2179 matches found

FireEye
added 2017/11/28 7:0 p.m. | 9 views

Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection

Introduction: TLS (Thread Local Storage) callbacks are provided by the Windows operating system to support additional initialization and termination for per-thread data structures. As previously reported, malicious TLS callbacks, as an anti-analysis trick, have been observed for quite some time and...

AI score: 7.5
Exploits: 0 | References: 2

OSV
added 2017/11/15 7:44 p.m. | 24 views

GHSA-7QCX-JMRC-H2RR Cross-Site Scripting in keystone

Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize user input on the Contact Us page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded leading an admin that open...

CVSS: 6.1 | AI score: 5.5 | EPSS: 0.03415
Exploits: 5 | References: 10

Veracode
added 2017/10/17 5:49 a.m. | 13 views

Cross-site Scripting (XSS)

simplesamlphp is vulnerable to cross-site scripting (XSS) attacks. A malicious user can inject and execute a malicious JavaScript document through the URL when the URL is being redirected...

AI score: 5.8
Exploits: 0

Prion
added 2017/10/13 5:29 p.m. | 11 views

Cross site scripting

A persistent site scripting vulnerability in Juniper Networks Junos Space allows users who can change certain configuration to implant malicious JavaScript or HTML which may be used to steal information or perform actions as other Junos Space users or administrators. Affected releases are Juniper...

CVSS: 6 | AI score: 7.2 | EPSS: 0.01289
Exploits: 0 | References: 2 | Affected Software: 1

CNVD
added 2017/09/26 12:0 a.m. | 3 views

Stored Cross-Site Scripting Vulnerability in PlayStation Live App

Playcaster Live App is a short video live interactive application. Playcafe Live App has a stored cross-site scripting vulnerability that allows an attacker to insert malicious js code into the page to obtain user cookies and other information...

AI score: 6.3
Exploits: 0

CNVD
added 2017/09/26 12:0 a.m. | 2 views

Stored Cross-Site Scripting Vulnerability in Vienna Hotel App

Vienna Hotel App is a hotel booking software officially launched by Vienna Hotel. Vienna Hotel App has a stored cross-site scripting vulnerability that allows an attacker to insert malicious js code into a page to obtain information such as user cookies...

AI score: 6.1
Exploits: 0

ThreatPost
added 2017/09/01 9:0 a.m. | 15 views

US Government Site Was Hosting Ransomware

As recently as Wednesday afternoon, a U.S. government website was hosting a malicious JavaScript downloader that led victims to installations of Cerber ransomware. Researcher Ankit Anubhav of NewSky Security tweeted the discovery Wednesday, and within hours, the malware link was taken down. It’s...

AI score: 0.1
Exploits: 0 | References: 14

ThreatPost
added 2017/08/24 2:15 p.m. | 6 views

Adware Spreading Via Social Engineering, Facebook Messenger

Attackers have taken to Facebook Messenger with a combination of social engineering and malicious JavaScript to spread adware, something that’s likely earning them a small chunk of change in the process. David Jacoby, a senior security researcher with Kaspersky Lab’s Global Research & Analysis...

AI score: 0.1
Exploits: 0 | References: 9

Veracode
added 2017/08/21 10:14 a.m. | 16 views

Cross-site Scripting (XSS)

spring-batch-admin is vulnerable to cross-site scripting (XSS) attacks. A malicious user can inject and execute malicious JavaScript through the file upload function...

CVSS: 5.4 | AI score: 5.4 | EPSS: 0.00644
Exploits: 0 | References: 4 | Affected Software: 1

CNVD
added 2017/08/13 12:0 a.m. | 2 views

DOM Cross-Site Scripting Vulnerability in UFIDA U8+ Financial System

UFIDA U8+ is a fine financial software. A stored cross-site scripting vulnerability exists in the UFIDA U8+ financial system. It allows an attacker to insert malicious js code into a page to obtain user cookies and other information, leading to user hijacking...

AI score: 6.3
Exploits: 0

Check Point Advisories
added 2017/08/09 12:0 a.m. | 1 views

Suspicious Credential Harvesting

Compromised websites injected with malicious JavaScript have been identified. Successful exploitation could result in remote code execution on the target system once the malicious page is loaded, leading to credential harvesting...

AI score: 2.6
Exploits: 0

NVD
added 2017/06/23 1:29 p.m. | 15 views

CVE-2017-3948

Cross Site Scripting (XSS) in IMG Tags in the ePO extension in McAfee Data Loss Prevention Endpoint (DLP Endpoint) 10.0.x allows authenticated users to inject arbitrary web script or HTML via injecting malicious JavaScript into a user's browsing session...

CVSS: 5.4 | AI score: 5.2 | EPSS: 0.00511
Exploits: 0 | References: 1

ThreatPost
added 2017/04/12 4:0 p.m. | 17 views

Phone Hack Uses Sensors To Steal PINs

University researchers have created a method to steal a smartphone user’s PIN by leveraging sensor data generated by the targeted phone. Researchers say the method has a 74 percent success rate when it comes to accurately determining four-digit PIN data inputted by a phone’s owner. Researchers fr...

AI score: 7
Exploits: 0 | References: 2

exploitpack
added 2017/03/01 12:0 a.m. | 24 views

WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting

WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting. Source: https://sumofpwn.nl/advisory/2016/persistentcrosssitescriptinginthewordpressnewstatpressplugin.html Abstract: A persistent Cross-Site Scripting (XSS) vulnerability has been found in the WordPress NewStatPress plugin. By using this...

Exploits: 0

Hacker One
added 2016/12/21 3:42 a.m. | 13 views

U.S. Dept Of Defense: Remote File Inclusion, Malicious File Hosting, and Cross-site Scripting (XSS) in ████████

Details: There is currently a security misconfiguration on plain.php function located on the host http://██████████/ allowing attackers to include webserver contents of their choosing no restriction on filetypes and/or IP addresses, as well as embed malicious javascript payloads in the response v...

AI score: 0.4
Exploits: 0

The Hacker News
added 2016/11/21 6:52 a.m. | 13 views

Spammers using Facebook Messenger to Spread Locky Ransomware

If you came across any Facebook Message with an image file (exactly .SVG file format) sent by any of your Facebook friends, just avoid clicking it. An ongoing Facebook spam campaign is spreading malware downloader among Facebook users by taking advantage of innocent-looking SVG image file to infect...

AI score: 6.8
Exploits: 0

Exploit DB
added 2016/11/08 12:0 a.m. | 43 views

WordPress Plugin WassUp Real Time Analytics 1.9 - Persistent Cross-Site Scripting

Source: https://sumofpwn.nl/advisory/2016/persistentcrosssitescriptinginwassuprealtimeanalyticswordpressplugin.html Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress Plugin. Abstract: A stored Cross-Site Scripting (XSS) vulnerability has been found in the WassUp Real Time...

AI score: 7
Exploits: 0

CNVD
added 2016/10/19 12:0 a.m. | 2 views

XSS Vulnerability in NetEase Email Master Client PC Version

NetEase Mail Master client is a universal email client launched by NetEase 163. An XSS vulnerability exists in the PC version Ver2.4.1.8 of the NetEase Mail Master client. It allows attackers to insert malicious js code into the page to obtain user cookies and other information, leading to user...

AI score: 6.5
Exploits: 0 | References: 1

0day.today
added 2016/07/11 12:0 a.m. | 45 views

WordPress Activity Log 2.3.1 Plugin - Persistent Cross-Site Scripting

Exploit for php platform in category web applications. Persistent Cross-Site Scripting in WordPress Activity Log plugin. Han Sahin. Abstract: A stored Cross-Site Scripting (XSS) vulnerability has been found in the WordPress Activity Log plugin. By using this vulnerability an attacker can inject malicio...

AI score: 7.1
Exploits: 0

ThreatPost
added 2016/04/21 1:8 p.m. | 23 views

Adobe Analytics AppMeasurement for Flash Library Patch

Adobe today patched a vulnerability in the Adobe Analytics AppMeasurement for Flash library, which can be added to Flash projects to measure the usage of Flash-based content. The vulnerability is a DOM-based cross-site scripting flaw that can be abused for cookie theft, said researcher Randy...

CVSS: 4.3 | EPSS: 0.01588
Exploits: 0 | References: 4