Security News
A critical cross-site scripting vulnerability in Zimbra, the popular open source email and collaboration suite, is being exploited by attackers. Clément Lecigne of Google's Threat Analysis Group discovered and reported the vulnerability.
Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks. The two plugins are among WordPress's most popular custom field builders, with 2,000,000 active installs on sites worldwide.
Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment software that can be exploited for cross-site scripting attacks. Tracked as CVE-2023-20060, the bug was found in the web-based management interface of Cisco PCD 14 and earlier by Pierre Vivegnis of the NATO Cyber Security Centre.
There is a live cross-site scripting vulnerability in takedowns website DMCA-dot-com's user interface. Infosec researcher Joel Ossi, founder of Dutch security firm Websec, announced his findings after spending more than a year trying and failing to get DMCA-dot-com to take the XSS seriously.
The WordPress development team released version 5.8.3, a short-cycle security release that addresses four vulnerabilities, three of them rated high severity. The set includes an SQL injection in WP_Query, a blind SQL injection via WP_Meta_Query, a cross-site scripting flaw via post slugs, and an object injection reachable by administrators.
The plugin "Variation Swatches for WooCommerce," installed across 80,000 WordPress-powered retail sites, contains a stored cross-site scripting vulnerability that could allow attackers to inject malicious web scripts and take over sites. Giving low-privileged users access to the "Tawcvs save settings" function is particularly concerning, the researcher said, because that access can be used to update the plugin's settings and inject malicious web scripts that execute whenever a site owner opens the plugin's settings area.
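The pattern described above (a settings-save handler reachable by low-privileged users, whose stored value is later echoed into an admin page) is illustrated below with an added example. This is constructed code, not the Variation Swatches plugin's own source; the hook names, option name and field names are invented for illustration. It shows the vulnerable shape beside the hardened one: a capability check, a nonce check, allow-listed sanitized input, and output encoding at the sink.

```php
<?php
// Added, constructed example (not the plugin's code). Hook, option and
// field names ("example_*") are hypothetical.

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_* handlers are reachable by any authenticated user, including
// subscribers. With no capability check and no nonce, anyone who can log in
// can overwrite the option with a script payload.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_insecure' );
function example_save_settings_insecure() {
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_plugin_settings', $settings ); // stored verbatim
    wp_send_json_success();
}

// The admin settings page echoes the stored value without encoding, so a
// value such as  " autofocus onfocus=alert(document.cookie) x="
// executes in the site owner's browser when the page is opened.
function example_render_label_insecure() {
    $settings = get_option( 'example_plugin_settings', array() );
    echo '<input name="label" value="' . ( $settings['label'] ?? '' ) . '">';
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_secure' );
function example_save_settings_secure() {
    // 1. Authorization: only users allowed to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the request must carry a nonce issued to this user for this
    //    action (dies with a 403 if missing or invalid).
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 3. Input validation: allow-list the keys and sanitize each value.
    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array(
        'label'   => sanitize_text_field( $raw['label'] ?? '' ),
        'enabled' => ! empty( $raw['enabled'] ) ? 1 : 0,
    );
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( $settings );
}

// 4. Output encoding at the sink. This is the control that actually stops
//    stored XSS; sanitizing on input alone is not sufficient.
function example_render_label_secure() {
    $settings = get_option( 'example_plugin_settings', array() );
    echo '<input name="label" value="' . esc_attr( $settings['label'] ?? '' ) . '">';
}
```

The two checks at the top of the hardened handler are independent: `current_user_can()` closes the privilege gap that lets a low-privileged account write settings at all, while `check_ajax_referer()` stops a privileged user from being made to submit the request from another site. `esc_attr()` at the output sink protects the site owner even if a stored value reached the database through another path.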
Canopy, a parental control app that offers a range of features meant to protect kids online via content inspection, is vulnerable to a variety of cross-site scripting attacks, according to researchers. The attacks could range from a sneaky kid disabling the monitoring to a much more serious third-party attack delivering malware to parental users.
A clever UPS phishing campaign abused an XSS vulnerability in UPS.com to push fake, malicious 'Invoice' Word documents. The phishing scam was first discovered by security researcher Daniel Gallagher and pretended to be an email from UPS stating that a package had an "Exception" and needed to be picked up by the customer.
A stored cross-site scripting vulnerability in the SEOPress WordPress plugin could allow attackers to inject arbitrary web scripts into websites, researchers said. Separately, in July six critical flaws were disclosed in the WordPress plugin Front File Manager, versions 17.1 and 18.2, active on more than 2,000 websites.
A cross-site scripting vulnerability patched last year in Cisco's Adaptive Security Appliance and Firepower Threat Defense software has reportedly been exploited in the wild. Reports of in-the-wild exploitation emerged shortly after cybersecurity firm Positive Technologies released a proof-of-concept exploit for the vulnerability tracked as CVE-2020-3580.