Security News

XSS Vulnerability Exploited in Tech Support Scam
2020-10-22 13:49

Malwarebytes security researchers have identified a new campaign in which tech support scammers are exploiting a cross-site scripting vulnerability and are relying exclusively on links posted on Facebook to reach potential victims. This, they say, suggests that the tech support scammers were regularly changing these links to avoid blacklisting.

Information Disclosure, XSS Vulnerabilities Patched in Drupal
2020-09-17 14:39

Several information disclosure and cross-site scripting vulnerabilities, including one rated critical, have been patched this week in the Drupal content management system. The most serious of the flaws is CVE-2020-13668, a critical XSS issue affecting Drupal 8 and 9.

XSS, Open Redirect Vulnerabilities Patched in Drupal
2020-05-21 12:26

The latest Drupal updates patch cross-site scripting and open redirect vulnerabilities, but they have only been assigned "Moderately critical" severity ratings. Drupal 7.70 fixes an open redirect vulnerability related to "Insufficient validation of the destination query parameter in the drupal_goto() function." An attacker can exploit the flaw to redirect users to an arbitrary URL by getting them to click on a specially crafted link, Drupal said in its advisory.

Drupal Updates CKEditor to Patch XSS Vulnerabilities
2020-03-19 19:21

The developers of the Drupal content management system announced on Wednesday that updates for versions 8.8.x and 8.7.x address a couple of vulnerabilities affecting the CKEditor library. Drupal uses CKEditor and it has decided to update it to version 4.14, which patches two cross-site scripting vulnerabilities affecting earlier versions of the library.

XSS plugin vulnerabilities plague WordPress users
2020-03-03 10:44

Thousands of active WordPress plugins have been hit with a swathe of cross-site scripting vulnerabilities that could give attackers complete control of sites. Researchers at NinTechNet found a vulnerability in the WordPress Flexible Checkout Fields for WooCommerce plugin, which enhances the popular WordPress ecommerce system with the ability to configure custom checkout fields using a simple user interface.

Cookie-nabbing app could have served users side helping of XSS
2020-02-14 12:29

The GDPR Cookie Consent plugin, created by WebToffee, claims over 700,000 users. While the GDPR Cookie Consent plugin asks you if you'd mind accepting cookies, it doesn't ask you if you'd like a dollop of XSS with them too.

Microsoft Outlook for Android Bug Opens Door to XSS
2019-11-21 19:15

Successful exploitation allows attackers to steal potentially sensitive information, change appearance of the web page, and perform phishing, spoofing and drive-by-download attacks.

XSS Flaw in Gmail's Dynamic Email Feature Earns Researcher $5,000
2019-11-20 14:22

A researcher has earned $5,000 from Google for an interesting cross-site scripting (XSS) vulnerability found in the dynamic email feature added a few months ago to Gmail.

XSS security hole in Gmail’s dynamic email
2019-11-20 12:08

The bug was fixed at least a month ago so users receiving dynamic email content have one less thing to worry about.

Unpatched Bug Under Active Attack Threatens WordPress Sites with XSS
2019-09-25 16:28

The issue in the Rich Reviews plugin is being actively exploited.