{"vulnerability": "CVE-2023-4760", "sightings": [{"uuid": "6402e68a-fcba-45a2-85f0-9ad3fb6de789", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-47609", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/749", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-47609\n\ud83d\udd39 Description: SQL injection vulnerability in OSS Calendar versions prior to v.2.0.3 allows a remote authenticated attacker to execute arbitrary code or obtain and/or alter the information stored in the database by sending a specially crafted request.\n\ud83d\udccf Published: 2023-11-14T05:12:19.484Z\n\ud83d\udccf Modified: 2025-01-08T16:44:16.361Z\n\ud83d\udd17 References:\n1. https://oss-calendar.com/news/20231113/\n2. https://jvn.jp/en/jp/JVN67822421/", "creation_timestamp": "2025-01-08T17:18:09.000000Z"}, {"uuid": "b7ea18d5-e3f7-4a39-937e-1e4629b1a2f0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-4760", "type": "seen", "source": "https://t.me/cibsecurity/70876", "content": "\u203c CVE-2023-4760 \u203c\n\nIn Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component.The reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name) method. As soon as this finds a / in the path, everything before it is removed, but potentially \\ (backslashes) coming further back are kept.For example, a file name such as /..\\..\\webapps\\shell.war can be used to upload a file to a Tomcat server under Windows, which is then saved as ..\\..\\webapps\\shell.war in its webapps directory and can then be executed.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-09-21T12:30:57.000000Z"}]}