Security
Headlines
HeadlinesLatestCVEs

Tag

#firefox

CSZ CMS 1.3.0 Remote Command Execution

CSZ CMS version 1.3.0 suffers from a remote command execution vulnerability. Exploit written in Python.

Packet Storm
Open in Source
#vulnerability#web#mac#windows#linux#git#php#rce#xpath#auth#firefox
Ubuntu Security Notice USN-6509-1

Ubuntu Security Notice 6509-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. It was discovered that Firefox did not properly manage memory when images were created on the canvas element. An attacker could potentially exploit this issue to obtain sensitive information.

Google’s Ad Blocker Crackdown Is Growing

Plus: North Korean supply chain attacks, a Russian USB worm spreads internationally, and more.

GHSA-v4v2-8h88-65qj: Attribute Injection leading to XSS(Cross-Site-Scripting)

### Summary Google Analytics element Attribute Injection leading to XSS ### Details Since the custom status interface can set an independent Google Analytics ID and the template has not been sanitized, there is an attribute injection vulnerability here, which can lead to XSS attacks. ![image](https://user-images.githubusercontent.com/110759348/282278047-667b774b-421f-449a-8f95-3f3906ae4216.png) ### PoC 1. Run the latest version of the louislam/uptime-kuma container and initialize the account password. 2. Create a new status page. 3. Edit the status page and change the Google Analytics ID to following payload(it only works for firefox. Any attribute can be injected, but this seems the most intuitive): ``` 123123" onafterscriptexecute=alert(window.name+1),eval(window.name) a="x ``` 4. Click Save and return to the interface. XSS occurs. screenshots: ![image](https://user-images.githubusercontent.com/110759348/282287393-4874974f-9416-4941-9c2e-a92ee2412197.png) ![9d0603e634fb7da2e83a0a...

Chrome pushes forward with plans to limit ad blockers in the future

Google has set a date for the introduction of Manifest V3 which will hurt the capabilities of many ad blockers.

Malwarebytes consumer product roundup: The latest

Here are the innovations we’ve made in our products recently. Are you making the most of them?

CVE-2023-47643: Unauthenticated Graphql Introspection Enabled

SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.

CVE-2023-6212: Bug List

Memory safety bugs present in Firefox 119, Firefox 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox < 115.5, and Thunderbird < 115.5.0.

CVE-2023-6206: Invalid Bug ID

The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox < 115.5, and Thunderbird < 115.5.0.