7734 matches found
CVE-2020-19007
Halo blog 1.2.0 allows users to submit comments on blog posts via /api/content/posts/comments. The javascript code supplied by the attacker will then execute in the victim user's browser...
Hardcoded credentials
Halo blog 1.2.0 allows users to submit comments on blog posts via /api/content/posts/comments. The javascript code supplied by the attacker will then execute in the victim user's browser...
blog.5iux.cn Cross Site Scripting vulnerability OBB-1277952
Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...
CVE-2020-19007
CVE-2020-19007 affects Halo blog 1.2.0. The issue allows users to submit comments on blog posts via /api/content/posts/comments, enabling attacker-supplied JavaScript to execute in the victim’s browser (a browser-based XSS impact). The connected records confirm the vulnerability text across multi...
Friday Squid Blogging: Rhode Island's State Appetizer Is Calamari
Rhode Island has an official state appetizer, and it's calamari. Who knew? As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
‘DiceKeys’ Creates a Master Password for Life With One Roll
A new kit leaves your cryptographic destiny up to 25 cubes in a plastic box...
XenForo 2.1.10 Patch 2 Cross Site Scripting Vulnerability
Exploit for PHP platform in category web applications. Exploit Title: XenForo v2.1.10 Patch 2 Stored XSS. Author: Vincent666 ibn Winnie. Software Link: https://xenforo.com/demo/ Tested on: Windows 10. Web Browser: Mozilla Firefox. Blog: https://pentest-vincent.blogspot.com/ PoC...
vBulletin 5.6.2 Persistent Cross Site Scripting
Exploit Title: vBulletin 5.6.2 Stored XSS. Date: 15.08.2020. Author: Vincent666 ibn Winnie. Software Link: https://www.vbulletin.com/en/features/ Tested on: Windows 10. Web Browser: Mozilla Firefox. Blog: https://pentest-vincent.blogspot.com/ PoC:...
Threat Source newsletter for Aug. 13, 2020
Newsletter compiled by Jon Munshaw. Good afternoon, Talos readers. It’s really tough to attribute cyber attacks. We know it. You know it. But why is that, exactly? And why do we want to attribute attacks so badly anyway? In our latest blog post, we look at why attribution is challenging, and what...
The Furious Hunt for the MAGA Bomber
Scarred by trauma and devoted to Trump, a man began mailing explosives to the president’s critics on the eve of an election. Inside the race to catch him...
vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
Exploit Title: vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution. Date: 2020-08-09. Exploit Author: @zenofex. Vendor Homepage: https://www.vbulletin.com/ Software Link: None. Version: 5.4.5 through 5.6.2. Tested on: vBulletin 5.6.2 on Ubuntu 19.04. CVE: None. vBulletin 5.5.4 throu...
Threat Source newsletter for July 30, 2020
Newsletter compiled by Jon Munshaw. Good afternoon, Talos readers. Adversaries love to use headlines as part of their spam campaigns. From COVID-19, to Black Lives Matter and even Black Friday every year, the bad guys are wanting to capitalize on current events. Why is this the case, and when do...
Exploit for Incorrect Authorization in Moodle
CVE-2020-14321 Course enrolments allowed privilege escalation...
Friday Squid Blogging: Introducing the Seattle Kraken
The Kraken is the name of Seattle's new NFL franchise. I have always really liked collective nouns as sports team names like the Utah Jazz or the Minnesota Wild, mostly because it's hard to describe individual players. As usual, you can also use this squid post to talk about the security stories ...
Afternoon Cyber Tea: Peak, Plateau, or Plummet? Cyber security trends that are here to stay and how to detect and recover from ransomware attacks
The rapidity of change in the cyberthreat landscape can be daunting for today’s cyber defense teams. Just as they perfect the ability to block one attack method, adversaries change their approach. Tools like artificial intelligence and machine learning allow us to pivot quickly, however, knowing...
8x8: Open Redirect on [blog.wavecell.com]
The Wavecell Blog application was vulnerable to a URL redirect due to a filter that replaced every occurrence of // with /. F915989...
Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a Kubernetes API server security vulnerability (CVE-2019-11254)
Summary: Red Hat OpenShift on IBM Cloud is affected by a security vulnerability in the Kubernetes API server that could lead to a denial of service from malicious YAML payloads (CVE-2019-11254). Vulnerability Details: CVEID: CVE-2019-11254. Description: Kubernetes is vulnerable to a denia...
Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a Kubernetes controller manager security vulnerability (CVE-2020-8555)
Summary: Red Hat OpenShift on IBM Cloud is affected by a security vulnerability in the Kubernetes controller manager that could leak data to authorized users (CVE-2020-8555). Vulnerability Details: CVEID: CVE-2020-8555. Description: Kubernetes is vulnerable to server-side request forgery, caused by a...