Security News

Phishing campaign uses UPS.com XSS vuln to distribute malware
2021-08-23 21:17

A clever UPS phishing campaign utilized an XSS vulnerability in UPS.com to push fake and malicious 'Invoice' Word documents. The phishing scam was first discovered by security research Daniel Gallagher and pretended to be an email from UPS stating that a package had an "Exception" and needs to be picked up by the customer.

XSS Bug in SEOPress WordPress Plugin Allows Site Takeover
2021-08-16 18:22

A stored cross-site scripting vulnerability in the SEOPress WordPress plugin could allow attackers to inject arbitrary web scripts into websites, researchers said. In July six critical flaws were disclosed that affected the WordPress plugin Front File Manager versions 17.1 and 18.2, active on more than 2,000 websites.

XSS Vulnerability in Cisco Security Products Exploited in the Wild
2021-06-28 11:31

A cross-site scripting vulnerability patched last year in Cisco's Adaptive Security Appliance and Firepower Threat Defense software has reportedly been exploited in the wild. Reports of in-the-wild exploitation emerged shortly after cybersecurity firm Positive Technologies released a proof-of-concept exploit for the vulnerability tracked as CVE-2020-3580.

Why XSS is still an XXL issue in 2021
2021-06-15 05:00

Malicious scripts for reflected XSS attacks don't exist on your web application or site forever. Years ago, XSS vulnerabilities were mostly present in web application "Surface" inputs, such as in the type of form fields where sites may ask visitors to enter their names, email addresses, credit card info, or ZIP code.

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug
2021-05-24 19:33

An easy-to-exploit bug impacting the WordPress plugin ReDi Restaurant Reservation allows unauthenticated attackers to pilfer reservation data and customer personal identifiable information by simply submitting a malicious snippet of JavaScript code into the reservation comment field. The bug affects ReDi Restaurant Reservation versions prior to 21.0307, with a patched version of the plugin available for download. The vulnerability is a persistent cross-site scripting bug.

DarkSide Hits Toshiba; XSS Forum Bans Ransomware
2021-05-17 16:23

For a ransomware gang whose servers were purportedly commandeered last week, DarkSide has had a server-fueled weekend, with a reported hit on Toshiba Business. Late on Thursday night came a post to the "Exploit" underground forum that looked, at least, to be from DarkSide.

Popular Russian hacking forum XSS bans all ransomware topics
2021-05-14 01:48

One of the most popular Russian-speaking hacker forums, XSS, has banned all topics promoting ransomware to prevent unwanted attention. XSS is a Russian-speaking hacking forum created to share knowledge about exploits, vulnerabilities, malware, and network penetration.

Stored XSS Vulnerability on iCloud.com Earned Researcher $5,000
2021-02-18 13:20

A bug bounty hunter claims he has earned a $5,000 reward from Apple for reporting a stored cross-site scripting vulnerability on iCloud.com. Vishal Bharad, a researcher and penetration tester from India, published a blog post earlier this week describing his findings.

Undisclosed Apache Velocity XSS vulnerability impacts GOV sites
2021-01-15 05:05

An undisclosed Cross-Site Scripting vulnerability in Apache Velocity Tools can be exploited by unauthenticated attackers to target government sites, including NASA and NOAA. Although 90 days have elapsed since the vulnerability was reported and patched, BleepingComputer is not aware of a formal disclosure made by the project. Govt sites using Apache Velocity Tools vulnerable to XSS. Apache Velocity Tools has an undisclosed XSS vulnerability, which impacts all its versions despite a fix having been published on GitHub months ago.

The patch that wasn't: Cisco emits fresh fixes for NTLM hash-spilling vuln and XSS-RCE combo in Jabber app
2020-12-10 17:30

A previous patch for Cisco's Jabber chat product did not in fact fix four vulnerabilities - including one remote code execution flaw that would allow malicious people to hijack targeted devices by sending a carefully crafted message. Watchcom added: "The patch released in September only patched the specific injection points that Watchcom had identified. The underlying issue was not addressed. We were therefore able to find new injection points that could be used to exploit the vulnerabilities."