892 matches found
CVE-2024-38354 Cross-site Scripting in Hackmd.io Notes led by HTML Injection
CodiMD allows realtime collaborative markdown notes on all platforms. The notebook feature of Hackmd.io permits the rendering of iframe HTML tags with an improperly sanitized name attribute. This vulnerability enables attackers to perform cross-site scripting (XSS) attacks via DOM clobbering. This...
CVE-2024-38354
CVE-2024-38354 affects CodiMD/HackMD.io notes, where the notebook feature allows rendering of iframe HTML tags with an improperly sanitized name attribute, enabling DOM clobbering-based XSS. The issue, fixed in version 2.5.4, impacts note collaboration environments that render untrusted HTML. No ...
Yokogawa FAST/TOOLS Security Breach
Yokogawa FAST/TOOLS is a real-time operations management and visualization software from Yokogawa Electric Corporation (Yokogawa), Japan. A security vulnerability exists in Yokogawa FAST/TOOLS versions R9.01 through R10.04, and Collaborative Information Server versions R1.01.00 through R1.03.00,...
PT-2024-3951 · Myoffice · Myoffice Sdk
Name of the Vulnerable Software and Affected Versions: New Cloud MyOffice SDK Collaborative Editing Server versions 2.2.2 through 2.8 Description: The issue is related to the implementation of the WOPI protocol in the MyOffice SDK, which lacks sufficient checking of incoming requests. This allows...
Five Core Tenets Of Highly Effective DevSecOps Practices
One of the enduring challenges of building modern applications is to make them more secure without disrupting high-velocity DevOps processes or degrading the developer experience. Today's cyber threat landscape is rife with sophisticated attacks aimed at all different parts of the software supply...
Apache Zeppelin Cross-Site Scripting Vulnerability (CNVD-2024-17939)
Apache Zeppelin is a Web-based open source notebook application from the Apache Foundation (USA). The program supports interactive data analysis and collaborative documentation. Apache Zeppelin suffers from a cross-site scripting vulnerability that stems from improper encoding or escaping, which can be...
Apache Zeppelin Input Validation Error Vulnerability (CNVD-2024-17934)
Apache Zeppelin is a Web-based open source notebook application from the Apache Foundation (USA). The program supports interactive data analysis and collaborative documentation. Apache Zeppelin suffers from an input validation error vulnerability that can be exploited by an attacker to view a server...
Apache Zeppelin Input Validation Error Vulnerability (CNVD-2024-17937)
Apache Zeppelin is a Web-based open source notebook application from the Apache Foundation (USA). The program supports interactive data analysis and collaborative documentation. Apache Zeppelin suffers from an input validation error vulnerability that can be exploited by an attacker to execute a...
Apache Zeppelin Code Execution Vulnerability
Apache Zeppelin is a Web-based open source notebook application from the Apache Foundation (USA). The program supports interactive data analysis and collaborative documentation. Apache Zeppelin has a code execution vulnerability that can be exploited by an attacker to execute shell scripts or malicio...
Apache Zeppelin Input Validation Error Vulnerability (CNVD-2024-17935)
Apache Zeppelin is a Web-based open source notebook application from the Apache Foundation (USA). The program supports interactive data analysis and collaborative documentation. Apache Zeppelin has an input validation error vulnerability that can be exploited by an attacker to cause a denial of servi...
Apache Zeppelin Security Bypass Vulnerability
Apache Zeppelin is a Web-based open source notebook application from the Apache Foundation (USA). The program supports interactive data analysis and collaborative documentation. Apache Zeppelin suffers from a security bypass vulnerability that can be exploited by an attacker to bypass authentication by...
File Upload Vulnerability in Zhiyuan A6-V5 Collaboration Management Software (CNVD-2024-22457)
Zhiyuan A6-V5 collaborative management software is a new-generation, large-scale collaborative office management suite that helps enterprises, institutions, government agencies, and social organizations of a single organizational type achieve batch delivery. A file upload vulnerabilit...
DzzOffice Cross-Site Scripting Vulnerability (CNVD-2024-15545)
DzzOffice is a platform that provides online collaborative office suite functionality from the American company Big Desk DzzOffice. The platform can be used to provide online documents, forms, webstores, presentations and other features. A cross-site scripting vulnerability exists in dzzoffice...
IBM Engineering Test Management Cross-Site Scripting Vulnerability (CNVD-2024-22228)
IBM Engineering Test Management is a collaborative quality management software from International Business Machines (IBM) that provides end-to-end test planning and test asset management to improve team efficiency. IBM Engineering Test Management suffers from a cross-site scripting vulnerability th...
IBM Rational Asset Manager Privilege Control Issue Vulnerability
IBM Rational Asset Manager is a collaborative software development tool from IBM, USA. Organizations can use it to identify, manage and govern the design, development and use of software assets and services. A privilege control issue vulnerability exists in IBM Rational Asset Manager version 7.5...
CVE-2023-50712
Summary (CVE-2023-50712): Iris-web prior to v2.3.7 contains a stored XSS vulnerability across multiple locations. An attacker must be authenticated to exploit, and injected scripts could execute when a user visits affected areas, potentially enabling unauthorized access or data theft. The issue i...
The malware, attacker trends and more that shaped the threat landscape in 2023
The 2023 Cisco Talos Year in Review is now available to download. Once again, the Talos team has meticulously combed through a massive amount of data to analyze the major trends that have shaped the threat landscape in 2023. Global conflict influenced a lot of these trends, altering the tactics a...
CISA, FBI, NSA, and Treasury Release Guidance on OSS in OT/ICS Environments
Today, CISA, the Federal Bureau of Investigation, the National Security Agency, and the U.S. Department of the Treasury released guidance on improving the security of open source software (OSS) in operational technology (OT) and industrial control systems (ICS). In alignment with CISA’s recently releas...
PT-2025-13292
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: A vulnerability in the Linux kernel has been resolved. The issue is related to the cpufreq component, specifically the CPPC (Collaborative Processor Performance Control) mechanism. The...
Code injection
Document operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected into an operation that would then be executed for users actively collaborating on the same document. Operation data exchanged between collaborating parties does now get...