
Tag

#java

Visual Planning 8 Authentication Bypass

Unauthenticated attackers can exploit a weakness in the password reset functionality of the Visual Planning application to obtain access to arbitrary user accounts, including administrators. If administrative accounts (in the context of Visual Planning) are compromised, attackers can install malicious modules into the application to take over the application server hosting the Visual Planning application. All versions prior to Visual Planning 8 (Build 240207) are affected.

Packet Storm
#vulnerability#web#git#java#ldap#auth

Visual Planning REST API 2.0 Authentication Bypass

A wildcard injection inside a prepared SQL statement was found in an undocumented Visual Planning 8 REST API route. The combination of fuzzy matching (via LIKE operator) and user-controlled input allows exfiltrating the REST API key based on distinguishable server responses. If exploited, attackers are able to gain administrative access to the REST API version 2.0.

DerbyNet 9.0 playlist.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in playlist.php.

DerbyNet 9.0 racer-results.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in racer-results.php.

DerbyNet 9.0 inc/kiosks.inc Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in inc/kiosks.inc.

DerbyNet 9.0 photo-thumbs.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in photo-thumbs.php.

DerbyNet 9.0 checkin.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in checkin.php.

DerbyNet 9.0 photo.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in photo.php.

Seo Panel 4.7.0 Cross Site Scripting

Seo Panel version 4.7.0 suffers from a cross site scripting vulnerability.

Red Hat Security Advisory 2024-1678-03

Red Hat Security Advisory 2024-1678-03 - An update for nodejs is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a denial of service vulnerability.