Critical SQL injection vulnerability in XWiki that allows unauthenticated remote attackers to execute arbitrary SQL queries against Oracle databases by exploiting insufficient validation of native SQL functions (DBMS_XMLGEN, DBMS_XMLQUERY) in Hibernate query processing. The vulnerability affects XWiki versions before 16.10.2, 16.4.7, and 15.10.16, with a CVSS score of 9.8 indicating critical severity and complete compromise of confidentiality, integrity, and availability. This is a pre-authentication remote code execution vector with no user interaction required.
A authentication bypass vulnerability in all (CVSS 9.8). Critical severity with potential for significant impact on affected systems.
Archive::Unzip::Burst, a Perl module for ZIP file extraction (versions 0.01-0.09), bundles a vulnerable version of the InfoZip library affected by three critical memory corruption vulnerabilities (CVE-2014-8139, CVE-2014-8140, CVE-2014-8141). An unauthenticated remote attacker can exploit these vulnerabilities by crafting a malicious ZIP file to achieve arbitrary code execution with a CVSS score of 9.8, representing critical severity. The vulnerability requires no user interaction or special privileges and can be exploited over the network.
Critical authentication bypass vulnerability in vantage6 (an open-source federated learning and privacy-enhancing technology framework) that allows attackers with valid authenticated session access to brute-force user passwords through the change password endpoint without rate limiting or account lockout protections. An attacker can enumerate passwords infinitely by calling the password change route repeatedly, receiving detailed error messages indicating password correctness. The vulnerability affects vantage6 versions prior to 4.11 and carries a CVSS score of 9.8 (critical severity).
Critical unauthenticated SQL injection vulnerability in the JEvents component for Joomla that allows remote attackers to execute arbitrary SQL queries through publicly accessible date range filtering actions. The vulnerability affects JEvents versions before 3.6.88 and 3.6.82.1, enabling attackers to extract sensitive database information, modify data, or potentially achieve remote code execution. With a CVSS score of 9.3 and network-based attack vector requiring no privileges or user interaction, this represents a severe risk to all unpatched Joomla installations using vulnerable JEvents versions.