#web

An unknown adversary compromised a CISA app containing the data via a vulnerability in the Ivanti Connect Secure appliance this January.

Faronics WINSelect versions prior to 8.30.xx.903 suffer from having hardcoded credentials, storing unhashed passwords, and configuration file modification vulnerabilities.

### Impact In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser _may_ execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This attack may only be initialized by a user who already has Submitter privileges in the repository. The submitter must upload the malicious HTML/XML/JavaScript file themselves. The attack itself would not occur until a different authenticated user downloads the malicious file. CORS and CSRF protection built into DSpace help to limit the impact of the attack (and may block it in some scenarios). If the repository is configured to only download HTML / XML / JavaScript Bitstreams using the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header, then the attack is no longer possible. See "Workarounds" below. ### Patches The fix is included in both 8.0 and 7.6.2. Please upgrade to one of t...

Injected malicious JavaScript code gives attackers administrator rights on websites, and fills sites with SEO spam.

Knowledge institutions with legacy infrastructure, limited resources, and digitized intellectual property must protect themselves from sophisticated and destructive cyberattacks.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.9 ATTENTION: Low attack complexity Vendor: ABB Equipment: 800xA Base Vulnerabilities: Improper Input Validation 2. RISK EVALUATION Successful exploitation of these vulnerabilities could cause services to crash and restart. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS ABB reports that the vulnerability only affects 800xA services in PC based client/server nodes. Controllers are not affected by this vulnerability: ABB 800xA Base: versions 6.1.1-2 and prior 3.2 Vulnerability Overview 3.2.1 Improper Input Validation CWE-20 An attacker who successfully exploited this vulnerability could cause services to crash and restart by sending specifically crafted messages. CVE-2024-3036 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). A CVSS v4 score has also been calculated for CVE-2024-3036. A base score of 6.9 has been calculated; the CVSS vector string...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: PTC Equipment: Creo Elements/Direct License Server Vulnerability: Missing Authorization 2. RISK EVALUATION Successful exploitation of this vulnerability could allow unauthenticated remote attackers to execute arbitrary OS commands. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS PTC reports that the following versions of Creo Elements/Direct License Server are affected; note that this vulnerability does not impact "Creo License server": Creo Elements/Direct License Server: Version 20.7.0.0 and prior 3.2 Vulnerability Overview 3.2.1 Missing Authorization CWE-122 Creo Elements Direct License Server exposes a web interface which can be used by unauthenticated remote attackers to execute arbitrary OS commands on the server. CVE-2024-6071 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H...

The most notorious deepfake sexual abuse website is hosting altered videos originally published as part of the GirlsDoPorn operation. Experts say this new low is only the beginning.

Browser security is becoming increasingly popular, as organizations understand the need to protect at the point of risk - the browser. Network and endpoint solutions are limited in their ability to protect from web-borne threats like phishing websites or malicious browser extensions. They also do not protect from internal data exfiltration, like employees pasting sensitive data to ChatGPT. As it

A previously undocumented threat actor dubbed Boolka has been observed compromising websites with malicious scripts to deliver a modular trojan codenamed BMANAGER. "The threat actor behind this campaign has been carrying out opportunistic SQL injection attacks against websites in various countries since at least 2022," Group-IB researchers Rustam Mirkasymov and Martijn van den Berk said in a