Security News

CVE-2023-43770, a vulnerability in the Roundcube webmail software that was fixed in September 2023, is being exploited by attackers in the wild, CISA has warned by adding it to its Known Exploited Vulnerabilities catalog. CVE-2023-43770 allows attackers to mount cross-site scripting attacks through specially crafted links in plain-text email messages.

A threat group named 'ResumeLooters' has stolen the personal data of over two million job seekers after compromising 65 legitimate job listing and retail sites. ResumeLooters primarily employs SQL injection and cross-site scripting (XSS) to breach its targets, mainly job-seeking sites and retail shops.

Two weeks after the initial disclosure, Zimbra has released security updates that patch a zero-day vulnerability exploited in attacks targeting Zimbra Collaboration Suite (ZCS) email servers. [...]

A critical cross-site scripting vulnerability in the popular open source email collaboration suite Zimbra is being exploited by attackers. Clément Lecigne of Google's Threat Analysis Group discovered and reported the vulnerability.

Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks. The two plugins are among WordPress's most popular custom field builders, with 2,000,000 active installs on sites worldwide.

Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment software that can be exploited for cross-site scripting attacks. Tracked as CVE-2023-20060, the bug was found in the web-based management interface of Cisco PCD 14 and earlier by Pierre Vivegnis of the NATO Cyber Security Centre.

There is a live cross-site scripting vulnerability in takedowns website DMCA-dot-com's user interface. Infosec researcher Joel Ossi, founder of Dutch security firm Websec, announced his findings after spending more than a year trying and failing to get DMCA-dot-com to take the XSS seriously.

The WordPress development team released version 5.8.3, a short-cycle security release that addresses four vulnerabilities, three of which are rated as high severity. The set includes an SQL injection in WP Query, a blind SQL injection via WP Meta Query, an XSS attack via post slugs, and an admin object injection.

The plugin "Variation Swatches for WooCommerce," installed across 80,000 WordPress-powered retail sites, contains a stored cross-site scripting security vulnerability that could allow cyberattackers to inject malicious web scripts and take over sites. Giving low-permissioned users access to the "Tawcvs save settings" function is particularly concerning, she said, because that access can be used to update the plugin's settings and inject malicious web scripts that would execute whenever a site owner accessed the settings area of the plugin.

Canopy, a parental control app that offers a range of features meant to protect kids online via content inspection, is vulnerable to a variety of cross-site scripting attacks, according to researchers. The attacks could range from a sneaky kid disabling the monitoring to a much more serious third-party attack delivering malware to parental users.