CWE-116

Improper Encoding or Escaping of Output

63 CVEs, average CVSS 6.3 (MITRE). Severity breakdown: 10 critical, 12 high, 32 medium, 9 low. 9 with a public POC, 0 listed in KEV.

CVE-2026-40023 MEDIUM PATCH This Month

Apache Log4cxx XMLLayout before version 1.7.0 fails to sanitize XML-forbidden characters in log messages, NDC (Nested Diagnostic Context), and MDC (Mapped Diagnostic Context) properties, producing malformed XML that conforming parsers reject with fatal errors. Attackers who can influence logged data can exploit this to suppress individual log records, degrading audit trails and impairing detection of malicious activity. The vulnerability affects all versions prior to 1.7.0 across multiple distribution channels (native, Conan, Homebrew), with vendor-released patch version 1.7.0 now available.

Tags: Apache, Information Disclosure. Sources: NVD, GitHub, VulDB. CVSS 4.0: 6.3. EPSS: 0.1%.
CVE-2026-40021 MEDIUM PATCH This Month

Apache Log4net versions before 3.3.0 fail to sanitize XML 1.0-forbidden characters in MDC property keys and values, as well as identity fields, causing serialization exceptions that silently drop log events when XmlLayout or XmlLayoutSchemaLog4J are in use. An attacker who can influence these fields can suppress individual audit log records, impairing detection of malicious activity. No public exploit code or active exploitation has been confirmed; a patch is available from the vendor.

Tags: Apache, Information Disclosure. Sources: NVD, GitHub, VulDB. CVSS 4.0: 6.3. EPSS: 0.1%.
CVE-2026-34481 MEDIUM PATCH GHSA This Month

Apache Log4j JsonTemplateLayout versions up to 2.25.3 generate invalid JSON when logging non-finite floating-point values (NaN, Infinity, -Infinity), violating RFC 8259 and causing downstream log processing systems to fail indexing or reject records. An unauthenticated remote attacker can trigger this by controlling floating-point values in MapMessages logged by vulnerable applications, resulting in data loss or processing failures in log aggregation pipelines. Vendor-released patch: version 2.25.4.

Tags: Apache, Information Disclosure. Sources: NVD, GitHub. CVSS 4.0: 6.3. EPSS: 0.1%.
CVE-2026-34480 MEDIUM PATCH GHSA This Month

Apache Log4j Core's XmlLayout in versions up to 2.25.3 fails to sanitize XML-forbidden characters, producing malformed XML output when log messages or MDC values contain such characters. The impact varies by StAX implementation: JRE's built-in StAX silently writes invalid XML that conforming parsers reject, potentially causing downstream log-processing systems to drop records; alternative StAX implementations like Woodstox throw exceptions during logging calls, preventing event delivery to the intended appender. No public exploit code or active exploitation has been identified; this is a data integrity and log availability issue rather than a confidentiality or authentication bypass. Patch version 2.25.4 is available from Apache.

Tags: Apache, Information Disclosure. Sources: NVD, GitHub. CVSS 4.0: 6.9. EPSS: 0.1%.
CVE-2026-34479 MEDIUM PATCH This Month

Log4j1XmlLayout in the Apache Log4j 1-to-Log4j 2 bridge fails to escape XML 1.0-forbidden characters, causing malformed XML output that conforming XML parsers reject with fatal errors. This impacts downstream log processing systems that may drop or fail to index affected log records, affecting organizations using either Log4j1XmlLayout directly in Log4j Core 2 configurations or the deprecated Log4j 1 compatibility layer with XMLLayout. While no active exploitation has been confirmed, the vulnerability has a notable EPSS score and affects information disclosure integrity. Vendor-released patch version 2.25.4 is available.

Tags: Apache, Information Disclosure. Sources: NVD, GitHub. CVSS 4.0: 6.9. EPSS: 0.1%.
CVE-2026-34483 HIGH PATCH GHSA This Week

Information disclosure in Apache Tomcat's JsonAccessLogValve allows unauthenticated remote attackers to retrieve sensitive data due to improper output encoding. Affects Tomcat versions 11.0.0-M1 through 11.0.20, 10.1.0-M1 through 10.1.53, and 9.0.40 through 9.0.116. The vulnerability enables high-impact confidentiality breaches through network-accessible attack vectors with low complexity and no user interaction required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).

Tags: Apache, Information Disclosure, Tomcat, Apache Tomcat. Sources: NVD, VulDB. CVSS 3.1: 7.5. EPSS: 0.0%.
CVE-2026-25932 HIGH This Week

Stored cross-site scripting (XSS) in GLPI asset management software allows authenticated technician-level users to inject malicious JavaScript into supplier fields, achieving code execution in victim browsers with high confidentiality, integrity, and availability impact. Affects GLPI versions 0.60 through 10.0.23, patched in version 10.0.24. EPSS data not available; no public exploit identified at time of analysis, and not listed in CISA KEV. The CVSS score of 7.2 reflects network-accessible attack requiring high privileges but no user interaction, making this a medium-priority issue for organizations running vulnerable GLPI instances with multiple technician accounts.

Tags: XSS. Sources: NVD, GitHub. CVSS 3.1: 7.2. EPSS: 0.0%.
CVE-2026-33301 HIGH This Week

A remote code execution vulnerability in OpenEMR (CVSS 8.1). High severity vulnerability requiring prompt remediation.

Tags: Information Disclosure. Sources: NVD, GitHub, VulDB. CVSS 3.1: 8.1. EPSS: 0.0%.
CVE-2026-32811 HIGH PATCH This Week

Heimdall, an authorization decision API for Envoy proxy, contains a path traversal bypass vulnerability when used in gRPC decision API mode. Attackers can bypass non-wildcard path expression rules by appending query parameters to URLs, which causes incorrect URL encoding that prevents rule matching. A proof-of-concept is publicly available demonstrating the bypass, though exploitation requires heimdall to be configured with an insecure 'allow all' default rule (which is blocked by secure defaults since v0.16.0 unless explicitly disabled).

Tags: Docker, Authentication Bypass. Sources: NVD, GitHub, VulDB. CVSS 3.1: 8.2. EPSS: 0.0%.
CVE-2026-31898 HIGH PATCH This Week

A code injection vulnerability in the jsPDF library allows attackers to inject arbitrary PDF objects, including malicious JavaScript actions, through unsanitized user input to the createAnnotation method. The vulnerability affects jsPDF versions prior to 4.2.1 and enables remote attackers to execute arbitrary code when a victim opens or interacts with a maliciously crafted PDF file. A proof-of-concept exploit is publicly available demonstrating how to launch system executables like calc.exe through PDF action injection.

Tags: Code Injection. Sources: NVD, GitHub, VulDB. CVSS 3.1: 8.1. EPSS: 0.0%.