Security
Headlines
HeadlinesLatestCVEs

Tag

#java

GHSA-vr85-5pwx-c6gq: OMERO.web must check that the JSONP callback is a valid function

### Background There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is `/webclient/imgData/...`. As we only really use these endpoints with jQuery's own callback name generation [^1] it is quite difficult or even impossible to exploit this in vanilla OMERO.web. However, these metadata endpoints are likely to be used by many plugins. [^1]: https://learn.jquery.com/ajax/working-with-jsonp/ ### Impact OMERO.web before 5.25.0 ### Patches Users should upgrade to 5.26.0 or higher ### Workarounds None ### References * https://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call * https://stackoverflow.com/questions/1661197/what-characters-are-valid-for-javascript-variable-names For more information If you have any questions or comments about this advisory: Open an issue in [omero-web](https://github.com/ome/omero-web) Email us a...

ghsa
#web#js#git#java
GHSA-qm5v-pj64-852j: Passbolt Api Tabnabbing when opening URI with menu "Open URI in a new tab"

### Description A user could create and share a resource with a malicious URI. When the victim opens with menu “Open URI in a new tab” function, the malicious page has access to the window.opener object. ### Impact of issue The newly opened malicious page can for example change the window.opener.location to redirect the user to a phishing page, or call a JavaScript function served by the AppJS on the user behalf for example to try to affect the integrity of the data. ### Fix The code that opens a new window via window.open(); now open the tab with the noopener attribute.

GHSA-qxqf-2mfx-x8jw: veraPDF has potential XSLT injection vulnerability when using policy files

### Impact Executing policy checks using custom schematron files invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. ### Patches This has been patched and users should upgrade to veraPDF v1.24.2 ### Workarounds This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust. ### References Original issue: <https://github.com/veraPDF/veraPDF-library/issues/1415>

Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns

Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that delivers Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware. "These campaigns typically involve a recognizable infection chain involving oversized JavaScript files that utilize WMI's ability to invoke msiexec.exe and install a remotely-hosted MSI

GHSA-6cj3-rc4p-f38f: Cross-site Scripting vulnerabilities in Neos

It has been discovered that Neos is vulnerable to several XSS attacks. Through these vulnerabilities, an attacker could tamper with page rendering, redirect victims to a fake login page, or capture user credentials (such as cookies). With the potential backdoor upload an attacker could gain access to the server itself, to an extent mainly limited by the server setup. ### Reflected Cross-Site Scripting (SXSS) with authentication A Neos backend user with permission to modify content can insert JavaScript instructions into content elements. The browser will execute the script in "Print" preview mode. A Neos backend user who can modify his profile information ("Title", "First Name", "Last name", "Middle Name", "Other Name") can inject JavaScript instructions in those parameters. Once set up, an administrator who wants to edit this user account will execute the code. Both attack vectors require a valid Neos backend user account. ### Reflected Cross-Site Scripting (RXSS) without authentica...

Google Patches Yet Another Actively Exploited Chrome Zero-Day Vulnerability

Google has rolled out fixes to address a set of nine security issues in its Chrome browser, including a new zero-day that has been exploited in the wild. Assigned the CVE identifier CVE-2024-4947, the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Kaspersky researchers Vasily Berdnikov and Boris

GHSA-4cv2-xc5f-px8h: Denial of Service in extension "Code Highlight" (codehighlight)

The codehighlight extension bundles a vulnerable version of the 3rd party JavaScript component “prism” which is known to be vulnerable against Regular expression Denial of Service (ReDoS).

GHSA-65xh-hh78-6454: Denial of Service in extension "Code Highlight" (codehighlight)

The codehighlight extension bundles a vulnerable version of the 3rd party JavaScript component “prism” which is known to be vulnerable against Regular expression Denial of Service (ReDoS).

GHSA-xjwx-78x7-q6jc: TYPO3 vulnerable to an HTML Injection in the History Module

### Problem The history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account. ### Solution Update to TYPO3 version 13.1.1 that fixes the problem described. ### Credits Thanks to TYPO3 core team member Andreas Kienast who reported this issue and to TYPO3 core & security team Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-007](https://typo3.org/security/advisory/typo3-core-sa-2024-007)