5124 matches found

Tenable Nessus
added 2022/03/22 12:0 a.m., 47 views

openSUSE 15 Security Update : MozillaThunderbird (openSUSE-SU-2022:0906-1)

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:0906-1 advisory. - An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash...

9.6 CVSS, 7.6 AI score, 0.00931 EPSS
Exploits 4, References 12

Tenable Nessus
added 2022/03/22 12:0 a.m., 39 views

Debian DLA-2961-1 : thunderbird - LTS security update

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2961 advisory. Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code or information disclosure. For Debian 9 stretch, the...

9.6 CVSS, 7.6 AI score, 0.00931 EPSS
Exploits 4, References 13

Tenable Nessus
added 2022/03/22 12:0 a.m., 42 views

SUSE SLED15 / SLES15 Security Update : MozillaThunderbird (SUSE-SU-2022:0906-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:0906-1 advisory. - An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a...

9.6 CVSS, 7.6 AI score, 0.00931 EPSS
Exploits 4, References 12

ThreatPost
added 2022/03/21 11:57 p.m., 330 views

Browser-in-the-Browser Attack Makes Phishing Nearly Invisible

We’ve had it beaten into our brains: Before you go willy-nilly clicking on a page, check the URL. First things first, the tried-and-usually-but-not-always-true advice goes, check that the site’s URL shows “https,” indicating that the site is secured with TLS/SSL encryption. If only it were that eas...

8.4 AI score
Exploits 0, References 16

NVD
added 2022/03/21 3:15 p.m., 13 views

CVE-2020-24772

In Dreamacro Clash for Windows v0.11.4, an attacker could embed a malicious iframe in a website with a crafted URL that would launch the Clash Windows client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relaye...

8.8 CVSS, 0.00634 EPSS
Exploits 1, References 1

Cvelist
added 2022/03/21 2:48 p.m., 24 views

CVE-2020-24772

In Dreamacro Clash for Windows v0.11.4, an attacker could embed a malicious iframe in a website with a crafted URL that would launch the Clash Windows client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relaye...

8.9 AI score, 0.00634 EPSS
Exploits 1, References 1

OSV
added 2022/03/21 8:47 a.m., 6 views

SUSE-SU-2022:0906-1 Security update for MozillaThunderbird

This update for MozillaThunderbird fixes the following issues: Updated to version 91.7 bsc1196900: - CVE-2022-26381: Fixed an invalid memory access due to text reflow when SVG objects were present. - CVE-2022-26383: Fixed an issue where, when resizing a popup after requesting fullscreen access, t...

9.6 CVSS, 6.7 AI score, 0.00931 EPSS
Exploits 4, References 7

CNNVD
added 2022/03/21 12:0 a.m., 6 views

Github clash access control error vulnerability

Github clash is a rule-based tunnel in Go. A security vulnerability exists in Github clash, which can be exploited by embedding a malicious iframe page into a website with a crafted URL that launches the Clash Windows client and forces it to open a remote SMB share. Windows will perform NTLM...

8.8 CVSS, 8.2 AI score, 0.00634 EPSS
Exploits 1, References 2

Hacker One
added 2022/03/17 9:24 a.m., 13 views

TikTok: XSS and iframe injection on tiktok ads portal using redirect params

A Cross-Site Scripting XSS vulnerability was found on a TikTok Ads endpoint via the "redirect" parameter. We thank @cancerz for reporting this to our team...

2.1 AI score
Exploits 0

Tenable Nessus
added 2022/03/17 12:0 a.m., 44 views

openSUSE 15 Security Update : MozillaFirefox (openSUSE-SU-2022:0821-1)

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:0821-1 advisory. - An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash...

9.6 CVSS, 7.6 AI score, 0.00931 EPSS
Exploits 4, References 12

Tenable Nessus
added 2022/03/17 12:0 a.m., 51 views

Ubuntu 18.04 LTS / 20.04 LTS : Firefox vulnerabilities (USN-5321-2)

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5321-2 advisory. USN-5321-1 fixed vulnerabilities in Firefox. The update didn't include arm64 because of a regression. This update provides the corresponding...

9.6 CVSS, 7.3 AI score, 0.00931 EPSS
Exploits 5, References 8

Github Security Blog
added 2022/03/16 12:0 a.m., 26 views

Stored Cross-site Scripting vulnerability in Jenkins Dashboard View Plugin

Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure views. Dashboard View Plugin 2.18.1 performs URL validation for the...

5.4 CVSS, 1.6 AI score, 0.00792 EPSS
Exploits 0, References 5, Affected Software 1

CNVD
added 2022/03/16 12:0 a.m., 22 views

Sylius has an unspecified vulnerability (CNVD-2022-22317)

Sylius is an open source e-commerce platform based on the Symfony framework from the Polish company Sylius. Sylius has a security vulnerability that stems from the possibility that an attacker-controlled page could load the website in an iframe. This would enable a clickjacking attack where an...

6.1 CVSS, 3 AI score, 0.00871 EPSS
Exploits 0, References 1

ATTACKERKB
added 2022/03/15 5:15 p.m., 3 views

CVE-2022-27197

Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure views...

5.4 CVSS, 5.8 AI score, 0.00792 EPSS
Exploits 0, References 3

NVD
added 2022/03/15 5:15 p.m., 20 views

CVE-2022-27197

Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure views...

5.4 CVSS, 0.00792 EPSS
Exploits 0, References 2

OSV
added 2022/03/15 5:15 p.m., 19 views

CVE-2022-27197

Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure views...

5.4 CVSS, 5.3 AI score
Exploits 0, References 2

Prion
added 2022/03/15 5:15 p.m., 14 views

Cross site scripting

Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure views...

3.5 CVSS, 5.2 AI score, 0.00792 EPSS
Exploits 0, References 2, Affected Software 1

Cvelist
added 2022/03/15 4:45 p.m., 41 views

CVE-2022-27197

Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure views...

6.1 AI score, 0.00792 EPSS
Exploits 0, References 2

Microsoft CVE
added 2022/03/15 7:0 a.m., 3 views

Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.

...

4.3 CVSS, 5.2 AI score, 0.01218 EPSS
Exploits 0

Veracode
added 2022/03/15 6:12 a.m., 27 views

Click Jacking

sylius/sylius is vulnerable to click-jacking attacks. An attacker can avoid login forms and load the malicious website within an iframe due to the missing HTTP headers...

6.1 CVSS, 1.9 AI score, 0.00871 EPSS
Exploits 0, References 6, Affected Software 1