#java

### Impact The mail obfuscation configuration was not fully taken into account and while the mail displayed to the end user was obfuscated: - the rest response was also containing the mail unobfuscated - user were able to filter and sort on the unobfuscated (allowing to infer the mail content) The consequence was the possibility to retrieve the email addresses of all users even when obfuscated. See https://jira.xwiki.org/browse/XWIKI-20333 for the reproduction steps. ### Patches This has been patched in XWiki 14.10.4, XWiki 14.4.8, and XWiki 15.0-rc-1. ### Workarounds The workaround is to modify the page `XWiki.LiveTableResultsMacros` following this [patch](https://github.com/xwiki/xwiki-platform/commit/71f889db9962df2d385f4298e29cfbc9050b828a#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a). ### References https://jira.xwiki.org/browse/XWIKI-20333 ### For more information If you have any questions or comments about this advisory: * Open an issue in [J...

### Impact Tags from pages not viewable to the current user are leaked by the tags API. This information can also be exploited to infer the document reference of non-viewable pages. ### Patches This vulnerability has been patched in XWiki 14.4.8, 14.10.4, and 15.0 RC1. ### Workarounds There is no workaround apart from upgrading to a fixed version. ### References - https://jira.xwiki.org/browse/XWIKI-20002 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

### Impact Any user who can edit a document in a wiki like the user profile can create a stored XSS attack by putting plain HTML code into that document and then tricking another user to visit that document with the `displaycontent` or `rendercontent` template and plain output syntax. For example, edit any document with the wiki editor and set the content to `<script>alert(1)</script>` , save and then append the parameters `?viewer=displaycontent&sheet=&outputSyntax=plain`. If this displays an alert, the installation is vulnerable. If a user with programming rights is tricked into visiting such a URL, arbitrary actions be performed with this user's rights, impacting the confidentiality, integrity, and availability of the whole XWiki installation. ### Patches This has been patched in XWiki 14.4.8, 14.10.5 and 15.1RC1 by setting the content type of the response to plain text when the output syntax is not an HTML syntax. ### Workarounds The [patch](https://github.com/xwiki/xwiki-platfo...

Cross Site Request Forgery vulnerability in Gila GilaCMS v.1.11.4 allows a remote attacker to execute arbitrary code via the cm/update_rows/user parameter.

Cross Site Scripting vulnerability in khodakhah NodCMS v.3.0 allows a remote attacker to execute arbitrary code and gain access to senstivie information via a crafted script to the address parameter.

Ubuntu Security Notice 6179-1 - It was discovered that Jettison incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

Symantec SiteMinder WebAgent version 12.52 suffers from a cross site scripting vulnerability.

Student Study Center Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

Tenda AC6 AC1200 version 15.03.06.50_multi suffers from a persistent cross site scripting vulnerability.

By Deeba Ahmed Threat actors have been taking over abandoned S3 buckets to launch malicious binaries, steal login credentials and more. This is a post from HackRead.com Read the original post: Supply Chain Attack: Abandoned S3 Buckets Used for Malicious Payloads