#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
SaaS Security

Search results for XSS | Breaking Cybersecurity News | The Hacker News

XSS Vulnerability discovered on Paypal

XSS Vulnerability discovered on Paypal

Mar 12, 2012
XSS Vulnerability discovered on Paypal Vansh and Vaibhuv two Indian Hacker found a XSS vulnerability in world famous site Paypal. Paypal is affected by an XSS vulnerability where it fails to validate input. One can add arbitrary javascript with no need for any filter evasion. This is a serious security issue, with potential implications that are only starting to be understood. However, it is critical to realize that this problem does not expose any way to break into the server itself. What it allows is for malicious attackers to potentially take control of the interaction between a user and a website. It is likely that the most serious thing that an attacker can potentially do in this situation is change how a page appears to a particular user. Also Read :  Kevin Mitnick's website open to Cross-Site Scripting ( XSS ) vulnerability
myOpenID XSS : One of the Largest OpenID provider is Vulnerable

myOpenID XSS : One of the Largest OpenID provider is Vulnerable

Nov 10, 2011
myOpenID XSS : One of the Largest OpenID provider is Vulnerable One of the One of the Largest Independent OpenID provider " myOpenID " is Vulnerable to Cross Site Scripting (XSS) ,Discovered by " SeeMe " - Member of Inj3ct0r Team. Cross Site Scripting (or XSS) is one of the most common application-layer web attacks. What Hacker can do - "The attackers can steal the session ID of a valid user using XSS. The session ID is very valuable because it is the secret token that the user presents after login as proof of identity until logout. If the session ID is stored in a cookie, the attackers can write a script which will run on the user's browser, query the value in the cookie and send it to the attackers. The attackers can then use the valid session ID to browse the site without logging in. The script could also collect other information from the page, including the entire contents of the page". Proof Of Concept - Click Here
How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

Mar 21, 2024SaaS Security / Endpoint Security
In today's digital-first business environment dominated by SaaS applications, organizations increasingly depend on third-party vendors for essential cloud services and software solutions. As more vendors and services are added to the mix, the complexity and potential vulnerabilities within the  SaaS supply chain  snowball quickly. That's why effective vendor risk management (VRM) is a critical strategy in identifying, assessing, and mitigating risks to protect organizational assets and data integrity. Meanwhile, common approaches to vendor risk assessments are too slow and static for the modern world of SaaS. Most organizations have simply adapted their legacy evaluation techniques for on-premise software to apply to SaaS providers. This not only creates massive bottlenecks, but also causes organizations to inadvertently accept far too much risk. To effectively adapt to the realities of modern work, two major aspects need to change: the timeline of initial assessment must shorte
New Security Vulnerabilities Uncovered in pfSense Firewall Software - Patch Now

New Security Vulnerabilities Uncovered in pfSense Firewall Software - Patch Now

Dec 15, 2023 Vulnerability / Software Security
Multiple security vulnerabilities have been discovered in the open-source Netgate pfSense firewall solution called pfSense that could be chained by an attacker to execute arbitrary commands on susceptible appliances. The issues relate to two reflected cross-site scripting ( XSS ) bugs and one command injection flaw, according to new findings from Sonar. "Security inside a local network is often more lax as network administrators trust their firewalls to protect them from remote attacks," security researcher Oskar Zeino-Mahmalat  said . "Potential attackers could have used the discovered vulnerabilities to spy on traffic or attack services inside the local network." Impacting pfSense CE 2.7.0 and below and pfSense Plus 23.05.1 and below, the shortcomings could be weaponized by tricking an authenticated pfSense user (i.e., an admin user) into clicking on a specially crafted URL, which contains an XSS payload that activates command injection. A brief description
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
55 New Security Flaws Reported in Apple Software and Services

55 New Security Flaws Reported in Apple Software and Services

Oct 09, 2020
A team of five security researchers analyzed several Apple online services for three months and found as many as 55 vulnerabilities, 11 of which are critical in severity. The flaws — including 29 high severity, 13 medium severity, and 2 low severity vulnerabilities — could have allowed an attacker to "fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources." The flaws meant a bad actor could easily hijack a user's iCloud account and steal all the photos, calendar information, videos, and documents, in addition to forwarding the same exploit to all of their contacts. The findings were  reported by Sam Curry  along with Brett Buerhaus, Ben Sadeghipo
XSS Vulnerability On Twitter Found by 15 Years Old Expert

XSS Vulnerability On Twitter Found by 15 Years Old Expert

Dec 04, 2011
XSS Vulnerability On Twitter Found by 15 Years Old Expert A 15 years old XSS Expert " Belmin Vehabovic(~!White!~) " discovered XSS Vulnerability On Twitter and report us. The Vulnerable link is here . Even He also Discovered XSS Vulnerability in Facebook also as tweeted by him Yesterday  &Facebook is offering him $700 as Bounty.
Critical Flaws in Magento leave Millions of E-Commerce Sites at Risk

Critical Flaws in Magento leave Millions of E-Commerce Sites at Risk

Jan 27, 2016
If you are using Magento to run your e-commerce website, it's time for you to update the CMS ( content management system ) now. Millions of online merchants are at risk of hijacking attacks due to a number of critical cross-site scripting (XSS) vulnerabilities in the Magento, the most popular e-commerce platform owned by eBay. Why the Bugs are So Serious? Virtually all versions of Magento Community Edition 1.9.2.2 and earlier as well as Enterprise Edition 1.14.2.2 and earlier, are vulnerable to the Stored Cross-Site Scripting (XSS) flaws. The stored XSS flaws are awful as they allow attackers to: Effectively take over a Magento-based online store Escalate user privileges Siphon customers' data Steal credit card information Control the website via administrator accounts However, the good news is that the vulnerabilities are patched, and an update has been made available to the public after security firm Sucuri discovered and privately reported the v
XSS Vulnerability in Interactive YouTube API Demo Beta

XSS Vulnerability in Interactive YouTube API Demo Beta

Oct 23, 2011
XSS Vulnerability in Interactive YouTube API Demo Beta There is a Critical Cross site XSS Vulnerability in Interactive YouTube API Demo Beta, Discovered by various sources. One of the White Hat Hacker " Vansh Sharma " Inform us about this XSS Vulnerability with proof of concept. Proof Of Concept : Open  https://gdata.youtube.com/ Enter script <img src="<img src=search"/onerror=alert("xss")//"> in the keyword area. Press ADD
Cross Site Scripting Vulnerability at Google Appspot

Cross Site Scripting Vulnerability at Google Appspot

Aug 20, 2011
Cross Site Scripting Vulnerability at Google Appspot The Google Appspot " ClickDesk " login page is vulnerable to Cross Site Scripting attack. Cross Site scripting attack is a critical issue in web application. When an attacker gets a user's browser to execute his/her XSS code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read (keylogging), modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. The vulnerability can easily be amplified by publicly available tools like Cross Site Scripting framework (XSSF), Cross Site Scripting harvest perl (XSS-Harvest) and so on. Proof of concept: The following proof-of concept sample will do a HTTP POST to trigger the XSS vuln
Yahoo Mail hijacking exploit available for $700

Yahoo Mail hijacking exploit available for $700

Nov 27, 2012
An Egyptian hacker " TheHell " is selling an exploit in $700 that allows individuals to hijack a Yahoo! email account. The method is shown off in a video that was posted on YouTube. A cross-site scripting (XSS) flaw on Yahoo! Mail creates a means to steal cookies and hijack accounts. In order to work, the victim must click on a malcious link. Upon doing so, the user's cookies will be stolen and he or she will be redirected back to the Yahoo! email home page. " I'm selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers ," "TheHell" explained. " And you don't need to bypass IE or Chrome xss filter as it do that itself because it's stored xss ." Yahoo! has been notified and is looking for the security hole, which it says can be fixed in a few hours once discovered. They says this XSS flaw falls into the category of a stored vulnerability, which inserts malicious code into a file, database, or back-end system. The mali
XSS Vulnerability in Google Code site

XSS Vulnerability in Google Code site

Dec 08, 2011
XSS (Cross site Scripting )  Vulnerability discovered on Google Code website as shown. Claimed to be Discovered by  Vansh Sharma & Vaibhuv Sharma. Proof Of Concept: Just go to https://code.google.com/apis/ajax/playground/  and then click on edit HTML after that remove all the codes and type this script: < img src="< img src=search"/onerror=alert("XSS")//"> And click on DEBUG CODE , and then first it will show you " Sample must have <head> element " click OK and wait for the window to load if nothing happen then try the same thing again or simply you can click on RUN CODE, and you will get a popup which is XSS. Another Similar XSS posted by  +Pirate , as posted on HackForum Community.
20 Famous websites vulnerable to Cross Site Scripting (XSS) Attack

20 Famous websites vulnerable to Cross Site Scripting (XSS) Attack

Sep 06, 2011
20 Famous websites vulnerable to Cross Site Scripting (XSS) Attack Most of the biggest and Famous sites are found to be Vulnerable to XSS attack . Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting was originally referred to as CSS, although this usage has been largely discontinued. Hacker with code name " Invectus " list some such famous sites with XSS vulnerability as listed below : 1.) https://video.state.gov/en/search/img-srchttp-i55tinypiccom-witu7dpng-height650-width1000/Ij48aW1nIHNyYz0iaHR0cD
Indian United Nations & Football Association website's XSS Vulnerabilities found by TriCk (TeaMp0isoN)

Indian United Nations & Football Association website's XSS Vulnerabilities found by TriCk (TeaMp0isoN)

Feb 26, 2011
Indian United Nations & Football Association website's XSS  Vulnerabilities found by TriCk (TeaMp0isoN) 1.) The FA (The Football Association) XSS Vulnerability - TriCk - TeaMp0isoN Link : Click Here 2.) Indian United Nations XSS Vulnerability - TriCk - TeaMp0isoN Link : Click Here News Source : TriCk - TeaMp0isoN | Via Email
Progress Software Releases Urgent Hotfixes for Multiple Security Flaws in WS_FTP Server

Progress Software Releases Urgent Hotfixes for Multiple Security Flaws in WS_FTP Server

Sep 29, 2023 Server Security / Vulnerability
Progress Software has released hotfixes for a critical security vulnerability, alongside seven other flaws, in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server manager interface. Tracked as  CVE-2023-40044 , the flaw has a CVSS score of 10.0, indicating maximum severity. All versions of the software are impacted by the flaw. "In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system," the company  said  in an advisory. Assetnote security researchers Shubham Shah and Sean Yeoh have been credited with discovering and reporting the vulnerability. The list of remaining flaws, impacting WS_FTP Server versions prior to 8.8.2, is as follows - CVE-2023-42657  (CVSS score: 9.9) - A directory traversal vulnerability that could be exploited to perform file operations. CVE-2023-40045
XSS Vulnerability in Facebook Translations !

XSS Vulnerability in Facebook Translations !

Mar 09, 2011
Summary The Facebook Translations tool's search feature was vulnerable to a simple reflected XSS attack. How did it work? The  Translations tool  allows users to perform phrase searches within translations. In this case, when a search query returned 0 results, the script displayed a message ("Your search for "YOUR PHRASE HERE" did not match any results.") which contained unsanitized user input (the search query). Why is this important? The XSS vulnerability was on Facebook.com. An attacker could have used it to access or change information on people's accounts. Despite Facebook's claims that they've  eliminated   XSS vulnerabilities , it's clear that some portions of the site are better protected than others (ie: Translations was probably not using XHP). Lesser used portions of the site, like the Translations tool, are often the most vulnerable since they're not updated as often or tested as frequently. More Information I want to thank Facebook for responding to my report and fixin
Hacker reports Vulnerability in Mr. Robot Season 2 Website

Hacker reports Vulnerability in Mr. Robot Season 2 Website

May 12, 2016
Mr. Robot was the biggest 'Hacking Drama' television show of 2015 and its second season will return to American TV screens on Wednesday 13th of July 2016. However, the new promotional website for season two of Mr. Robot has recently patched a security flaw that could have easily allowed a hacker to target millions of fans of the show. A White Hat hacker going by the alias Zemnmez discovered a Cross-Site Scripting (XSS) vulnerability in Mr. Robot website on Tuesday, the same day Mr. Robot launched a promo for its second series. The second season of the television show had already received praise from both critics and viewers for its relatively accurate portrayal of cyber security and hacking, something other cyber crime movies and shows have failed at badly. The new series also features a surprising yet welcome guest: President Barack Obama , who is giving a speech about a cyber threat faced by the nation. The flaw Zemnmez discovered on the show's website coul
Vulnerability in HTC website allow attacker to hijack accounts

Vulnerability in HTC website allow attacker to hijack accounts

Dec 28, 2012
Thamatam Deepak (Mr.47™) reported a Cross site scripting (XSS) Vulnerability and cookie handling in HTC website, that allow an attacker to HTC website hijack accounts. Mr. Deepak is a 16 years old whitehat hacker, listed in Apple Hall of Fame with 'The Hacker News' researcher Mohit Kumar this month. Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. The malicious script can access any cookies, session tokens, or other sensitive information retained by your browser. This vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross site scripting is very common web application vulnerability, Yesterday our security researcher, Christy Philip Mathew reported about multiple xss in official latest versions of cPanel and WHM . As reported by Whitehat hacker Deepak, there are multiple xss in HTC website, that allow an attacker
PayPal Vulnerability Allows Hackers to Steal All Your Money

PayPal Vulnerability Allows Hackers to Steal All Your Money

Aug 27, 2015
A critical security vulnerability has been discovered in the global e-commerce business PayPal that could allow attackers to steal your login credentials , and even your credit card details in unencrypted format. Egypt-based researcher Ebrahim Hegazy discovered a Stored Cross Site Scripting (XSS) vulnerability in the Paypal's Secure Payments domain. As it sounds, the domain is used to conduct secure online payments when purchasing from any online shopping website. It enables buyers to pay with their payment cards or PayPal accounts, eliminating the need to store sensitive payment information. However, it is possible for an attacker to set up a rogue online store or hijacked a legitimate shopping website, to trick users into handing over their personal and financial details. How the Stored XSS Attack Works? Hegazy explains a step by step process in his blog post , which gives a detailed explanation of the attack. Here's what the researcher calls the worst attack scenario:
XSS vulnerability reported in Yahoo subdomain website

XSS vulnerability reported in Yahoo subdomain website

Jan 08, 2012
XSS vulnerability reported in Yahoo subdomain website Vansh Sharma & Vaibhuv Sharma from India Reported another important Cross site scripting XSS vulnerability in Yahoo subdomain as shown. Vulnerable Link :  https://au.tv.yahoo.com/plus7/royal-pains/ Cross-site scripting ( XSS ) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users.
Microsoft Edge Bug Could've Let Hackers Steal Your Secrets for Any Site

Microsoft Edge Bug Could've Let Hackers Steal Your Secrets for Any Site

Jun 28, 2021
Microsoft last week rolled out updates for the Edge browser with  fixes for two security issues , one of which concerns a security bypass vulnerability that could be exploited to inject and execute arbitrary code in the context of any website. Tracked as  CVE-2021-34506  (CVSS score: 5.4), the weakness stems from a universal cross-site scripting (UXSS) issue that's triggered when automatically translating web pages using the browser's  built-in feature via Microsoft Translator . Credited for discovering and reporting CVE-2021-34506 are Ignacio Laurence as well as Vansh Devgan and Shivam Kumar Singh with CyberXplore Private Limited.  "Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code," CyberXplore researchers  said  in a write-up shared with The Hacker News. "When such vulnerabilities are found and exploited,
Minor flaw allows Hacker to hijack Avira Antivirus customers accounts

Minor flaw allows Hacker to hijack Avira Antivirus customers accounts

Apr 12, 2013
Cross site scripting vulnerabilities are mistakenly considered unimportant, but they could allow attackers to inject client-side script in web pages visited by victims. A cross-site scripting (xss) vulnerability may be exploited by hackers to bypass access controls going beyond the exceptions. An Egyptian information security advisor Ebrahim Hegazy (Zigoo) has found an XSS vulnerability in the Avira license daemon. license.avira.com But instead of exploiting it in a normal way " alert('MyName') " stuff and then reporting, He decided to demonstrate it to Avira security team in a different mode with the purposes to show how could an XSS vulnerability allows the hackers to steal user accounts with a clear text data! To demonstrate this attack he has created 4 files: avira.html - the fake login page log.php - the logger which will log the credentials as clear text into txt file avira.txt - credentials will be found here done.html - wi
Cybersecurity Resources