Security News

A clever UPS phishing campaign utilized an XSS vulnerability in UPS.com to push fake and malicious 'Invoice' Word documents. The phishing scam was first discovered by security research Daniel Gallagher and pretended to be an email from UPS stating that a package had an "Exception" and needs to be picked up by the customer.

A stored cross-site scripting vulnerability in the SEOPress WordPress plugin could allow attackers to inject arbitrary web scripts into websites, researchers said. In July six critical flaws were disclosed that affected the WordPress plugin Front File Manager versions 17.1 and 18.2, active on more than 2,000 websites.

A cross-site scripting vulnerability patched last year in Cisco's Adaptive Security Appliance and Firepower Threat Defense software has reportedly been exploited in the wild. Reports of in-the-wild exploitation emerged shortly after cybersecurity firm Positive Technologies released a proof-of-concept exploit for the vulnerability tracked as CVE-2020-3580.

Malicious scripts for reflected XSS attacks don't exist on your web application or site forever. Years ago, XSS vulnerabilities were mostly present in web application "Surface" inputs, such as in the type of form fields where sites may ask visitors to enter their names, email addresses, credit card info, or ZIP code.

An easy-to-exploit bug impacting the WordPress plugin ReDi Restaurant Reservation allows unauthenticated attackers to pilfer reservation data and customer personal identifiable information by simply submitting a malicious snippet of JavaScript code into the reservation comment field. The bug affects ReDi Restaurant Reservation versions prior to 21.0307, with a patched version of the plugin available for download. The vulnerability is a persistent cross-site scripting bug.

For a ransomware gang whose servers were purportedly commandeered last week, DarkSide has had a server-fueled weekend, with a reported hit on Toshiba Business. Late on Thursday night came a post to the "Exploit" underground forum that looked, at least, to be from DarkSide.

One of the most popular Russian-speaking hacker forums, XSS, has banned all topics promoting ransomware to prevent unwanted attention. XSS is a Russian-speaking hacking forum created to share knowledge about exploits, vulnerabilities, malware, and network penetration.

A bug bounty hunter claims he has earned a $5,000 reward from Apple for reporting a stored cross-site scripting vulnerability on iCloud.com. Vishal Bharad, a researcher and penetration tester from India, published a blog post earlier this week describing his findings.

An undisclosed Cross-Site Scripting vulnerability in Apache Velocity Tools can be exploited by unauthenticated attackers to target government sites, including NASA and NOAA. Although 90 days have elapsed since the vulnerability was reported and patched, BleepingComputer is not aware of a formal disclosure made by the project. Govt sites using Apache Velocity Tools vulnerable to XSS. Apache Velocity Tools has an undisclosed XSS vulnerability, which impacts all its versions despite a fix having been published on GitHub months ago.

A previous patch for Cisco's Jabber chat product did not in fact fix four vulnerabilities - including one remote code execution flaw that would allow malicious people to hijack targeted devices by sending a carefully crafted message. Watchcom added: "The patch released in September only patched the specific injection points that Watchcom had identified. The underlying issue was not addressed. We were therefore able to find new injection points that could be used to exploit the vulnerabilities."