#java

Red Hat Security Advisory 2023-6207-01 - Red Hat JBoss Web Server 5.7.6 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include an information leakage vulnerability.

Red Hat Security Advisory 2023-6206-01 - An update is now available for Red Hat JBoss Web Server 5.7.6 on Red Hat Enterprise Linux versions 7, 8, and 9. Issues addressed include an information leakage vulnerability.

IBM CICS TX Advanced 10.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 260821.

IBM QRadar SIEM 7.5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 267484.

A group with links to Iran targeted transportation, logistics, and technology sectors in the Middle East, including Israel, in October 2023 amid a surge in Iranian cyber activity since the onset of the Israel-Hamas war. The attacks have been attributed by CrowdStrike to a threat actor it tracks under the name Imperial Kitten, and which is also known as Crimson Sandstorm (previously Curium),

sentry-javascript provides Sentry SDKs for JavaScript. An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This issue only affects users who have Next.js SDK tunneling feature enabled. The problem has been fixed in version 7.77.0.

### Impact An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open door for other attack vectors: * client-side vulnerabilities: XSS/CSRF in the context of the trusted domain; * interaction with internal network; * read cloud metadata endpoints (AWS, Azure, Google Cloud, etc.); * local/remote port scan. This issue only affects users who have [Next.js SDK tunneling feature](https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/#configure-tunneling-to-avoid-ad-blockers) enabled. ### Patches The problem has been fixed in [sentry/nextjs@7.77.0](https://www.npmjs.com/package/@sentry/nextjs/v/7.77.0) ### Workarounds Disable tunneling by removing the `tunnelRoute` option from Sentry Next.js SDK config — `next.config.js` or `next.config.mjs`. ### References * [Sentry Next.js tunneling feature](https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/#confi...

Cross Site Scripting (XSS) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to run arbitrary code via the new component feature in the flexibleLayout plugin.

### Impact This advisory addresses an issue when a DynamoDB Set attribute is marked as SIGN_ONLY in the AWS Database Encryption SDK (DB-ESDK) for DynamoDB. This also includes when a Set is part of a List or a Map. DB-ESDK for DynamoDB supports `SIGN_ONLY` and `ENCRYPT_AND_SIGN` attribute actions. In version 3.1.0 and below, when a Set type is assigned a `SIGN_ONLY` attribute action, there is a chance that signature validation of the record containing a Set will fail on read, even if the Set attributes contain the same values. The probability of a failure depends on the order of the elements in the Set combined with how DynamoDB returns this data, which is undefined. This update addresses the issue by ensuring that any Set values are canonicalized in the same order while written to DynamoDB as when read back from DynamoDB. ### Patches Fixed in version 3.1.1 We recommend all users upgrade as soon as possible. ### Workarounds None ### References For more information on how to addres...

In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).