Tag
#git
### Summary A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0. ### Details Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules: https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208 - If the string is an attribute value: - `"` -> `"` - `&` -> `&` - Other characters -> No conversion - Otherwise: - `<` -> `<` - `>` -> `>` - `&` -> `&` - Other characters -> No conversion It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). ## PoC A vulnerable component: ```javascript import { component$ } from "@builder.io/qwik"; import { useLocation } from "@builder.io/qwik-city"; export default component$(() => { // user input cons...
As digital threats against US water, food, health care, and other vital sectors loom large, a new project called UnDisruptable27 aims to help fix cybersecurity weaknesses where other efforts have failed.
At least two Russian nationals serving prison sentences for cybercrime offenses, Vladislav Klyushin and Roman Seleznev, were released as part of the landmark prisoner swap.
The RaaS group that distributes Hive ransomware delivers new malware impersonating as validly signed network-administration software to gain initial access and persistence on targeted networks
INTERPOL said it devised a "global stop-payment mechanism" that helped facilitate the largest-ever recovery of funds defrauded in a business email compromise (BEC) scam. The development comes after an unnamed commodity firm based in Singapore fell victim to a BEC scam in mid-July 2024. It refers to a type of cybercrime where a malicious actor poses as a trusted figure and uses email to
A Reflected Cross-site scripting (XSS) vulnerability exists in '/search' in microweber 2.0.15 and earlier allowing unauthenticated remote attackers to inject arbitrary web script or HTML via the 'keywords' parameter.
Microweber version 1.0 suffers from a cross site scripting vulnerability in the search functionality. Original discovery of cross site scripting in this version is attributed to tmrswrr in June of 2024.
Men face more pressure—and threats—from significant others to grant access to their personal devices, online accounts, and locations.
Everyone loves the double-agent plot twist in a spy movie, but it’s a different story when it comes to securing company data. Whether intentional or unintentional, insider threats are a legitimate concern. According to CSA research, 26% of companies who reported a SaaS security incident were struck by an insider. The challenge for many is detecting those threats before they lead to full
The North Korea-linked threat actor known as Moonstone Sleet has continued to push malicious npm packages to the JavaScript package registry with the aim of infecting Windows systems, underscoring the persistent nature of their campaigns. The packages in question, harthat-api and harthat-hash, were published on July 7, 2024, according to Datadog Security Labs. Both the libraries did not attract