#vulnerability

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** The attacker must have permissions to access the target's System directory to plant the malicious folder that would be used as part of the exploitation.

While still under development, the malware contains Turkish-language filenames, can record the screen and keystrokes, and inject custom overlays to steal passwords and sensitive data.

Protections like Windows Smart App Control are useful but susceptible to attacks that allow threat actors initial access to an environment without triggering any alerts.

### Summary A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0. ### Details Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules: https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208 - If the string is an attribute value: - `"` -> `&quot;` - `&` -> `&amp;` - Other characters -> No conversion - Otherwise: - `<` -> `&lt;` - `>` -> `&gt;` - `&` -> `&amp;` - Other characters -> No conversion It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). ## PoC A vulnerable component: ```javascript import { component$ } from "@builder.io/qwik"; import { useLocation } from "@builder.io/qwik-city"; export default component$(() => { // user input cons...

At least two Russian nationals serving prison sentences for cybercrime offenses, Vladislav Klyushin and Roman Seleznev, were released as part of the landmark prisoner swap.

A Reflected Cross-site scripting (XSS) vulnerability exists in '/search' in microweber 2.0.15 and earlier allowing unauthenticated remote attackers to inject arbitrary web script or HTML via the 'keywords' parameter.

Korenix JetPort Series version 1.2 suffers from insufficient authentication, command injection, and plaintext communication vulnerabilities.

Google has issued security updates for 46 vulnerabilities, including a patch for a remote code execution flaw which has been used in limited targeted attacks.

Microweber version 1.0 suffers from a cross site scripting vulnerability in the search functionality. Original discovery of cross site scripting in this version is attributed to tmrswrr in June of 2024.

Gentoo Linux Security Advisory 202408-2 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could lead to remote code execution. Versions greater than or equal to 115.12.0:esr are affected.