
29 matches found

Tenable Nessus
added 2020/06/03 12:0 a.m. | 29 views

Dotnetnuke 3.1.x < 9.6.0 / 5.0.x < 9.6.0 / 6.0.x < 9.6.0 / 7.0.x < 9.6.0 Multiple Vulnerabilities (09.06.00)

According to its self-reported version, the instance of Dotnetnuke running on the remote web server is 3.1.x prior to 9.6.0, 5.0.x prior to 9.6.0, 6.0.x prior to 9.6.0, or 7.0.x prior to 9.6.0. It is, therefore, affected by multiple vulnerabilities. - Modules that were discarded to the recycle bi...

CVSS 9.8 | AI score 8.1 | EPSS 0.00072
Exploits: 0 | References: 2
Hacker One
added 2019/09/03 2:40 a.m. | 35 views

U.S. Dept Of Defense: Improper Neutralization of Input During Web Page Generation

Summary: Cross-site scripting (XSS) vulnerabilities occur when: 1. Untrusted data enters a web application, typically from a web request. 2. The web application dynamically generates a web page that contains this untrusted data. Description: Impact Once the malicious script is injected, the attacke...

AI score 0.5
Exploits: 0
Schneier on Security
added 2019/08/08 4:11 p.m. | 54 views

Supply-Chain Attack against the Electron Development Platform

Electron is a cross-platform development system for many popular communications apps, including Skype, Slack, and WhatsApp. Security vulnerabilities in the update system allow someone to silently inject malicious code into applications. From a news article: At the BSides LV security conference o...

AI score 6.7
Exploits: 0
Kitploit
added 2019/03/11 8:34 p.m. | 128 views

Acunetix Web Application Vulnerability Report 2019

Acunetix compiles an annual web application vulnerability report. The purpose of this report is to provide security experts and interested parties with an analysis of data on vulnerabilities gathered over the previous year. The 2019 report contains the results and analysis of vulnerabilities,...

AI score 7.7
Exploits: 0
Kitploit
added 2017/11/30 1:4 p.m. | 19 views

WhatWeb v0.4.9 - Next Generation Web Scanner

WhatWeb identifies websites. Its goal is to answer the question, “What is that Website?”. WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1700...

AI score 7.7
Exploits: 0 | References: 8
ThreatPost
added 2017/08/04 5:24 p.m. | 17 views

Attackers Use Typo-Squatting To Steal npm Credentials

Hackers seeking developer credentials used typo-squatting to spread malicious code via libraries hosted at the online repository npm. In all, 40 npm packages were found malicious and removed from the Node.js package management registry, according to npm. The attack involved a user named HackTask...

AI score 0.8
Exploits: 0 | References: 5
Hacker One
added 2017/06/18 4:12 p.m. | 271 views

Gratipay: CSP Policy Bypass and javascript execution

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. CSP provides a standard method for website owners to declare...

AI score 0.6
Exploits: 0
Hacker One
added 2016/06/02 5:9 a.m. | 15 views

LocalTapiola: DOM XSS bypassing in Regional Office -selector

Issue A previous report https://hackerone.com/reports/127077 led the reporter to do some further investigation. During the investigation, a DOM XSS was found in one of the javascript libraries used on www.lahitapiola.fi. The report contained a brief PoC and a screenshot as proof. Fix The issue wa...

AI score 6.1
Exploits: 0
Kitploit
added 2015/05/05 11:10 p.m. | 12 views

wig - WebApp Information Gatherer

wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications. The application fingerprinting is based on checksums and string matching of known files for different versions of CMSes. This results in a score being...

AI score 7
Exploits: 0 | References: 1