#java

Cross Site Scripting vulnerability in khodakhah NodCMS v.3.0 allows a remote attacker to execute arbitrary code and gain access to senstivie information via a crafted script to the address parameter.

Ubuntu Security Notice 6179-1 - It was discovered that Jettison incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

Symantec SiteMinder WebAgent version 12.52 suffers from a cross site scripting vulnerability.

Student Study Center Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

Tenda AC6 AC1200 version 15.03.06.50_multi suffers from a persistent cross site scripting vulnerability.

By Deeba Ahmed Threat actors have been taking over abandoned S3 buckets to launch malicious binaries, steal login credentials and more. This is a post from HackRead.com Read the original post: Supply Chain Attack: Abandoned S3 Buckets Used for Malicious Payloads

Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processing the request. A check has been introduced to restrict processing of legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes. No publicly available exploits are known.

Jenkins Team Concert Plugin 2.4.1 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. Team Concert Plugin 2.4.2 requires Overall/Administer permission for the affected form validation methods.

Missing permission checks in Jenkins Team Concert Plugin 2.4.1 and earlier allow attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

PyBB is an open source bulletin board. A manual code review of the PyBB bulletin board server has revealed that a vulnerability could have been exploited in which users could submit any type of HTML tag, and have said tag run. For example, a malicious `<a>` that looks like ```<a href=javascript:alert (1)>xss</a>``` could have been used to run code through JavaScript on the client side. The problem has been patched as of commit `5defd92`, and users are advised to upgrade. Attackers do need posting privilege in order to exploit this vulnerability. This vulnerability is present within the 0.1.0 release, and users are advised to upgrade to 0.1.1. Users unable to upgrade may be able to work around the attack by either; Removing the ability to create posts, removing the `|safe` tag from the Jinja2 template titled "post.html" in templates or by adding manual validation of links in the post creation section.