#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

Cross-site Scripting | Breaking Cybersecurity News | The Hacker News

Category — Cross-site Scripting
Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks

Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks

Mar 08, 2023 Open Source / Automation Tool
A pair of severe security vulnerabilities have been disclosed in the Jenkins open source automation server that could lead to code execution on targeted systems. The flaws, tracked as  CVE-2023-27898  and  CVE-2023-27905 , impact the Jenkins server and Update Center, and have been collectively christened  CorePlague  by cloud security firm Aqua. All versions of Jenkins versions prior to 2.319.2 are vulnerable and exploitable. "Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially leading to a complete compromise of the Jenkins server," the company said in a report shared with The Hacker News. The shortcomings are the result of how Jenkins processes plugins available from the  Update Center , thereby potentially enabling a threat actor to upload a plugin with a malicious payload and trigger a cross-site scripting (XSS) attack. "Once the victim opens the ' Availabl...
Important Flaw in Outlook App for Android Affects Over 100 Millions Users

Important Flaw in Outlook App for Android Affects Over 100 Millions Users

Jun 20, 2019
Update (22 June 2019)  — More technical details and proof-of-concept for the OutLook for Android vulnerability has been released that we have covered in a separate article here. Microsoft today released an updated version of its "Outlook for Android" that patches an important security vulnerability in the popular email app that is currently being used over 100 million users. According to an advisory , Outlook app with versions before 3.0.88 for Android contains a stored cross-site scripting vulnerability ( CVE-2019-1105 ) in the way the app parses incoming email messages. If exploited, remote attackers can execute malicious in-app client-side code on the targeted devices just by sending them emails with a specially crafted message. "The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user." According to Microsoft, the fl...
Product Walkthrough: How Reco Discovers Shadow AI in SaaS

Product Walkthrough: How Reco Discovers Shadow AI in SaaS

Jan 09, 2025AI Security / SaaS Security
As SaaS providers race to integrate AI into their product offerings to stay competitive and relevant, a new challenge has emerged in the world of AI: shadow AI.  Shadow AI refers to the unauthorized use of AI tools and copilots at organizations. For example, a developer using ChatGPT to assist with writing code, a salesperson downloading an AI-powered meeting transcription tool, or a customer support person using Agentic AI to automate tasks – without going through the proper channels. When these tools are used without IT or the Security team's knowledge, they often lack sufficient security controls, putting company data at risk. Shadow AI Detection Challenges Because shadow AI tools often embed themselves in approved business applications via AI assistants, copilots, and agents they are even more tricky to discover than traditional shadow IT. While traditional shadow apps can be identified through network monitoring methodologies that scan for unauthorized connections based on...
5 Popular Web Hosting Services Found Vulnerable to Multiple Flaws

5 Popular Web Hosting Services Found Vulnerable to Multiple Flaws

Jan 16, 2019
A security researcher has discovered multiple one-click client-side vulnerabilities in the some of the world's most popular and widely-used web hosting companies that could have put millions of their customers as well as billions of their sites' visitors at risk of hacking. Independent researcher and bug-hunter Paulos Yibelo, who shared his new research with The Hacker News, discovered roughly a dozen serious security vulnerabilities in Bluehost, Dreamhost, HostGator, OVH, and iPage, which amounts to roughly seven million domains. Some of the vulnerabilities are so simple to execute as they require attackers to trick victims into clicking on a simple link or visiting a malicious website to easily take over the accounts of anyone using the affected web hosting providers. Critical Flaws Reported in Popular Web Hosting Services Yibelo tested all the below-listed vulnerabilities on all five web hosting platforms and found several account takeover, cross-scripting, and in...
cyber security

Secure Your Azure: Proactive Tips for Cloud Protection

websiteWizCloud Security
Discover how to boost your Azure cloud security with practical steps to help you maintain control and visibility.
Hacker reports Vulnerability in Mr. Robot Season 2 Website

Hacker reports Vulnerability in Mr. Robot Season 2 Website

May 12, 2016
Mr. Robot was the biggest 'Hacking Drama' television show of 2015 and its second season will return to American TV screens on Wednesday 13th of July 2016. However, the new promotional website for season two of Mr. Robot has recently patched a security flaw that could have easily allowed a hacker to target millions of fans of the show. A White Hat hacker going by the alias Zemnmez discovered a Cross-Site Scripting (XSS) vulnerability in Mr. Robot website on Tuesday, the same day Mr. Robot launched a promo for its second series. The second season of the television show had already received praise from both critics and viewers for its relatively accurate portrayal of cyber security and hacking, something other cyber crime movies and shows have failed at badly. The new series also features a surprising yet welcome guest: President Barack Obama , who is giving a speech about a cyber threat faced by the nation. The flaw Zemnmez discovered on the show's website coul...
Hacking WordPress Website with Just a Single Comment

Hacking WordPress Website with Just a Single Comment

Apr 28, 2015
Most of the time, we have reported about WordPress vulnerabilities involving vulnerable plugins, but this time a Finnish security researcher has discovered a critical zero-day vulnerability in the core engine of the WordPress content management system. Yes, you heard it right. The WordPress CMS used by Millions of website is vulnerable to a zero-day flaw that could allow hackers to remote code execution on the Web server in order to take full control of it. The vulnerability, found by Jouko Pynnönen of Finland-based security firm Klikki Oy, is a Cross-Site Scripting (XSS) flaw buried deep into the WordPress' comments system. The vulnerability affects the WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest WordPress version 4.2. Pynnönen disclosed the details of the zero-day flaw, along with a video and a proof-of-concept code for an exploit of the bug, on his blog post on Sunday before the WordPress team could manage to release a patch. Why the researcher m...
Firing Range — Open Source Web App Vulnerability Scanning Tool From Google

Firing Range — Open Source Web App Vulnerability Scanning Tool From Google

Nov 20, 2014
Google on Tuesday launched a Security testing tool "Firing Range" , which aimed at improving the efficiency of automated Web application security scanners by evaluating them with a wide range of cross-site scripting (XSS) and a few other web vulnerabilities seen in the wild. Firing Range basically provides a synthetic testing environment mostly for cross-site scripting (XSS) vulnerabilities that are seen most frequently in web apps. According to Google security engineer Claudio Criscione, 70 percent of the bugs in Google's Vulnerability Reward Program are cross-site scripting flaws . In addition to XSS vulnerabilities , the new web app scanner also scans for other types of vulnerabilities including reverse clickjacking , Flash injection , mixed content, and cross-origin resource sharing vulnerabilities. Firing Range was developed by Google with the help of security researchers at Politecnico di Milano in an effort to build a test ground for automated scanners...
Adobe Releases Critical Security Updates for Acrobat and Reader

Adobe Releases Critical Security Updates for Acrobat and Reader

Sep 18, 2014
After a week delay, Adobe has finally pushed out critical security updates for its frequently-attacked Reader and Acrobat PDF software packages to patch serious vulnerabilities that could lead to computers being compromised. The new versions of Adobe Reader and Acrobat released Tuesday for both Windows and Macintosh computers address eight vulnerabilities, five of which could allow for remote code execution . The remaining three vulnerabilities involve a sandbox bypass vulnerability that can be exploited to escalate an attacker's privileges on Windows, a denial-of-service (DoS) vulnerability related to memory corruption, and a cross-site scripting (XSS) flaw that only affects the programs on the Mac platform. According to Adobe's advisory , applying the patches will involve a system restart. The affected versions are: Adobe Reader XI (11.0.08) and earlier 11.x versions for Windows Adobe Reader XI (11.0.07) and earlier 11.x versions for Macintosh Adobe Reade...
Facebook Self-XSS Scam Fools Users into Hacking Themselves

Facebook Self-XSS Scam Fools Users into Hacking Themselves

Jul 29, 2014
Scammers have again targeted more than one billion active users of the popular social networking giant Facebook, to infect as many victims as possible. Not by serving fake post, neither by providing malicious video link, instead this time scammers have used a new way of tricking Facebook users into injecting or placing malicious JavaScript or client-side code into their web browsers. This malicious code could allow an attacker to gain access to victims' accounts, thereby using it for fraud, to send spams, and promoting further attacks by posting the scam on timeline to victims' friends. This technique is known as Self Cross-site Scripting or Self XSS. Self-XSS (Self Cross-Site Scripting) scam is a combination of social engineering and a browser vulnerability , basically designed to trick Facebook users' into providing access to their account. Once an attacker or scammer gets access to users' Facebook account, they can even post and comment on things on users' behalf. ...
Expert Insights / Articles Videos
Cybersecurity Resources