025-64685 In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure. Published Monday, November 10, 2025 |
| 5.4 | CVE-2025-64687 In JetBrains YouTrack before 2025.3.104432 improper access control allowed modification of MCP tool logic. Published Monday, November 10, 2025 |
| 5.4 | CVE-2025-64690 In JetBrains YouTrack before 2025.3.104432 insecure Junie configuration could lead to data exposure and unauthorized changes. Published Monday, November 10, 2025 |
| 7.5 | CVE-2025-64518 The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML `Validator` used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format. Published Monday, November 10, 2025 |
| 6.1 | CVE-2025-42893 Due to an Open Redirect vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site displayed within an embedded frame. Successful exploitation could allow the attacker to steal sensitive information and perform unauthorized actions, impacting the confidentiality and integrity of web client data. There is no impact to system availability resulting from this vulnerability. Published Tuesday, November 11, 2025 |
| 7.3 | CVE-2025-7430 Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Folder Message Count and Size report. Published Tuesday, November 11, 2025 |
| 9.8 | CVE-2025-8324 Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to unauthenticated SQL Injection due to improper filter configuration. Published Tuesday, November 11, 2025 |
| 8.8 | CVE-2025-9223 Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection due to improper configuration of the execute program action feature. Published Tuesday, November 11, 2025 |
| 6.1 | CVE-2025-63419 Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files; the feature reflects the filename into an emailbody field without sanitization, leading to HTML Injection. Published Wednesday, November 12, 2025 |
| N/A | CVE-2025-11565 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause elevated system access when a Web Admin user on the local network tampers with the POST /REST/UpdateJRE request payload. Published Wednesday, November 12, 2025 |
| 5.4 | CVE-2025-36223 IBM OpenPages 9.0 and 9.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. Published Wednesday, November 12, 2025 |
| 6.8 | CVE-2025-11538 A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine. Published Thursday, November 13, 2025 |
| 2.7 | CVE-2025-64773 In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of the helpdesk Agent limit. Published Tuesday, November 11, 2025 |
| 4.1 | CVE-2025-63420 CrushFTP11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created Folder"), enabling persistent HTML execution in admin sessions. Published Friday, November 7, 2025 |
| 4.3 | CVE-2025-12921 A vulnerability has been found in OpenClinica Community Edition up to 3.12.2/3.13. Affected by this issue is some unknown functionality of the file /ImportCRFData?action=confirm of the component CRF Data Import. Such manipulation of the argument xml_file leads to xml injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Sunday, November 9, 2025 |
| 6.3 | CVE-2025-12922 A vulnerability was found in OpenClinica Community Edition up to 3.12.2/3.13. This affects an unknown part of the file /ImportCRFData?action=confirm of the component CRF Data Import. Performing manipulation of the argument xml_file results in path traversal. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Monday, November 10, 2025 |
| 7.3 | CVE-2025-7632 Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Public Folders report. Published Tuesday, November 11, 2025 |
| N/A | CVE-2025-47222 Keyfactor SignServer before 7.3.1 has Incorrect Access Control, issue 3 of 3. Published Thursday, November 13, 2025 |
| N/A | CVE-2025-47221 Keyfactor SignServer before 7.3.1 has Incorrect Access Control, issue 2 of 3. Published Thursday, November 13, 2025 |
| N/A | CVE-2025-47220 Keyfactor SignServer before 7.3.1 has Incorrect Access Control, issue 1 of 3. Published Thursday, November 13, 2025 |
| N/A | CVE-2025-12149 In Search Guard FLX versions 3.1.2 and earlier, while Document-Level Security (DLS) is correctly enforced elsewhere, when the search is triggered from a Signals watch, the DLS rule is not enforced, allowing access to all documents in the queried indices. Published Friday, November 14, 2025 |
| 6.3 | CVE-2025-13118 A vulnerability was detected in macrozheng mall-swarm up to 1.0.3. Affected by this issue is the function paySuccess of the file /order/paySuccess. The manipulation of the argument orderID results in improper authorization. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Thursday, November 13, 2025 |
| 4.3 | CVE-2025-27368 IBM OpenPages 9.0 and 9.1 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points used by the user interface of OpenPages. An authenticated user is able to obtain certain information about system metadata for areas beyond what the user is intended to view. Published Wednesday, November 12, 2025 |
| 6.5 | CVE-2025-63617 ktg-mes before commit a484f96 (2025-07-03) has a fastjson deserialization vulnerability. This is because it uses a vulnerable version of fastjson and deserializes unsafe input data. Published Monday, November 10, 2025 |
| 7.3 | CVE-2025-12925 A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. Impacted is the function getAll/addDic/getAllDic/deleteDic of the file src/main/java/com/rymcu/forest/lucene/api/UserDicController.java. The manipulation results in missing authorization. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. Published Monday, November 10, 2025 |
| 5.4 | CVE-2025-13116 A weakness has been identified in macrozheng mall-swarm up to 1.0.3. Affected is the function cancelUserOrder of the file /order/cancelUserOrder. Executing manipulation of the argument orderId can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. Published Thursday, November 13, 2025 |
| 7.3 | CVE-2025-59118 Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue. Published Wednesday, November 12, 2025 |
| 9.1 | CVE-2025-63690 In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a parameterless constructor and its methods with parameter type String through reflection. At this time, the eval method in Tomcat's built-in class jakarta.el.ELProcessor can be used to execute commands, leading to a remote code execution vulnerability. Published Friday, November 7, 2025 |
| 6.5 | CVE-2025-63687 An issue was discovered in rymcu forest through commit f782e85 (2025-09-04) in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized attackers to delete arbitrary users' posts. Published Friday, November 7, 2025 |
| 6.1 | CVE-2025-60646 A stored cross-site scripting (XSS) vulnerability in the Business Line Management module of Xxl-api v1.3.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter. Published Wednesday, November 12, 2025 |
| 6.5 | CVE-2025-60645 A Cross-Site Request Forgery (CSRF) in xxl-api v1.3.0 allows attackers to arbitrarily add users to the management module via a crafted GET request. Published Wednesday, November 12, 2025 |
| 6.5 | CVE-2025-61623 Reflected cross-site scripting vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue. Published Wednesday, November 12, 2025 |
| 6.3 | CVE-2025-13114 A vulnerability was identified in macrozheng mall-swarm up to 1.0.3. This affects the function updateAttr of the file /cart/update/attr. Such manipulation leads to improper authorization. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Thursday, November 13, 2025 |
| 4.3 | CVE-2025-12924 A vulnerability was identified in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. This issue affects the function GlobalResult of the file src/main/java/com/rymcu/forest/web/api/bank/BankController.java. The manipulation leads to missing authorization. The attack may be initiated remotely. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. Published Monday, November 10, 2025 |
