Recent changes to bugs

Multiple input of "C+SEMICOLON"

Yuta Suzuki — Sat, 11 Apr 2026 02:51:34 -0000

Somehow jEdit understands a single stroke of "C+SEMICOLON" as three copies of it.
(The key "C" is the command key of mac.)

Steps to Reproduce:

Launch jEdit
From Menu bar, open jEdit > Preferences...
Open the Shortcuts tab
Take any command (e.g. Add Prefix and Suffix) and try to set the short cut to C+SEMICOLON
Then, "C+SEMICOLON C+SEMICOLON C+SEMICOLON" is registered instead of single "C+SEMICOLON".

Side note:
(1) It seems that even in the text area, the stroke "C+SEMICOLON" seems to be understood as "C+SEMICOLON C+SEMICOLON C+SEMICOLON".
(2) With Karabiner-Elements and other key event viewer, I checked the stroke "C+SEMICOLON" is recognized only once for other application.

jEdit version: 5.7.0
Platform: MacOS (15.7.4（24G517）) with Intel chip
Java version: 25.0.1

jEdit 5.7: Bug in Save-Dialog

Gilward Kukel — Thu, 23 Oct 2025 05:26:00 -0000

jEdit 5.7.0
Java 15.0.2
Windows 10

Steps:

make file ab.txt
make new file
do "save"
in the save-dialog:
- click on the file ab.txt
- change the text in the file name field from ab.txt to a.txt
- click "save"

jEdit asks if you want to overwrite ab.txt instead of saving the new file to a.txt.

#4147 Found Vulnerability:- IDOR (Insecure Direct Object Reference)

Eric Le Lay — Wed, 17 Sep 2025 12:28:03 -0000

status: open-invalid --> closed-invalid

#4147 Found Vulnerability:- IDOR (Insecure Direct Object Reference)

kunal waidande — Tue, 16 Sep 2025 13:57:18 -0000

*Before re-testing it first Login your account then only you will see response 200 ok:-

In 6th point after modifying the account id from request you will see that response is ok in repeater, it must not happen. If somone modify the account id it must show error code. I have also send the PDF report with POC.

#4147 Found Vulnerability:- IDOR (Insecure Direct Object Reference)

Eric Le Lay — Mon, 15 Sep 2025 18:54:49 -0000

I see you already created https://sourceforge.net/p/forge/site-support/27035/

#4147 Found Vulnerability:- IDOR (Insecure Direct Object Reference)

Eric Le Lay — Mon, 15 Sep 2025 18:53:47 -0000

Group: severe bug --> UNUSED

#4147 Found Vulnerability:- IDOR (Insecure Direct Object Reference)

Eric Le Lay — Mon, 15 Sep 2025 18:53:27 -0000

status: open --> open-invalid

Found Vulnerability:- IDOR (Insecure Direct Object Reference)

kunal waidande — Thu, 11 Sep 2025 20:58:46 -0000

The following API endpoint allows an attacker to change account-id in the query string and receive a valid response tied to that account.

Vulnerable endpoint: GET /a/api/fastlane.json?account_id=15680&site_id=103240

How to perform:
1- Go to website (https://www.jedit.org)
2- In home page on right side you will see sourceForge Project option.
3- Open burpsuit and on the intercept and in browser click on sourceForge Project option.
4- Forward the first and second request and then you will see bunch of requests in that request.
5- You that requests you will see (https://fastlane.rubiconproject.com).
6- Send it to repeater and change the account id.
7- You will see that response is 200 OK .

Please find attached PDF report in that, I have created all the manually tested proof report.

Found Vulnerability:- IDOR (Insecure Direct Object Reference)

kunal waidande — Thu, 11 Sep 2025 20:58:46 -0000

Ticket 4147 has been modified: Found Vulnerability:- IDOR (Insecure Direct Object Reference)
Edited By: Eric Le Lay (kerik-sf)
Status updated: 'open' => 'open-invalid'

Found Vulnerability:- IDOR (Insecure Direct Object Reference)

kunal waidande — Thu, 11 Sep 2025 20:58:46 -0000

Ticket 4147 has been modified: Found Vulnerability:- IDOR (Insecure Direct Object Reference)
Edited By: Eric Le Lay (kerik-sf)
_milestone updated: 'severe bug' => 'UNUSED'