#java

[Note] This is a separate issue from the RCE vulnerability (State Pollution) currently being patched. While related to tokensecurity.js, it involves different endpoints and risks. ### Summary An unauthenticated information disclosure vulnerability allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed analyzer tools. This exposure facilitates reconnaissance for further attacks. ### Details The vulnerability stems from the fact that several sensitive API endpoints are not included in the authentication middleware's protection list in `src/tokensecurity.js`. **Vulnerable Code Analysis:** 1. **Missing Protection**: The `tokensecurity.js` file defines an array of paths that require authentication. However, the following paths defined in `src/serverroutes.ts` are missing from this list: - `/skServer/serialports` - `/skServer/availablePaths` - `/skServer/hasAnalyzer` 2. **Unrestricted Access*...

### Summary A Denial of Service (DoS) vulnerability allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects. ### Details The vulnerability is caused by a lack of rate limiting and improper memory management for incoming access requests. **Vulnerable Code Analysis:** 1. **In-Memory Storage**: In `src/requestResponse.js`, requests are stored in a simple JavaScript object: ```javascript const requests = {} ``` 2. **Unbounded Growth**: The `createRequest` function adds new requests to this object without checking the current size or count of existing requests. 3. **Infrequent Pruning**: The `pruneRequests` function, which removes old requests, runs only once every **15 minutes** (`pruneIntervalRate`). 4. **No Rate Limiting**: The endpoint `/signalk/v1/access/requests` accepts POST requests...

Conventional development frequently results in a trade-off between speed and brand consistency, which harms reputation by causing delays…

The first ThreatsDay Bulletin of 2026 lands on a day that already feels symbolic — new year, new breaches, new tricks. If the past twelve months taught defenders anything, it’s that threat actors don’t pause for holidays or resolutions. They just evolve faster. This week’s round-up shows how subtle shifts in behavior, from code tweaks to job scams, are rewriting what “cybercrime” looks like in

### Impact The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads. An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. ### Patches Update Recommendation: Users should upgrade to Trix editor version 2.1.16 or later. ### Resources The XSS vulnerability was reported by HackerOne researcher [michaelcheers](https://hackerone.com/michaelcheers?type=user).

The threat actor behind two malicious browser extension campaigns, ShadyPanda and GhostPoster, has been attributed to a third attack campaign codenamed DarkSpectre that has impacted 2.2 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox. The activity is assessed to be the work of a Chinese threat actor that Koi Security is tracking under the moniker DarkSpectre. In all, the

Cybersecurity researchers have disclosed details of what appears to be a new strain of Shai Hulud on the npm registry with slight modifications from the previous wave observed last month. The npm package that embeds the novel Shai Hulud strain is "@vietmoney/react-big-calendar," which was uploaded to npm back in March 2021 by a user named "hoquocdat." It was updated for the first time on

### Summary The `arrayLimit` option in qs does not enforce limits for bracket notation (`a[]=1&a[]=2`), allowing attackers to cause denial-of-service via memory exhaustion. Applications using `arrayLimit` for DoS protection are vulnerable. ### Details The `arrayLimit` option only checks limits for indexed notation (`a[0]=1&a[1]=2`) but completely bypasses it for bracket notation (`a[]=1&a[]=2`). **Vulnerable code** (`lib/parse.js:159-162`): ```javascript if (root === '[]' && options.parseArrays) { obj = utils.combine([], leaf); // No arrayLimit check } ``` **Working code** (`lib/parse.js:175`): ```javascript else if (index <= options.arrayLimit) { // Limit checked here obj = []; obj[index] = leaf; } ``` The bracket notation handler at line 159 uses `utils.combine([], leaf)` without validating against `options.arrayLimit`, while indexed notation at line 175 checks `index <= options.arrayLimit` before creating arrays. ### PoC **Test 1 - Basic bypass:** ```bash npm i...

A stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session.

### Summary A stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose **display name** contains HTML entities (e.g., `&lt;img ...&gt;`). When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context. ### Details Root cause is the following chain: - **User-controlled input stored**: attacker-provided `display_name` (real name) is stored in DB (often as HTML entities, e.g., `&lt;img ...&gt;`). - **Decode on read**: `phpmyfaq/src/phpMyFAQ/User/UserData.php` decodes `display_name` using `html_entity_decode(...)` (“for backward compatibility”). - **Unsafe sink**: admin user list renders the decoded value unescaped using Twig `|raw`: - `phpmyfaq/assets/templates/admin/user/users.twig` (users table uses `{{ user.display_name|raw }}`) As a result, an entity-encoded payload becomes active ...