Tag: #xss
September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, Lebanese pagers, VM and IT annual bonuses

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, Lebanese pagers, VM and IT annual bonuses. Starting this month, we decided to slightly expand the topics of the videos and increase their duration. I cover not only the trending vulnerabilities of September, but also social engineering cases, real-world vulnerability exploitation, and practices […]

Alexander V. Leonov
#sql #xss #vulnerability #web #windows #wordpress #rce #vmware #blog
Helper 0.1

Helper is an enumerator written in PHP that helps identify directories on web servers that could be targets for issues such as cross-site scripting, local file inclusion, remote shell upload, and remote SQL injection vulnerabilities.

Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials

Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. Russian cybersecurity company Positive Technologies said it discovered last month that an email was sent to an unspecified governmental organization located in one of the Commonwealth of

IBM Security Verify Access 10.0.8 Open Redirection

IBM Security Verify Access versions 10.0.0 through 10.0.8 suffer from an OAuth-related open redirection vulnerability.

SofaWiki 3.9.2 Cross Site Scripting

SofaWiki version 3.9.2 suffers from a reflected cross-site scripting vulnerability.

SofaWiki 3.9.2 Cross Site Scripting

SofaWiki version 3.9.2 suffers from a persistent cross-site scripting vulnerability.

LCDS LAquis SCADA

1. EXECUTIVE SUMMARY
CVSS v4 7.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: LCDS - Leão Consultoria e Desenvolvimento de Sistemas Ltda ME
Equipment: LAquis SCADA
Vulnerability: Cross-site Scripting

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to steal cookies, inject arbitrary code, or perform unauthorized actions.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of LAquis SCADA, an HMI program, are affected:
LAquis SCADA: Version 4.7.1.511

3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
In LAquis SCADA version 4.7.1.511, a cross-site scripting vulnerability could allow an attacker to inject arbitrary code into a web page. This could allow an attacker to steal cookies, redirect users, or perform unauthorized actions. CVE-2024-9414 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; ...

Elvaco M-Bus Metering Gateway CMe3100

1. EXECUTIVE SUMMARY
CVSS v4 9.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Elvaco
Equipment: M-Bus Metering Gateway CMe3100
Vulnerabilities: Missing Authentication for Critical Function, Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Insufficiently Protected Credentials.

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, impersonate and send false information, or bypass authentication.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Elvaco CMe3100, a metering gateway, are affected:
CMe3100: Version 1.12.1

3.2 Vulnerability Overview
3.2.1 INSUFFICIENTLY PROTECTED CREDENTIALS (CWE-522)
The affected product is vulnerable due to insufficiently protected credentials, which may allow an attacker to impersonate Elvaco and send false information. CVE-2024-49396 has been assigned to t...

Brazil arrests USDoD hacker tied to FBI, National Public Data breaches

Brazilian police have arrested the hacker known as USDoD, responsible for high-profile breaches including the FBI’s InfraGard and…

October Linux Patch Wednesday

October Linux Patch Wednesday. There are 248 vulnerabilities in total. Of these, 92 are in the Linux Kernel. 5 vulnerabilities with signs of exploitation in the wild:
🔻 Remote Code Execution – CUPS (CVE-2024-47176) and 4 more CUPS vulnerabilities that can also be used to enhance DoS attacks
🔻 Remote Code Execution – Mozilla Firefox (CVE-2024-9680) […]