#java

### Summary A Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing attacks on a trusted domain, posing a moderate risk to all users. ### Details _Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._ It's possible to inject html elements, including scripts through the [folder-list template](https://github.com/oxyno-zeta/s3-proxy/blob/master/templates/folder-list.tpl#L19C21-L19C38). It seems like the `.Request.URL.Path` variable is not escaped. I did some research and found it might be due to the `text/template` import being used in [the template implementation](https://github.com/oxyno-zeta/s3-proxy/blob/master/pkg/s3-proxy/utils/templateutils/template.go#L8), instead of the [safer](https://pkg.go.dev/html/template) `html/template`. ### PoC _Complete instructions, including ...

### Impact During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 real-time collaboration package. This vulnerability can lead to unauthorized JavaScript code execution and affects user markers, which represent users' positions within the document. This vulnerability affects only installations with [Real-time collaborative editing](https://ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html) enabled. ### Patches The problem has been recognized and patched. The fix will be available in version 44.2.1 (and above). ### For more information Email us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory.

Is your Signal, WhatsApp, or Telegram account safe? Google warns of increasing attacks by Russian state-backed groups. Learn…

Google is allowing its advertizing customers to fingerprint website visitors. Can you stop it?

Google warns that hackers tied to Russia are tricking Ukrainian soldiers with fake QR codes for Signal group invites that let spies steal their messages. Signal has pushed out new safeguards.

Microsoft is warning the modular and potentially wormable Apple-focused infostealer boasts new capabilities for obfuscation, persistence, and infection, and could lead to a supply chain attack.

Researchers earned a $50,500 Bug Bounty after uncovering a critical supply chain flaw in a newly acquired firm,…

The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers. The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "

### Summary A Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. ### Details The issue occurs at [line 52](https://github.com/octokit/request-error.js/blob/main/src/index.ts) of iterator.ts in the @octokit/request-error repository. The vulnerability is caused by the use of an inefficient regular expression in the handling of the `authorization` header within the request processing logic: ```js authorization: options.request.headers.authorization.replace( / .*$/, " [REDACTED]" ) ``` The regular expression `/ .*$/` matches a space followed by any number of characters until the end of th...

### Summary The `vlSelectionTuples` function can be used to call JavaScript functions, leading to XSS. ### Details [`vlSelectionTuples`](https://github.com/vega/vega/blob/b45cf431cd6c0d0c0e1567f087f9b3b55bc236fa/packages/vega-selections/src/selectionTuples.js#L14) calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. Example call: `vlSelectionTuples([{datum:<argument>}], {fields:[{getter:<function>}]})` This can be used to call `Function()` with arbitrary JavaScript and the resulting function can be called with `vlSelectionTuples` or using a type coercion to call `toString` or `valueOf`. ### PoC ``` {"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","init":"+{valueOf:vlSelectionTuples([{datum:'alert(1)'}],{fields:[{getter:[].at.constructor}]})[0].values[0]}"}]} ```