#java

### Impact **Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role `ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organisations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. ### Patches 2.x versions are fixed on >= [2.2.0](https://github.com/zitadel/zitadel/releases/tag/v2.2.0) 1.x versions are fixed on >= [1.87.1](https://github.com/zitadel/zitadel/releases/tag/v1.87.1) ZITADEL recommends upgrading to the latest versions available in due course. ### Workarounds There is no workaround since a patch is already available. ### Who did disclose this During our recu...

### Introduction Cross-site scripting (XSS) is a type of vulnerability that allows to execute any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim. Such vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible. ### Impact The tags and multiselect fields allow to select tags from an autocompleted list. The tags field also allows to enter new tags or edit existing tags. Kirby already handled escaping of the autocompleted tags, but unfortunately the Panel used HTML rendering for new or edited tags as well as for custom tags from the content file. This allowed **attackers with Panel access** to store malicious HTML code in a tag. Th...

The phishing campaign deploying a ScanBox reconnaissance framework has targeted the Australian government and companies maintaining wind turbines in the South China Sea.

Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool.

Trustwave report also finds 2022 is set to surpass 2021 for volume of critical CVEs

The first-of-its-kind campaign threatens to remove code packages if developers don’t submit their code to a "validation" process.

ODGen tool was presented at this year’s Usenix Security Symposium

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

All versions of package x-data-spreadsheet are vulnerable to Cross-site Scripting (XSS) due to missing sanitization of values inserted into the cells.

Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.