
5123 matches found

OPENSUSE Linux
added 2019/11/30 12:0 a.m. | 153 views

Security update for webkit2gtk3 (important)

openSUSE Security Update: Security update for webkit2gtk3 Announcement ID: openSUSE-SU-2019:2587-1 Rating: important References: 1155321 1156318 Cross-References: CVE-2019-8551 CVE-2019-8558 CVE-2019-8559 CVE-2019-8563 CVE-2019-8625 CVE-2019-8674 CVE-2019-8681 CVE-2019-8684 CVE-2019-8686...

9.3 CVSS | 6.5 AI score | 0.12955 EPSS
Exploits: 10 | References: 2
Tenable Nessus
added 2019/11/26 12:0 a.m. | 50 views

SUSE SLED15 / SLES15 Security Update : webkit2gtk3 (SUSE-SU-2019:3044-1)

This update for webkit2gtk3 to version 2.26.2 fixes the following issues : Webkit2gtk3 was updated to version 2.26.2 WSA-2019-0005 and WSA-2019-0006, bsc1155321 bsc1156318 Security issues addressed : CVE-2019-8625: Fixed a logic issue whereby processing maliciously crafted web content may lead t...

9.3 CVSS | 6.5 AI score | 0.12955 EPSS
Exploits: 10 | References: 87
Cvelist
added 2019/11/22 6:26 p.m. | 27 views

CVE-2019-16763 XSS in Pannellum from 2.5.0 through 2.5.4

In Pannellum from 2.5.0 through 2.5.4 URLs were not sanitized for data URIs or vbscript:, allowing for potential XSS attacks. Such an attack would require a user to click on a hot spot to execute and would require an attacker-provided configuration. The most plausible potential attack would be if...

4.8 CVSS | 6.1 AI score | 0.00697 EPSS
Exploits: 0 | References: 2
OSV
added 2019/11/14 4:58 p.m. | 11 views

MGASA-2019-0324 Updated webkit2 packages fix security vulnerabilities

Updated webkit2 packages fix security vulnerabilities: Processing maliciously crafted web content may lead to universal cross site scripting CVE-2019-8625, CVE-2019-8674, CVE-2019-8719, CVE-2019-8813 Processing maliciously crafted web content may lead to arbitrary code execution CVE-2019-8707,...

9.3 CVSS | 6.6 AI score | 0.09621 EPSS
Exploits: 4 | References: 8
CNVD
added 2019/11/06 12:0 a.m. | 3 views

Unspecified Vulnerability in Apple iOS WebKit Component

Apple iOS is an operating system developed by Apple for mobile devices, of which WebKit is a component of the Web browser engine. A security vulnerability exists in the WebKit component in versions of Apple iOS prior to 13, which can be exploited by attackers to violate iframe sandboxing policies...

6.1 CVSS | 8.5 AI score | 0.00991 EPSS
Exploits: 0 | References: 1
Tenable Nessus
added 2019/11/06 12:0 a.m. | 28 views

Mozilla Firefox ESR < 24.7 Multiple Vulnerabilities

Binary data 701246.prm...

10 CVSS | 9.6 AI score | 0.06109 EPSS
Exploits: 0 | References: 23
Tenable Nessus
added 2019/11/06 12:0 a.m. | 59 views

Debian DSA-4558-1 : webkit2gtk - security update

Several vulnerabilities have been discovered in the webkit2gtk web engine : - CVE-2019-8625 Sergei Glazunov discovered that maliciously crafted web content may lead to universal cross site scripting. - CVE-2019-8720 Wen Xu discovered that maliciously crafted web content may lead to arbitrary code...

8.8 CVSS | 6.5 AI score | 0.01556 EPSS
Exploits: 0 | References: 11
Debian
added 2019/11/04 10:6 p.m. | 81 views

[SECURITY] [DSA 4558-1] webkit2gtk security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4558-1 [email protected] https://www.debian.org/security/ Alberto Garcia November 04, 2019 https://www.debian.org/security/faq -...

8.8 CVSS | 8.5 AI score | 0.01556 EPSS
Exploits: 0
OSV
added 2019/11/01 12:0 a.m. | 3 views

UBUNTU-CVE-2019-8771

This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in Safari 13.0.1, iOS 13. Maliciously crafted web content may violate iframe sandboxing policy...

6.1 CVSS | 6.8 AI score | 0.00991 EPSS
Exploits: 0 | References: 4
UbuntuCve
added 2019/11/01 12:0 a.m. | 35 views

CVE-2019-8771

This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in Safari 13.0.1, iOS 13. Maliciously crafted web content may violate iframe sandboxing policy...

6.1 CVSS | 6.8 AI score | 0.00991 EPSS
Exploits: 0 | References: 3
RedhatCVE
added 2019/10/09 9:31 a.m. | 21 views

CVE-2017-7787

Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure. This vulnerability affects Thunderbird 52.3, Firefox ESR 52.3, and Firefox 55...

7.5 CVSS | 1.9 AI score | 0.02376 EPSS
Exploits: 1 | References: 2
Hacker One
added 2019/10/08 4:27 p.m. | 22 views

New Relic: Cross-account stored XSS at embedded charts

Hey team, I've discovered one more stored XSS, this one is at the embedded chart page. Steps to reproduce 1 Sign into NR, navigate to any Mobile app - Interactions 2 Click ... near any chart, then choose Embed. Select OK at the confirm box. 3 Intercept the chart embedding POST request: http POST...

6 AI score
Exploits: 0
Carbon Black Blog
added 2019/10/07 4:0 p.m. | 62 views

Using MixMode and Carbon Black to Spot a Watering Hole Attack

For those not familiar with watering hole attacks, they are attacks on a specific place—such as a restaurant—that many people visit. They generally involve malicious code being injected into an iframe on the company’s website. In the case of a restaurant, for example, the online menu would be a...

0.1 AI score
Exploits: 0
ThreatPost
added 2019/10/01 11:27 a.m. | 78 views

Malvertising Attack Hijacks 1B+ Sessions With Webkit Exploit

Researchers have discovered a new wave of attacks launched by the threat group eGobbler where victims are redirected to websites with malicious payloads. Security experts believe eGobbler was behind this year’s prolific Easter malvertising attack. This time, more than 1 billion ad impressions wer...

0.3 AI score
Exploits: 0 | References: 9
exploitpack
added 2019/10/01 12:0 a.m. | 24 views

WebKit - UXSS Using JavaScript: URI and Synchronous Page Loads

WebKit - UXSS Using JavaScript: URI and Synchronous Page Loads VULNERABILITY DETAILS void DocumentWriter::replaceDocumentconst String& source, Document ownerDocument ... beginmframe-document-url, true, ownerDocument; // 1 // begin might fire an unload event, which will result in a situation where...

7.4 AI score
Exploits: 0
0day.today
added 2019/10/01 12:0 a.m. | 53 views

WebKit - UXSS Using JavaScript: URI and Synchronous Page Loads Exploit

VULNERABILITY DETAILS void DocumentWriter::replaceDocumentconst String& source, Document ownerDocument ... beginmframe-document-url, true, ownerDocument; // 1 // begin might fire an unload event, which will result in a situation where no new document has been attached, // and the old document has...

7.4 AI score
Exploits: 0
Exploit DB
added 2019/10/01 12:0 a.m. | 240 views

WebKit - UXSS Using JavaScript: URI and Synchronous Page Loads

VULNERABILITY DETAILS void DocumentWriter::replaceDocumentconst String& source, Document ownerDocument ... beginmframe-document-url, true, ownerDocument; // 1 // begin might fire an unload event, which will result in a situation where no new document has been attached, // and the old document has...

7.4 AI score
Exploits: 0
VulnCheck KEV
added 2019/09/30 12:0 a.m. | 3 views

VulnCheck KEV: CVE-2019-8771

This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in Safari 13.0.1, iOS 13. Maliciously crafted web content may violate iframe sandboxing policy...

6.1 CVSS | 6.7 AI score | 0.00991 EPSS
Exploits: 0 | References: 1
OSV
added 2019/09/18 5:15 p.m. | 2 views

CVE-2019-1975

A vulnerability in the web-based interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to execute a cross-frame scripting (XFS) attack on an affected device. This vulnerability is due to insufficient HTML iframe protection. An attacker could exploit this vulnerabilit...

6.1 CVSS | 6.6 AI score | 0.01206 EPSS
Exploits: 0 | References: 1
Prion
added 2019/09/18 5:15 p.m. | 14 views

Hardcoded credentials

A vulnerability in the web-based interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to execute a cross-frame scripting (XFS) attack on an affected device. This vulnerability is due to insufficient HTML iframe protection. An attacker could exploit this vulnerabilit...

4.3 CVSS | 6.2 AI score | 0.01206 EPSS
Exploits: 0 | References: 1 | Affected Software: 5