5123 matches found
stream.beritasatumedia.com IFRAME Injection vulnerability
Open Bug Bounty ID: OBB-1087552 Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website...
CVE-2019-10779
All versions of stroom:stroom-app before 5.5.12 and all versions of the 6.0.0 branch before 6.0.25 are affected by Cross-site Scripting. An attacker website is able to load the Stroom UI into a hidden iframe. Using that iframe, the attacker site can issue commands to the Stroom UI via an XSS...
Cross-site Scripting (XSS)
Overview stroom:stroom-app is a highly scalable data storage, processing and analysis platform Affected versions of this package are vulnerable to Cross-site Scripting XSS. An attacker website is able to load the Stroom UI into a hidden iframe. Using that iframe, the attacker site can issue...
Red Hat Keycloak Cross-Site Scripting Vulnerability (CNVD-2020-01944)
Red Hat Keycloak is a suite of software from Red Hat, Inc. that provides authentication and management capabilities for modern applications and services. A cross-site scripting vulnerability exists in the login-status-iframe.html page in Red Hat Keycloak, which stems from a lack of proper...
CVE-2019-19788
Opera for Android before 54.0.2669.49432 is vulnerable to a sandboxed cross-origin iframe bypass attack. By using a service working inside a sandboxed iframe it is possible to bypass the normal sandboxing attributes. This allows an attacker to make forced redirections without any user interaction...
Design/Logic Flaw
Opera for Android before 54.0.2669.49432 is vulnerable to a sandboxed cross-origin iframe bypass attack. By using a service working inside a sandboxed iframe it is possible to bypass the normal sandboxing attributes. This allows an attacker to make forced redirections without any user interaction...
CVE-2019-19788
Opera for Android up to version 54.0.2669.49432 is vulnerable to a sandboxed cross-origin iframe bypass. The issue arises when a service running inside a sandboxed iframe bypasses the browser’s sandbox attributes, enabling forced redirections from a third‑party context without user interaction. A...
boneprice.com IFRAME Injection vulnerability
Open Bug Bounty ID: OBB-1040238 Security Researcher MajorInfluenza Helped patch 120 vulnerabilities Received 2 Coordinated Disclosure badges, a holder of 2 badges for responsible and coordinated disclosure, found a security vulnerability affecting boneprice.com website and its users. Following...
Bypass a restriction in OfA 54 – Opera Security Advisories
Opera for Android before 54.0.2669.49432 is vulnerable to a sandboxed cross-origin iframe bypass attack. By using a service working inside a sandboxed iframe it is possible to bypass the normal sandboxing attributes. This allows an attacker to make forced redirections without any user interaction...
PUBG: RXSS to Stored XSS - forums.pubg.com | URL parameter
René Kroka found a Reflected XSS vulnerability that could be chained to a Stored XSS attack in the Invision Community forums software used by PUBG. By crafting a malicious URL the attacker is able to trigger JavaScript to execute on their own page; known as Reflected XSS. The attacker then create...
find.youropia.gr IFRAME Injection vulnerability
Open Bug Bounty ID: OBB-1036951 Security Researcher MajorInfluenza Helped patch 120 vulnerabilities Received 2 Coordinated Disclosure badges, a holder of 2 badges for responsible and coordinated disclosure, found a security vulnerability affecting find.youropia.gr website and its users. Followin...
dailygood.org IFRAME Injection vulnerability
Open Bug Bounty ID: OBB-1036913 Security Researcher MajorInfluenza Helped patch 120 vulnerabilities Received 2 Coordinated Disclosure badges, a holder of 2 badges for responsible and coordinated disclosure, found a security vulnerability affecting dailygood.org website and its users. Following...
Design/Logic Flaw
JBoss KeyCloak: XSS in login-status-iframe.html...
CVE-2014-3656
CVE-2014-3656 corresponds to a JBoss KeyCloak cross-site scripting (XSS) in the login-status-iframe.html page. Public advisories describe that if a Keycloak deployment allows '*' as a permitted web origin in the admin console, crafted requests to login-status-iframe.html can inject arbitrary Java...
There’s an app for that: web skimmers found on PaaS Heroku
Criminals love to abuse legitimate services—especially platform-as-a-service (PaaS) cloud providers—as they are a popular and reliable hosting commodity used to support both business and consumer ventures. Case in point, in April 2019 we documented a web skimmer served on code repository GitHub...
Microsoft OAuth Flaw Opens Azure Accounts to Takeover
A vulnerability in the way Microsoft applications use OAuth for third-party authentication could allow an attacker to take over Azure cloud accounts. OAuth is a protocol that allows app users to share data about their accounts with third-party websites or apps, so that when they sign into the app...
Security update for webkit2gtk3 (important)
openSUSE Security Update: Security update for webkit2gtk3 Announcement ID: openSUSE-SU-2019:2587-1 Rating: important References: 1155321 1156318 Cross-References: CVE-2019-8551 CVE-2019-8558 CVE-2019-8559 CVE-2019-8563 CVE-2019-8625 CVE-2019-8674 CVE-2019-8681 CVE-2019-8684 CVE-2019-8686...