#java

A carefully crafted request using the Image plugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.3 or later.

** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated).  As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Cybersecurity researchers are calling attention to an ongoing campaign that distributes fake cryptocurrency trading apps to deploy a compiled V8 JavaScript (JSC) malware called JSCEAL that can capture data from credentials and wallets. The activity leverages thousands of malicious advertisements posted on Facebook in an attempt to redirect unsuspecting victims to counterfeit sites that instruct

React conquered XSS? Think again. That's the reality facing JavaScript developers in 2025, where attackers have quietly evolved their injection techniques to exploit everything from prototype pollution to AI-generated code, bypassing the very frameworks designed to keep applications secure. Full 47-page guide with framework-specific defenses (PDF, free). JavaScript conquered the web, but with

### Summary An unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sanitization of multimedia tags in music files, including `m3u` files. ### Details Multimedia metadata is rendered in the web-app without sanitization. This can be exploited in two ways: * a user which has the necessary permission for uploading files can upload a song with an artist-name such as `<img src=x onerror=alert(document.domain)>` * an unauthenticated user can trick another user into clicking a malicious URL, performing this same exploit using an externally-hosted m3u file The CVE score and PoC is based on the m3u approach, which results in a higher severity. ### PoC 1. Create a file named `song.m3u` with the following content. Host this file on an attacker-controlled web server. ```m3u #EXTM3U #EXTINF:1,"><img src=x onerror=alert(document.domain)> - "><img src=x onerror=alert(document.domain)> http://example.com/audio.mp3 ``` ...

### Description The lookup function takes a user address for checking accounts as a feature, however, as per the ActivityPub spec (https://www.w3.org/TR/activitypub/#security-considerations), on the security considerations section at B.3, access to Localhost services should be prevented while running in production. The library does not prevent Localhost access (neither does it prevent LAN addresses such as 192.168.x.x) , thus is not safe for use in production by ActivityPub applications. The only check for localhost is done for selecting between HTTP and HTTPS protocols, and it is done by testing for a host that starts with the string “localhost” and ends with a port. Anything else (such as “127.0.0.1” or “localhost:1234/abc”) would not be considered localhost for this test. In addition, the way that the function determines the host, makes it possible to access any path in the host, not only “/.well-known/...” paths: ```javascript if (address.indexOf('://') > -1) { // other uri for...

### Description Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (ie: `org.opencastproject.security.digest.user` and `org.opencastproject.security.digest.pass`) when attempting to fetch mediapackage elements included in a mediapackage XML file. A [previous CVE](https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9) prevented many cases where the credentials were inappropriately sent, but not all. The remainder are addressed with this patch. ### Impact Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. ### Patches This issue is fixed in Opencast 17.6 If you have any questions or comments about this advisory: - Open an issue in our [issue tracker](https://github.com/opencast/opencast/issues) - Email us at security@opencast.org

Staff augmentation is a strategy for smart tech teams looking to launch something big. Trying to plug skill gaps or scale without the overhead? Collaborate with a trusted IT staff augmentation company.

Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().

### Summary form-data uses `Math.random()` to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker: 1. can observe other values produced by Math.random in the target application, and 2. can control one field of a request made using form-data Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request. This is largely the same vulnerability as was [recently found in `undici`](https://hackerone.com/reports/2913312) by [`parrot409`](https://hackerone.com/parrot409?type=user) -- I'm not affiliated with that researcher but want to giv...