#java

Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page.

Jenkins uses the Remoting library (typically `agent.jar` or `remoting.jar`) for the communication between controller and agents. This library allows agents to load classes and classloader resources from the controller, so that Java objects sent from the controller (build steps, etc.) can be executed on agents. In addition to individual class and resource files, Remoting also allows Jenkins plugins to transmit entire jar files to agents using the `Channel#preloadJar` API. As of publication of this advisory, this feature is used by the following plugins distributed by the Jenkins project: bouncycastle API, Groovy, Ivy, TeamConcert In Remoting 3256.v88a_f6e922152 and earlier, except 3206.3208.v409508a_675ff and 3248.3250.v3277a_8e88c9b_, included in Jenkins 2.470 and earlier, LTS 2.452.3 and earlier, calls to `Channel#preloadJar` result in the retrieval of files from the controller by the agent using `ClassLoaderProxy#fetchJar`. Additionally, the implementation of `ClassLoaderProxy#fetc...

Red Hat Security Advisory 2024-5025-03 - Red Hat JBoss Web Server 5.8.1 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.

Covid-19 Directory on Vaccination System version 1.0 suffers from an ignored default credential vulnerability.

Red Hat Security Advisory 2024-5024-03 - An update is now available for Red Hat JBoss Web Server 5.8 on Red Hat Enterprise Linux versions 7, 8, and 9.

Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances. "When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's

Protections like Windows Smart App Control are useful but susceptible to attacks that allow threat actors initial access to an environment without triggering any alerts.

### Summary A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0. ### Details Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules: https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208 - If the string is an attribute value: - `"` -> `&quot;` - `&` -> `&amp;` - Other characters -> No conversion - Otherwise: - `<` -> `&lt;` - `>` -> `&gt;` - `&` -> `&amp;` - Other characters -> No conversion It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). ## PoC A vulnerable component: ```javascript import { component$ } from "@builder.io/qwik"; import { useLocation } from "@builder.io/qwik-city"; export default component$(() => { // user input cons...

Concert Ticket Reservation System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

Computer Laboratory Management System version 1.0 suffers from an ignored default credential vulnerability.