#js

### Summary Short descriptions are not properly sanitized by the ShortDescription before being inserted as HTML using `mw.util.addSubtitle`, allowing any user to insert arbitrary HTML into the DOM by editing a page. ### Details The description provided by the user via the `{{SHORTDESC:}}` parser function is insufficiently sanitized by the `sanitize()` function, as html entities are decoded: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/includes/Hooks/ParserHooks.php#L147-L159 Via JS, the short description is then passed to `mw.util.addSubtitle`, which inserts it as raw HTML: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/modules/ext.shortDescription.js#L8 https://github.com/wikimedia/mediawiki/blob/96372101b3c579d9992e8a31a3ccd90a937cac47/resources/src/mediawiki.util/util.js#L552-L563 ### PoC 1. Enable ShortDescription 2. Make sure `$wgSho...

### Summary A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page More details: [CVE-2025-49826](https://vercel.com/changelog/cve-2025-49826) ## Credits - Allam Rachid [zhero;](https://zhero-web-sec.github.io/research-and-things/) - Allam Yasser (inzo)

### Summary A cache poisoning issue in **Next.js App Router >=15.3.0 and < 15.3.3** may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in **Next.js 15.3.3**. Users on affected versions should **upgrade immediately** and **redeploy** to ensure proper caching behavior. More details: [CVE-2025-49005](https://vercel.com/changelog/cve-2025-49005)

A vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual `<script>` element. If an attacker injected an HTML element such as: ``` <img name="currentScript" src="https://malicious.example.com"> ``` it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an <img> element instead of the <script> tag, leading to unexpected behavior or failure to load the script path correctly. This issue arises because in some browser environments, named DOM elements (e.g., name="currentScript") become properties on the global document object. ## Impact An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron. ## Fix https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3 The issue was resolved by verifying that document.currentScript is an instance of HTMLScriptElement. If not, the script now fa...

### Summary eKuiper /config/uploads API supports accessing remote web URLs and saving files in the local upload directory, but there are no security restrictions, resulting in arbitrary file writing through ../. If run with root privileges, RCE can be achieved by writing crontab files or ssh keys. ### Details ```go func fileUploadHandler(w http.ResponseWriter, r *http.Request) { switch r.Method { // Upload or overwrite a file case http.MethodPost: switch r.Header.Get("Content-Type") { case "application/json": fc := &fileContent{} defer r.Body.Close() err := json.NewDecoder(r.Body).Decode(fc) if err != nil { handleError(w, err, "Invalid body: Error decoding file json", logger) return } err = fc.Validate() if err != nil { handleError(w, err, "Invalid body: missing necessary field", logger) return } filePath := filepath.Join(uploadDir, fc.Name) err = upload(fc) ``` - The fc.Name parameter do not safely filtered. ### PoC ``` POST /co...

User claims to sell stolen Verizon and T-Mobile data for millions of users (online Verizon says data is old T-Mobile denies any breach and links to it.

### Summary A command injection vulnerability exists in the `git-mcp-server` MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). ### Details The MCP Server exposes tools (`git_add`, `git_init`, `git_logs`, etcc) to perform several git operations. An MCP Client can be instructed to execute additional actions for example via indirect prompt injection when asked to read git logs. Below some example of vulnerable code and different ways to test this vulnerability including a real example of indirect prompt injection that can lead to arbitrary command injection...

### Impact The `nativeImage.createFromPath()` and `nativeImage.createFromBuffer()` functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. ### Workaround There are no app-side workarounds for this issue. You must update your Electron version to be protected. ### Patches - `v28.3.2` - `v29.3.3` - `v30.0.3` ### For More Information If you have any questions or comments about this advisory, email us at [[email protected]](mailto:[email protected]).

string-math v1.2.2 was discovered to contain a Regex Denial of Service (ReDoS) which is exploited via a crafted input.

electron's ASAR Integrity can be bypass by modifying the content. ### Impact This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to Windows, apps using these fuses on macOS are unimpacted. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `30.0.5` * `31.0.0-beta.1` ### For more information If you have any questions or comments about this advisory, email us at [[email protected]](mailto:[email protected])