#web

The ABB BMS/BAS controller suffers from a weak password policy, allowing users to set overly simplistic or blank passwords and usernames without restrictions. This vulnerability significantly reduces account security, enabling attackers to exploit weak credentials for unauthorized access to the system.

The ABB BMS/BAS controller suffers from an SQL injection through the key and user parameters. These inputs are not properly sanitized and do not utilize stored procedures, allowing attackers to manipulate SQL queries and potentially gain unauthorized access to the database or execute arbitrary SQL commands.

The application suffers from cleartext transmission and storage of sensitive information in a Cookie. This includes the globals parameter, where authdata contains base64-encoded credentials. A remote attacker can intercept the HTTP Cookie, including authentication credentials, through a man-in-the-middle attack, potentially compromising user accounts and sensitive data.

The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameters 'name' and 'id' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

The ABB Cylon Aspect BMS/BAS controller contains multiple instances of hard-coded credentials, including usernames, passwords, and encryption keys embedded in various java classes. This practice poses significant security risks, allowing attackers to gain unauthorized access and compromise the system's integrity.

### Summary When you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Deno's`fetch()` redirect handling creates a follow-up redirect request that keeps the original `Authorization` header, leaking its content to that second domain. ### Details The [right behavior](https://fetch.spec.whatwg.org/#ref-for-cors-non-wildcard-request-header-name) would be to drop the `Authorization` header instead, in this scenario. The same is generally applied to `Cookie` and `Proxy-Authorization` headers, and is done for not only host changes, but also protocol/port changes. Generally referred to as "origin". The [documentation](https://docs.deno.com/runtime/reference/web_platform_apis/#:~:text=Deno%20does%20not%20follow%20the,leaking%20authenticated%20data%20cross%20origin.) states: > Deno does not follow the same-origin policy, because the Deno user agent currently does not have the concept of origins, and it does not have a cook...

SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data.

A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the password parameter.

A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

A fake Telegram Premium app delivers information-stealing malware, in a prime example of the rising threat of adversaries leveraging everyday applications, researchers say.