Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. The standard format for interpolation is "$", where "prefix" is used to locate an instance of 2.interpol.Lookup that performs the interpolation.
Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page.Īpache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.Ī carefully crafted invocation on the Image plugin could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker's account. No future releases of Apache Xalan Java to address this issue are expected.
The Apache Xalan Java project is dormant and in the process of being retired. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack management server.
When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can't establish the connection.Īpache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection.
From Apache Calcite Avatica 1.22.0 onwards, it will be verified that the class implements the expected interface before invoking its constructor.Ī vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. To exploit the vulnerability: 1) the attacker needs to have privileges to control JDBC connection parameters 2) and there should be a vulnerable class (constructor with URL parameter and ability to execute code) in the classpath.
Affected versions allow a logged-in user to run applications with elevated privileges via the Clipboard Compare tray app after installation.Īpache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided via `httpclient_impl` connection property however, the driver does not verify if the class implements the expected interface before instantiating it, which can lead to code execution loaded via arbitrary classes and in rare cases remote code execution.
There is an elevation of privilege breakout vulnerability in the Windows EXE installer in Scooter Beyond Compare 4.2.0 through 4.4.2 before 4.4.3. If a standard user places malicious DLLs in the C:\Windows\Temp\ folder, and then the uninstaller is run as SYSTEM, the DLLs will execute with elevated privileges. The uninstaller attempts to load DLLs out of a Windows Temp folder. A DLL hijacking vulnerability exists in the uninstaller in Scooter Beyond Compare 1.8a through 4.4.2 before 4.4.3 when installed via the EXE installer.