CVE-2025-64387 CLICKJACKING

The web application is vulnerable to a so-called ‘clickjacking’ attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making them enter their login...

CVE-2024-7654 Unauthenticated Content Injection in OpenEdge Management web interface via ActiveMQ discovery service

An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated. Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other...

CVE-2024-7654

The CVE affects Progress OpenEdge Management with OEE/OEM auto-discovery, where the ActiveMQ Discovery service was reachable by default. Unauthorized access to the discovery service’s UDP port allowed content injection into parts of the OEM web interface, enabling potential user deception. Public...

CVE-2024-30109

HCL DRYiCE AEX is impacted by a lack of clickjacking protection in the AEX web application. An attacker can use multiple transparent or opaque layers to trick a user into clicking on a button or link on another page than the one intended...

CVE-2024-4839 CSRF in Servers Configurations in parisneo/lollms-webui

A Cross-Site Request Forgery CSRF vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service under construction, XTTS service, Petals service, vLLM service, and Motion Ctrl service,...

Malware Delivery via Cloud Services Exploits Unicode Trick to Deceive Users

A new attack campaign dubbed CLOUDREVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads. "The VBScript and PowerShell scripts in the CLOUDREVERSER inherently involves command-and-control-like activities by using Google...

GHSA-7V7M-PCW5-H3CG Pusher Service Channel Authentication Bypass

The service offered by Pusher provides "private" channels with an authentication mechanism that restricts subscription access. The decision on allowing subscriptions to private channels is delegated to customers, who implement an authentication endpoint. End-users request a token from this endpoi...

CVE-2024-3911 Welotec: Clickjacking Vulnerability in WebUI

An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames...

CVE-2024-3911 Welotec: Clickjacking Vulnerability in WebUI

An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames...

PT-2024-28350 · Welotec · Smart Ems +2

Name of the Vulnerable Software and Affected Versions: Software affected versions not specified Description: An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames. Recommendations: At the moment, there i...

Cross-site Scripting (XSS)

hoteldruid is vulnerable to Cross-site Scripting XSS. The attacker can inject and execute malicious JavaScript code into the affected webpage's parameters. This could be used to deceive users on their browsers and/or exfiltrate data from the affected system...

Mozilla’s ‘Track This’ lets you choose fake identity to deceive advertisers

By Waqas Track This is a new kind of incognito, says Mozilla. It is a fact that everything that you do on the Internet such as using Facebook or Twitter, online shopping or aimlessly surfing the web, is being tracked. Haven’t you noticed that as soon as you search for something, ads relevant to t...

New Google Chrome mobile phishing scam can steal private data

By Uzair Amir Google Chrome’s mobile browser has been targeted with a relatively simple phishing technique by developer Jim Fisher. According to Fisher, the exploit involves tricking victims into handing over their private information by manipulating the trusted websites of the user. By using a...

ESPCMS v5. 0 to bypass the administrator login EXP-vulnerability warning-the black bar safety net

Publishing author: sub-meter Vulnerability type: cookies cheat Vulnerability analysis: the background of the page there is cookie authentication vulnerability can be deceiving into the background. EXP: ? function eccode$string, $operation='DECODE', $key='@LFK24s224%@safS3s%1f%' $result = "; if...