#vulnerability

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI. This allows attackers with View/Read permission to view encrypted values of secrets. Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in view `config.xml` accessed via REST API or CLI for users lacking View/Configure permission.

A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code via injecting a crafted payload into the template field.

An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to use the `|attr` filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the `|attr` filter no longer bypasses the environment's attribute lookup.

### Impact Dgl implements rpc server (start_server() in rpc_server.py) for supporting the RPC communications among different remote users over networks. It relies on pickle serialize and deserialize to pack and unpack network messages. The is a known risk in pickle deserialization functionality that can be used for remote code execution. ### Patches TBD. ### Workarounds When running DGL distributed training and inference (DistDGL) make sure you do not assign public IPs to any instance in the cluster. ### References Issue #7874 ### Reported by Pinji Chen ([cpj24@mails.tsinghua.edu.cn](mailto:cpj24@mails.tsinghua.edu.cn)) from NISL lab (https://netsec.ccert.edu.cn/about) at Tsinghua University

Malicious, user-crafted request payloads could potentially lead to remote code execution within Volt components.

When using wildcard validation to validate a given file or image field array (`files.*`), a user-crafted malicious request could potentially bypass the validation rules.

### Summary Reflected cross-site scripting (XSS) is a type of web vulnerability that occurs when a web application fails to properly sanitize user input, allowing an attacker to inject malicious code into the application's response to a user's request. When the user's browser receives the response, the malicious code is executed, potentially allowing the attacker to steal sensitive information or take control of the user's account. ### Details On the latest version of Redaxo, v5.18.2, the rex-api-result parameter is vulnerable to Reflected cross-site scripting (XSS) on the page of AddOns. ### PoC 1. Login Redaxo as administrative user. 2. Navigate to the URL: [http://localhost/redaxo/index.php?page=packages&rex-api-call=package&&rex-api-result={%22succeeded%22%3Atrue%2C%22message%22%3A%22%3Cimg%20src=x%20onerror=alert(document.domain);%3E%22}](http://localhost/redaxo/index.php?page=packages&rex-api-call=package&&rex-api-result=%7B%22succeeded%22%3Atrue%2C%22message%22%3A%22%3Cimg%20s...

### Summary A denial-of-service (DoS) vulnerability in OpenDJ has been discovered that causes the server to become unresponsive to all LDAP requests without crashing or restarting. This issue occurs when an alias loop exists in the LDAP database. If an `ldapsearch` request is executed with alias dereferencing set to "always" on this alias entry, the server stops responding to all future requests. I have confirmed this issue using the latest OpenDJ version (9.2), both with the official OpenDJ Docker image and a local OpenDJ server running on my Windows 10 machine. ### Details An unauthenticated attacker can exploit this vulnerability using a single crafted `ldapsearch` request. Fortunately, the server can be restarted without data corruption. While this attack requires the existence of an alias loop, I am uncertain whether such loops can be easily created in specific environments or if the method can be adapted to execute other DoS attacks more easily. ### PoC (Steps to Reproduce) 1. ...

### Summary An arbitrary file upload vulnerability was identified in the redaxo. This flaw permits users to upload malicious files, which can lead to JavaScript code execution and distribute malware. ### Details On the latest version of Redaxo, v5.18.2, the mediapool/media page is vulnerable to arbitrary file upload. ### PoC 1. Log in to the portal then navigate to `Mediapool`. 2. Upload a png file (ex: poc.png)  3. Intercept the upload HTTP request on burp suite and change `filename: poc.1html`, `Content-Type:image/html` and insert the malicious html code. (ex: `<IFRAME SRC="javascript:alert(1);"></IFRAME>`)  4. Forward the request. 5. Navigate to the file.  ![4](https://github.com/user-attachments/assets/29db80e3-a5b9-43...

### Impact The Lucee team received a responsible disclosure of a security vulnerability which affects all previous releases of Lucee. After reviewing the report and confirming the vulnerability, the Lucee team then conducted a further security review and found additional vulnerabilities which have been addressed as part of this this security update. ### Patches Lucee 5.4.3.2 and 5.3.12.1 stable releases have been patched with additional hardening The older releases, 5.3.7.59., 5.3.8.236 and 5.3.9.173 have also been patched Any users running older release, should plan to immediately upgrade to the latest stable release 6.0 will have a RC as it's not yet released