Security News

Joomla fixes XSS flaws that could expose sites to RCE attacks
2024-02-21 22:55

Five vulnerabilities have been discovered in the Joomla content management system that could be leveraged to execute arbitrary code on vulnerable websites. The vendor has addressed the security issues, which impact multiple versions of Joomla, and fixes are present in versions 5.0.3 and also 4.4.3 of the CMS. Joomla's advisory notes that CVE-2024-21725 is the vulnerability with the highest severity risk and has a high exploitation probability.

Roundcube webmail XSS vulnerability exploited by attackers (CVE-2023-43770)
2024-02-13 09:36

CVE-2023-43770, a vulnerability in the Roundcube webmail software that has been fixed in September 2023, is being exploited by attackers in the wild, CISA has warned by adding the vulnerability to its Known Exploited Vulnerabilities catalog. CVE-2023-43770 is a vulnerability that allows attackers to mount cross-site scripting attacks through specially crafted links in plain text email messages.

Hackers steal data of 2 million in SQL injection, XSS attacks
2024-02-06 07:00

A threat group named 'ResumeLooters' has stolen the personal data of over two million job seekers after compromising 65 legitimate job listing and retail sites using SQL injection and cross-site scripting attacks. ResumeLooters primarily employs SQL injection and XSS to breach targeted sites, mainly job-seeking and retail shops.

Zimbra patches zero-day vulnerability exploited in XSS attacks
2023-07-27 18:57

Two weeks after the initial disclosure, Zimbra has released security updates that patch a zero-day vulnerability exploited in attacks targeting Zimbra Collaboration Suite (ZCS) email servers. [...]

Critical XSS vulnerability in Zimbra exploited in the wild (CVE-2023-34192)
2023-07-17 11:39

A critical cross site scripting vulnerability in popular open source email collaboration suite Zimbra is being exploited by attackers. Clément Lecigne of Google Threat Analysis Group discovered and reported this vulnerability.

WordPress custom field plugin bug exposes over 1M sites to XSS attacks
2023-05-05 14:57

Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks. The two plugins are among WordPress's most popular custom field builders, with 2,000,000 active installs on sites worldwide.

Cisco discloses XSS zero-day flaw in server management tool
2023-04-26 18:51

Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment software that can be exploited for cross-site scripting attacks. Tracked as CVE-2023-20060, the bug was found in the web-based management interface of Cisco PCD 14 and earlier by Pierre Vivegnis of the NATO Cyber Security Centre.

DMCA-dot-com XSS vuln reported in 2020 still live today and firm has shrugged it off
2022-02-02 10:15

There is a live cross-site scripting vulnerability in takedowns website DMCA-dot-com's user interface. Infosec researcher Joel Ossi, founder of Dutch security firm Websec, announced his findings after spending more than a year trying and failing to get DMCA-dot-com to take the XSS seriously.

WordPress 5.8.3 security update fixes SQL injection, XSS flaws
2022-01-10 15:28

The WordPress development team released version 5.8.3, a short-cycle security release that addresses four vulnerabilities, three of which are rated of high importance. The set includes an SQL injection on WP Query, a blind SQL injection via the WP Meta Query, an XSS attack via the post slugs, and an admin object injection.

80K Retail WooCommerce Sites Exposed by Plugin XSS Bug
2021-12-01 19:34

The plugin "Variation Swatches for WooCommerce," installed across 80,000 WordPress-powered retail sites, contains a stored cross-site scripting security vulnerability that could allow cyberattackers to inject malicious web scripts and take over sites. Giving low-permissioned users access to the "Tawcvs save settings" function is particularly concerning, she said, because that access can be used to update the plugin's settings and inject malicious web scripts that would execute whenever a site owner accessed the settings area of the plugin.