Latest XSS news

New attack uses MSC files and Windows XSS flaw to breach networks

A novel command execution technique dubbed 'GrimResource' uses specially crafted MSC (Microsoft Saved Console) and an unpatched Windows XSS flaw to perform code execution via the Microsoft Management Console.
- Bill Toulas
- June 24, 2024
- 03:03 PM
- 0
High-severity GitLab flaw lets attackers take over accounts

GitLab patched a high-severity vulnerability that unauthenticated attackers could exploit to take over user accounts in cross-site scripting (XSS) attacks.
- Sergiu Gatlan
- May 23, 2024
- 01:43 PM
- 0
Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware

Hackers are breaching WordPress sites by exploiting a vulnerability in outdated versions of the Popup Builder plugin, infecting over 3,300 websites with malicious code.
- Bill Toulas
- March 10, 2024
- 11:38 AM
- 4
Joomla fixes XSS flaws that could expose sites to RCE attacks

Five vulnerabilities have been discovered in the Joomla content management system that could be leveraged to execute arbitrary code on vulnerable websites.
- Bill Toulas
- February 21, 2024
- 05:55 PM
- 0
CISA: Roundcube email server bug now exploited in attacks

CISA warns that a Roundcube email server vulnerability patched in September is now actively exploited in cross-site scripting (XSS) attacks.
- Sergiu Gatlan
- February 12, 2024
- 02:03 PM
- 0
Hackers steal data of 2 million in SQL injection, XSS attacks

A threat group named 'ResumeLooters' has stolen the personal data of over two million job seekers after compromising 65 legitimate job listing and retail sites using SQL injection and cross-site scripting (XSS) attacks.
- Bill Toulas
- February 06, 2024
- 02:00 AM
- 1
Over 150k WordPress sites at takeover risk via vulnerable plugin

Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site authentication.
- Bill Toulas
- January 11, 2024
- 04:54 PM
- 1
Over 1,450 pfSense servers exposed to RCE attacks via bug chain

Roughly 1,450 pfSense instances exposed online are vulnerable to command injection and cross-site scripting flaws that, if chained, could enable attackers to perform remote code execution on the appliance.
- Bill Toulas
- December 12, 2023
- 09:00 AM
- 2
Google: Hackers exploited Zimbra zero-day in attacks on govt orgs

Hackers leveraged a medium-severity security issue now identified as CVE-2023-37580 since June 29, nearly a month before the vendor addressed it in version 8.8.15 Patch 41of the software on July 25.
- Bill Toulas
- November 17, 2023
- 11:04 AM
- 0
European govt email servers hacked using Roundcube zero-day

The Winter Vivern Russian hacking group has been exploiting a Roundcube Webmail zero-day since at least October 11 to attack European government entities and think tanks.
- Sergiu Gatlan
- October 25, 2023
- 07:00 AM
- 0
Zimbra patches zero-day vulnerability exploited in XSS attacks

Two weeks after the initial disclosure, Zimbra has released security updates that patch a zero-day vulnerability exploited in attacks targeting Zimbra Collaboration Suite (ZCS) email servers.
- Sergiu Gatlan
- July 27, 2023
- 02:57 PM
- 0
WordPress Ninja Forms plugin flaw lets hackers steal submitted data

Popular WordPress form-building plugin Ninja Forms contains three vulnerabilities that could allow attackers to achieve privilege escalation and steal user data.
- Bill Toulas
- July 27, 2023
- 01:00 PM
- 3
Zimbra urges admins to manually fix zero-day exploited in attacks

Zimbra urged admins today to manually fix a zero-day vulnerability actively exploited to target and compromise Zimbra Collaboration Suite (ZCS) email servers.
- Sergiu Gatlan
- July 13, 2023
- 01:54 PM
- 0
Critical TootRoot bug lets attackers hijack Mastodon servers

Mastodon, the free and open-source decentralized social networking platform, has patched four vulnerabilities, including a critical one that allows hackers to create arbitrary files on instance-hosting servers using specially crafted media files.
- Bill Toulas
- July 07, 2023
- 12:40 PM
- 0
Hackers target 1.5M WordPress sites with cookie consent plugin exploit

Ongoing attacks are targeting an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in a WordPress cookie consent plugin named Beautiful Cookie Consent Banner with more than 40,000 active installs.
- Sergiu Gatlan
- May 24, 2023
- 06:38 PM
- 1
WordPress custom field plugin bug exposes over 1M sites to XSS attacks

Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks (XSS).
- Bill Toulas
- May 05, 2023
- 10:57 AM
- 1
Cisco discloses XSS zero-day flaw in server management tool

Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks.
- Sergiu Gatlan
- April 26, 2023
- 02:51 PM
- 5
Bing search results hijacked via misconfigured Microsoft app

A misconfigured Microsoft application allowed anyone to log in and modify Bing.com search results in real-time, as well as inject XSS attacks to potentially breach the accounts of Office 365 users.
- Bill Toulas
- March 30, 2023
- 01:05 PM
- 0
Jenkins discloses dozens of zero-day bugs in multiple plugins

On Thursday, the Jenkins security team announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open source automation server, 29 of the bugs being zero-days still waiting to be patched.
- Sergiu Gatlan
- July 01, 2022
- 06:12 AM
- 1
Screencastify Chrome extension flaws allow webcam hijacks

The popular Screencastify Chrome extension has fixed a vulnerability that allowed malicious sites to hijack users' webcams and steal recorded videos. However, security flaws still exist that could be exploited by unscrupulous insiders.
- Bill Toulas
- May 24, 2022
- 12:45 PM
- 0