#java

The export function in SoftGuard Web (SGW) before 5.1.5 allows directory traversal to read an arbitrary local file via export or man.tcl.

An issue was discovered in Gentics CMS before 5.43.1. There is stored XSS in the profile description and in the username.

An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

### Impact This only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. Example: ```javascript import cp from "node:child_process"; import * as shescape from "shescape"; // 1. Prerequisites const options = { shell: "bash", // Or shell: "dash", // Or shell: "powershell.exe", // Or shell: "zsh", // Or shell: undefined, // Only if the default shell is one of the affected shells. }; // 2. Attack (one of multiple) const payload = "foo #bar"; // 3. Usage let escapedPayload; shescape.escape(payload, { interpolation: true }); // Or shescape.escapeAll(payload, { interpolation: true }); cp.execSync(`echo Hello ${escapedPayload}!`, options); // _Output depends on the shell being used_ ``` The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. - Affected shells: _Bash_...

### Impact This impacts users that use Shescape (any API function) to escape arguments for **cmd.exe** on **Windows**. An attacker can omit all arguments following their input by including a line feed character (`'\n'`) in the payload. Example: ```javascript import cp from "node:child_process"; import * as shescape from "shescape"; // 1. Prerequisites const options = { shell: "cmd.exe", }; // 2. Attack const payload = "attacker\n"; // 3. Usage let escapedPayload; escapedPayload = shescape.escape(payload, options); // Or escapedPayload = shescape.escapeAll([payload], options)[0]; // Or escapedPayload = shescape.quote(payload, options); // Or escapedPayload = shescape.quoteAll([payload], options)[0]; cp.execSync(`echo Hello ${escapedPayload}! How are you doing?`, options); // Outputs: "Hello attacker" ``` > **Note**: `execSync` is just illustrative here, all of `exec`, `execFile`, `execFileSync`, `fork`, `spawn`, and `spawnSync` can be attacked using a line feed character if CM...

Togglz is an implementation of the Feature Toggles pattern for Java. There is no CSRF protection in the togglz console and could allow an attacker to guess the CSRF token value. Version 2.9.4 adds the necessary CSRF protection.

### Overview A partial-path traversal issue exists within the `downloadDirectory` method in the AWS S3 TransferManager component of the AWS SDK for Java v1. Applications using the SDK control the `destinationDirectory` argument, but S3 object keys are determined by the application that uploaded the objects. The `downloadDirectory` method allows the caller to pass a filesystem object in the object key but contained an issue in the validation logic for the key name. A knowledgeable actor could bypass the validation logic by including a UNIX double-dot in the bucket key. Under certain conditions, this could permit them to retrieve a directory from their S3 bucket that is one level up in the filesystem from their working directory. This issue’s scope is limited to directories whose name prefix matches the destinationDirectory. E.g. for destination directory`/tmp/foo`, the actor can cause a download to `/tmp/foo-bar`, but not `/tmp/bar`. Versions of the AWS Java SDK for S3 v1 before an...

All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.

The AWS SDK for Java enables Java developers to work with Amazon Web Services. A partial-path traversal issue exists within the `downloadDirectory` method in the AWS S3 TransferManager component of the AWS SDK for Java v1 prior to version 1.12.261. Applications using the SDK control the `destinationDirectory` argument, but S3 object keys are determined by the application that uploaded the objects. The `downloadDirectory` method allows the caller to pass a filesystem object in the object key but contained an issue in the validation logic for the key name. A knowledgeable actor could bypass the validation logic by including a UNIX double-dot in the bucket key. Under certain conditions, this could permit them to retrieve a directory from their S3 bucket that is one level up in the filesystem from their working directory. This issue’s scope is limited to directories whose name prefix matches the destinationDirectory. E.g. for destination directory`/tmp/foo`, the actor can cause a download ...

Adobe RoboHelp versions 2020.0.7 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.