Search results for XSS | Breaking Cybersecurity News | The Hacker News

It's time to update your Drupal websites, once again. For the second time within a month , Drupal has been found vulnerable to another critical vulnerability that could allow remote attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft. Discovered by the Drupal security team, the open source content management framework is vulnerable to cross-site scripting (XSS) vulnerability that resides in a third-party plugin CKEditor which comes pre-integrated in Drupal core to help site administrators and users create interactive content. CKEditor is a popular JavaScript-based WYSIWYG rich text editor which is being used by many websites, as well as comes pre-installed with some popular web projects. According to a security advisory released by CKEditor, the XSS vulnerability stems from the improper validation of " img " tag in Enhanced Image plugin for CKEditor 4.5.11 and later versions. This could allow an attacker to...

Krunal Goswami ( tech2spider ) found new XSS in Stanford University Website ! Tech2spider has submitted a cross-site-scripting (XSS) vulnerability affecting stanford.edu. We manually validated and publishing th. It is currently unfixed.is news. Check this Link :  https://www.stanford.edu/group/ tabletennis/cgi-bin/index.php? photos&event=%3Cscript%20type= %22text/javascript%22%20% 3Ealert%28%22XSS%20Vulnerable% 22%29%3C/script%3E News Source :  Krunal Goswami ( tech2spider )

Double nibble URI decoding XSS Vulnerability on   EC Council website What EC Council is ? They offers certifications in certified ethical hacker ceh, Computer Security, network security, internet security program and computer forensics and penetration testing. Information Security, Ethical Hacking, Computer Forensics, Advanced Penetration Testing, Application Security, Disaster Recovery and other critical Information Security Topics and Security Courses. XSS POC : Link : Click Here Submitted By :  Nulled Byte

Cybersecurity researchers have disclosed new security vulnerabilities in the Etherpad text editor (version 1.8.13) that could potentially enable attackers to hijack administrator accounts, execute system commands, and even steal sensitive documents. The two flaws — tracked as CVE-2021-34816 and CVE-2021-34817 — were discovered and reported on June 4 by researchers from SonarSource, following which patches have been shipped for the latter in  version 1.8.14  of Etherpad released on July 4. Etherpad is a real-time collaborative interface that enables a document to be edited simultaneously by multiple authors. It is an open-source alternative to Google Docs that can be self-hosted or used through one of the many third-party public instances available. "The XSS vulnerability allows attackers to take over Etherpad users, including admins. This can be used to steal or manipulate sensitive data," SonarSource vulnerability researcher Paul Gerste  said  in a report shar...

Just few days ago, we reported about two critical vulnerability in mobile version of the most popular password manager application from a popular Password management company RoboForm , which manages your passwords for different websites. Now, researchers have published a detailed explanation on the security vulnerabilities discovered in five different and popular password managers , including RoboForm, that could allow cybercriminals to grab your credentials. The serious security holes were found and reported by the University of California Berkeley researchers named: Zhiwei Li, Warren He, Devdatta Akhawe and Dawn Song . The critical vulnerabilities were discovered in the popular password managers that includes RoboForm, LastPass, My1Login, PasswordBox and NeedMyPassword . " Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user's credentials for arbitrary websites, " Researchers wrote in the paper (PDF) tit...

A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to pilfer email data, user credentials, and authentication tokens. "Most of this activity occurred after the initial fix became public on GitHub," Google Threat Analysis Group (TAG)  said  in a report shared with The Hacker News. The flaw, tracked as  CVE-2023-37580  (CVSS score: 6.1), is a  reflected cross-site scripting  (XSS) vulnerability impacting versions before 8.8.15 Patch 41. It was  addressed  by Zimbra as part of patches released on July 25, 2023. Successful exploitation of the shortcoming could allow execution of malicious scripts on the victims' web browser simply by tricking them into clicking on a specially crafted URL, effectively initiating the XSS request to Zimbra and reflecting the attack back to the user. Google TAG, whose researcher Clément Lecigne was credited with discovering and reporting the bug, s...

XSS Vulnerability on AOL Energy website A non-persistent Cross Site Scripting (XSS) vulnerability discovered on AOL Energy website. The similar Vulnerability is claimed by few other guys on some forums too. No clue that who found it first, But THN got update from Vansh & Vaibhuv from India.

Microsoft has patched a misconfiguration issue impacting the Azure Active Directory ( AAD ) identity and access management service that exposed several "high-impact" applications to unauthorized access. "One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users," cloud security firm Wiz  said  in a report. "Those attacks could compromise users' personal data, including Outlook emails and SharePoint documents." The issues were reported to Microsoft in January and February 2022, following which the tech giant applied fixes and awarded Wiz a $40,000 bug bounty. Redmond  said  it found no evidence that the misconfigurations were exploited in the wild. The crux of the vulnerability stems from what's called "Shared Responsibility confusion," wherein an Azure app can be incorrectly configured to allow users from any Micro...

XSS attack on CIA (Central Itelligence Agency) Website by lionaneesh After Ddos attack on CIA (Central Itelligence Agency) website by Lulzsec, lionaneesh , an Indian hacker have found XSS Vulnerability on same site as shown. The Vulnerabile link is here  . You can join Loinaneesh on Twitter . 

A pair of severe security vulnerabilities have been disclosed in the Jenkins open source automation server that could lead to code execution on targeted systems. The flaws, tracked as  CVE-2023-27898  and  CVE-2023-27905 , impact the Jenkins server and Update Center, and have been collectively christened  CorePlague  by cloud security firm Aqua. All versions of Jenkins versions prior to 2.319.2 are vulnerable and exploitable. "Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially leading to a complete compromise of the Jenkins server," the company said in a report shared with The Hacker News. The shortcomings are the result of how Jenkins processes plugins available from the  Update Center , thereby potentially enabling a threat actor to upload a plugin with a malicious payload and trigger a cross-site scripting (XSS) attack. "Once the victim opens the ' Availabl...

Delhi University 's & Pakistani.pk  site is vuln to XSS ! angel (4d0r4b13) Found Xss cross site scripting vulnerability in Delhi University Website, as shown. vulnerable Link :  : https://du.ac.in/index. php?id=276&sitesearch=du.ac. in&client=pub- 017673838153185424638% 3Aoxnjzwaqtce&cof=FORID%3A10& ie=UTF-8&q=%22%3E%3Cscript% 3Ealert%28%22Vuln+found+by+ 4ng31+4k4+4d0r4b13..!+angelws+ here..!+enjoy....!+delhi+ university..!+hehe..!+%3D%29+% 3D%29+%3B%29+%22%29%3C% 2Fscript%3E and  https://pakistani.pk/?s=%22%3E%3Cscript%3Ealert%28%22angel%20w45%20here..!%20heheheh%20pakistani.pk%20vuln%20to%20xss%20yup%20it%20is//!%20greets:Indian%20r00ting%20w1z4rd5..!%20vuln%20found%20n%20executed%20by%20angel%204k4%204d0r4b13%22%29%3C/script%3E

Devansh Kumar Jain Found Xss venerability in 4 Websites !  Devansh Kumar Jain is a 14 years old Hacker From Agra, India . He found some Xss venerable sites,as listed below : 1.)   https://sdb.drshnaps.com/search.php?q= <script>alert(String.fromCharCode(68,69,86))</script> 2.)   https://www.newdimensions.org/search.php?q= <script>alert(String.fromCharCode(68,69,86))</script> 3.)   https://classifieds.successcds.net/search.php?q= <h1><b><i>hi</i></b></h1> 4.)   https://pcstats.shoplinc.com/search.php?q= <script>alert(String.fromCharCode(68,69,86))</script> News Source : Devansh Kumar | Via Message

Cross Site Scripting Vulnerability in Speed Bit Search Engine Debasish Mandal, A hacker from India , Found that there is a XSS through JavaScript Injection vulnerability in the Home page of Speed Bit Search Engine.The XSS filter is filtering normal html /script /iframe tags but XSS can be achieved by injecting JavaScript event "onmouseover()".Technical Description is below. Debasish have reported the vulnerability to the Speed Bit Team but haven't yet got any response from their side. Proof Of Concept: 1) Visit this URL https://search.speedbit.com/?aff=grbr" onmousemove="alert(document.cookie) 2) Bring mouse cursor over the hyperlink shown in the image and you should see a POP up box showing the browser cookies. Submitted By :  Debasish Mandal, India.

Multiple Cross Site Scripting ( #XSS ) Vulnerabilities in Forbes Ucha Gobejishvili ( longrifle0x ) , A Georgian Security Researcher Discover two Cross Site Scripting ( XSS ) Vulnerabilities on the Official website of Forbes , an American publishing and media company. Cross-Site Scripting occurs when an attacker can send a malicious script to a different user by relaying the script from an otherwise trusted or innocuous server. These flaws are extensive on the Web and allow an attacker to place malicious code that can execute attacks against other users in the security context of the web servers of the trusted host. 1.) First Vulnerable Link : Click Here 2.) Second Vulnerable Link : Click Here Cross-Site Scripting typically involves executing commands in a user's browser to display unintended content, or with the intent of stealing the user's login credentials or other personal information. This information can then be used by the attacker to access web sites and ser...

An application layer or 'layer 7' distributed denial of service ( DDoS ) attacks is one of the most complicated web attack that disguised to look like legitimate traffic but targets specific areas of a website, making it even more difficult to detect and mitigate. Just Yesterday Cloud-based security service provider ' Incapsula ' detected a unique application layer DDoS attack, carried out using traffic hijacking techniques. DDoS attack flooded one of their client with over 20 million GET requests, originating from browsers of over 22,000 Internet users. What makes this case especially interesting is the fact that the attack was enabled by persistent XSS vulnerability in one of the world's largest and most popular site - one of the domains on Alexa's " Top 50 " list. XSS  vulnerability  to Large-Scale DDoS Attack Incapsula has not disclosed the name of vulnerable website for security reasons, but mentioned it as a high profile video content provid...

Kevin Mitnick 's website open to Cross-Site Scripting ( XSS ) vulnerability Cross-Site Scripting ( XSS ) vulnerability discovered in official website of Kevin Mitnick (one of the most talented hackers, and the one one most prosecuted by the state. Mitnick's hacker handle was "Condor". He became the first hacker to appear on an FBI "Most Wanted" poster, for breaking into the Digital Equipment Company computer network, Mitnick has become something of a celebrity in hacker circles due to his Hacking talent) by  Fabián Cuchietti . This is a serious security issue, with potential implications that are only starting to be understood. However, it is critical to realize that this problem does not expose any way to break into the server itself. What it allows is for malicious attackers to potentially take control of the interaction between a user and a website. It is likely that the most serious thing that an attacker can potentially do in this situation is chang...

Just as Colonial Pipeline  restored  all of its systems to operational status in the wake of a crippling ransomware incident a week ago, DarkSide, the cybercrime syndicate behind the attack, claimed it lost control of its infrastructure, citing a law enforcement seizure. All the dark web sites operated by the gang, including its DarkSide Leaks blog, ransom collection site, and breach data content delivery network (CDN) servers, have gone dark and remain inaccessible as of writing. In addition, the funds from their cryptocurrency wallets were allegedly exfiltrated to an unknown account, according to a note passed by DarkSide operators to its affiliates. "At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked," the  announcement  obtained by Intel 471 read. The development comes as DarkSide closed its Ransomware-as-a-Service (RaaS) affiliate program for good "due to the pressure from the U.S.", with the group stating th...

Yesterday, we report about the security breach in US Government computers belongs to NASA  restricted area website and Hacker dump out the complete source code and files from server of the website. Today another hacker claim a quick XSS (Cross site scripting) Vulnerability in NASA's Jet Propulsion Laboratory website (https://onearth.jpl.nasa.gov/) via a pastebin note. Hacker is going by name " Antraxt Hacker " and said about vulnerability exposure that,"I just want to proof that NASA is and never will be secured as human kind thinks they are". The xss vulnerable link is disclosed in pastebin note. I feel this not a offensive hack by hacker, even NASA should take advantage of free of cost Penetration testing services from individual like , who even not looking for Bug Bounties.

Cybersecurity researchers today disclosed several security issues in popular online dating platform OkCupid that could potentially let attackers remotely spy on users' private information or perform malicious actions on behalf of the targeted accounts. According to a report shared with The Hacker News, researchers from Check Point found that the flaws in OkCupid's Android and web applications could allow the theft of users' authentication tokens, users IDs, and other sensitive information such as email addresses, preferences, sexual orientation, and other private data. After Check Point researchers responsibly shared their findings with OkCupid, the Match Group-owned company fixed the issues, stating, "not a single user was impacted by the potential vulnerability." The Chain of Flaws The flaws were identified as part of reverse engineering of OkCupid's Android app version 40.3.1, which was released on April 29 earlier this year. Since then, there ...

Hackers have been found exploiting a pair of critical security vulnerabilities in one of the popular social media sharing plugins to take control over WordPress websites that are still running a vulnerable version of the plugin. The vulnerable plugin in question is Social Warfare which is a popular and widely deployed WordPress plugin with more than 900,000 downloads. It is used to add social share buttons to a WordPress website or blog. Late last month, maintainers of Social Warfare for WordPress released an updated version 3.5.3 of their plugin to patch two security vulnerabilities—stored cross-site scripting (XSS) and remote code execution (RCE)—both tracked by a single identifier, i.e., CVE-2019-9978 . Hackers can exploit these vulnerabilities to run arbitrary PHP code and take complete control over websites and servers without authentication, and then use the compromised sites to perform digital coin mining or host malicious exploit code. However, the same day when Soc...