Security News

Malicious scripts for reflected XSS attacks don't exist on your web application or site forever. Years ago, XSS vulnerabilities were mostly present in web application "Surface" inputs, such as in the type of form fields where sites may ask visitors to enter their names, email addresses, credit card info, or ZIP code.

An easy-to-exploit bug impacting the WordPress plugin ReDi Restaurant Reservation allows unauthenticated attackers to pilfer reservation data and customer personal identifiable information by simply submitting a malicious snippet of JavaScript code into the reservation comment field. The bug affects ReDi Restaurant Reservation versions prior to 21.0307, with a patched version of the plugin available for download. The vulnerability is a persistent cross-site scripting bug.

For a ransomware gang whose servers were purportedly commandeered last week, DarkSide has had a server-fueled weekend, with a reported hit on Toshiba Business. Late on Thursday night came a post to the "Exploit" underground forum that looked, at least, to be from DarkSide.

One of the most popular Russian-speaking hacker forums, XSS, has banned all topics promoting ransomware to prevent unwanted attention. XSS is a Russian-speaking hacking forum created to share knowledge about exploits, vulnerabilities, malware, and network penetration.

A bug bounty hunter claims he has earned a $5,000 reward from Apple for reporting a stored cross-site scripting vulnerability on iCloud.com. Vishal Bharad, a researcher and penetration tester from India, published a blog post earlier this week describing his findings.

An undisclosed Cross-Site Scripting vulnerability in Apache Velocity Tools can be exploited by unauthenticated attackers to target government sites, including NASA and NOAA. Although 90 days have elapsed since the vulnerability was reported and patched, BleepingComputer is not aware of a formal disclosure made by the project. Govt sites using Apache Velocity Tools vulnerable to XSS. Apache Velocity Tools has an undisclosed XSS vulnerability, which impacts all its versions despite a fix having been published on GitHub months ago.

A previous patch for Cisco's Jabber chat product did not in fact fix four vulnerabilities - including one remote code execution flaw that would allow malicious people to hijack targeted devices by sending a carefully crafted message. Watchcom added: "The patch released in September only patched the specific injection points that Watchcom had identified. The underlying issue was not addressed. We were therefore able to find new injection points that could be used to exploit the vulnerabilities."

"> LTD. Its name didn't contain the square brackets, meaning anyone reading company names off the Companies House API would potentially run a script from the web address above. Although whoever registered the company seems to have had non-hostile intentions - xss.

In a report published this week, HackerOne reveals that XSS flaws accounted for 18% of all reported issues, and that the bounties companies paid for these bugs went up 26% from last year, reaching $4.2 million. The second most awarded vulnerability type in 2020, HackerOne says, is Improper Access Control, which saw a 134% increase in occurrence compared to 2019, with a total of $4 million paid by companies in bug bounty rewards.

Browser lockers are a type of redirection attack where web surfers will click on a site, only to be sent to a page warning them that their computer is infected with "a virus" or malware. In a recent, widespread campaign, cyberattackers are using Facebook to distribute malicious links that ultimately redirect to a browser locker page, according to researchers.