#java

### Summary Short descriptions are not properly sanitized by the ShortDescription before being inserted as HTML using `mw.util.addSubtitle`, allowing any user to insert arbitrary HTML into the DOM by editing a page. ### Details The description provided by the user via the `{{SHORTDESC:}}` parser function is insufficiently sanitized by the `sanitize()` function, as html entities are decoded: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/includes/Hooks/ParserHooks.php#L147-L159 Via JS, the short description is then passed to `mw.util.addSubtitle`, which inserts it as raw HTML: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/modules/ext.shortDescription.js#L8 https://github.com/wikimedia/mediawiki/blob/96372101b3c579d9992e8a31a3ccd90a937cac47/resources/src/mediawiki.util/util.js#L552-L563 ### PoC 1. Enable ShortDescription 2. Make sure `$wgSho...

### Summary Short descriptions set via the [ShortDescription extension](https://www.mediawiki.org/wiki/Extension:ShortDescription) are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM by editing a page. ### Details The `shortdesc` property, which contains unsanitized user input, is retrieved from the OutputPage and returned as the tagline: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/0d8a44011e02a081618359a1e90f462478e807aa/includes/Components/CitizenComponentPageHeading.php#L249-L251 The tagline is then provided to the template data: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/0d8a44011e02a081618359a1e90f462478e807aa/includes/Components/CitizenComponentPageHeading.php#L270-L275 The template then inserts the tagline into raw HTML without doing any escaping: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/0d8a44011e02a081618359a1e90f462478e807aa/templates/PageHeading.mustache#L12 ...

### Summary This vulnerability affects JUnit's support for writing Open Test Reporting XML files which is an opt-in feature of `junit-platform-reporting`. If a repository is cloned using a GitHub token or other credentials in its URL, for example: ```bash git clone https://${GH_APP}:${GH_TOKEN}@github.com/example/example.git ``` The credentials are captured by `OpenTestReportGeneratingListener` which produces (trimmed for brevity): ```xml <infrastructure> <git:repository originUrl="https://username:[email protected]/example/example.git" /> </infrastructure> ``` ### Details https://github.com/junit-team/junit5/blob/6b7764dac92fd35cb348152d1b37f8726875a4e0/junit-platform-reporting/src/main/java/org/junit/platform/reporting/open/xml/OpenTestReportGeneratingListener.java#L183 I think this should be configurable in some way to exclude select git information or exclude it entirely. ### PoC 1. Clone a repo using a GitHub token as shown above. 2. Enable the listener `junit.platfor...

Google has released an urgent update for the Chrome browser to patch a vulnerability which has already been exploited.

Google has released security updates to address a vulnerability in its Chrome browser for which an exploit exists in the wild. The zero-day vulnerability, tracked as CVE-2025-6554 (CVSS score: N/A), has been described as a type confusing flaw in the V8 JavaScript and WebAssembly engine. "Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary

Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes.

In Akka through 2.10.6, akka-cluster-metrics uses Java serialization for cluster metrics.

### Summary Arbitrary HTML can be inserted into the DOM by inserting a payload into any allowed attribute of the `<tabber>` tag. ### Details The `args` provided within the wikitext as attributes to the `<tabber>` tag are passed to the TabberComponentTabs class: https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Tabber.php#L76 In TabberComponentTabs, the attributes are validated before being supplied to the Tabs template. https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Components/TabberComponentTabs.php#L15-L31 However, the validation is insufficient. What `Sanitizer::validateTagAttributes` does is call `validateAttributes`, which ``` * - Discards attributes not on the given list * - Unsafe style attributes are discarded * - Invalid id attributes are re-encoded ``` However, the attribute values are expected to be escaped when inserte...

## Summary ## The Markdown preview function of File Browser v2.32.0 is vulnerable to *Stored Cross-Site-Scripting (XSS)*. Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser ## Impact ## A user can upload a malicious Markdown file to the application which can contain arbitrary HTML code. If another user within the same scope clicks on that file, a rendered preview is opened. JavaScript code that has been included will be executed. Malicious actions that are possible include: * Obtaining a user's session token * Elevating the attacker's privileges, if the victim is an administrator (e.g., gaining command execution rights) ## Vulnerability Description ## Most Markdown parsers accept arbitrary HTML in a document and try rendering it accordingly. For instance, if one creates a file called `xss.md` with the following content: ```markdown # Hallo <b>foo</b> <img src="xx" onerror=alert(9)> <i>bar</i> ``` Bold and italic text ...

### Summary A stored XSS is present in Gogs which allows client-side Javascript code execution. ### Details Gogs Version: ``` docker images REPOSITORY TAG IMAGE ID CREATED SIZE gogs/gogs latest fe92583bc4fe 10 hours ago 99.3MB ``` Application version: `0.14.0+dev` Local setup using: ```bash # Pull image from Docker Hub. docker pull gogs/gogs # Create local directory for volume. sudo mkdir -p /var/gogs # Use `docker run` for the first time. docker run --name=gogs -p 10022:22 -p 10880:3000 -v /var/gogs:/data gogs/gogs ``` The vulnerability is caused by the usage of a vulnerable and outdated component: `pdfjs-1.4.20` under public/plugins/. Read more about this vulnerability at [codeanlabs - CVE-2024-4367](https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/). ### PoC 1. Upload the Proof of Concept file hosted at https://codeanlabs.com/wp-content/uploads/2024/05/poc_generalized_CVE-2024-4367.pdf in a repository. 2. ...