3250 matches found
Living Off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight
Regular readers of our monthly ransomware review (read our April edition here) know that Ransomware-as-a-Service (RaaS) gangs have been making headlines globally with their disruptive attacks on organizations. Sometimes, though, it's not enough to merely know about the problem. In order to truly...
PT-2023-21172 · Sap · Sap Diagnostic Agent
Name of the Vulnerable Software and Affected Versions: SAP Diagnostics Agent version 720 Description: The EventLogServiceCollector of SAP Diagnostics Agent is affected by missing authentication and input sanitization of code, allowing an attacker to execute malicious scripts on all connected...
CVE-2023-29016
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when using nicknames. An attacker could create a user account and enter malicious scripts int...
CVE-2023-29016 Goobi viewer Core has Cross-Site Scripting Vulnerability in User Nicknames
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when using nicknames. An attacker could create a user account and enter malicious scripts int...
WordPress Plugin DupeOff Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting vulnerabilit...
CVE-2023-22249 Adobe Commerce Stored XSS Arbitrary code execution
Adobe Commerce versions 2.4.4-p2 and earlier and 2.4.5-p1 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s...
PT-2023-14764 · Fabian Von Allmen · Wp Calendar
Name of the Vulnerable Software and Affected Versions: Fabian von Allmen WP Calendar plugin versions prior to 1.5.4 Description: The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability. This type of vulnerability allows an attacker to inject malicious scripts into content from...
PT-2023-16176 · Talent · Talent Software Unis
Name of the Vulnerable Software and Affected Versions: Talent Software UNIS versions prior to 28376 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Reflected XSS. This can be exploited by injecting...
Tags Cloud Manager <= 1.0.0 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against ??? high privilege users such as admin|only unauthenticated users...
Cross Site Scripting (XSS) in Assets
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the "Display title" Input. PoC alertdocument.location Details Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website...
CVE-2022-45441
A cross-site scripting (XSS) vulnerability in Zyxel NBG-418N v2 firmware versions prior to V1.00AARP.13C0, which could allow an attacker to store malicious scripts in the Logs page of the GUI on a vulnerable device. A successful XSS attack could force an authenticated user to execute the stored...
CVE-2022-39060
ChangingTech MegaServiSignAdapter component has a vulnerability of improper input validation. An unauthenticated remote attacker can exploit this vulnerability to access and modify HKEY_CURRENT_USER subkey (ex: AutoRUN) in Registry where malicious scripts can be executed to take control of the system...
PT-2023-16016 · Unknown · Usememos/Memos
Name of the Vulnerable Software and Affected Versions: usememos/memos versions prior to 0.10.0 Description: The issue is related to Cross-site Scripting (XSS) - Stored, which occurs in the GitHub repository usememos/memos. This type of attack allows an attacker to inject malicious scripts into a...
Adobe Experience Manager Cross-Site Scripting Vulnerability
Adobe Experience Manager (AEM) is a content management solution from Adobe that can be used to build websites, mobile applications and forms. The solution supports mobile content management, marketing and sales campaign management, and multi-site management, etc. A cross-site scripting vulnerabilit...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via maliciously crafted data URIs, due to improper user input sanitization in the scrubattribute function. PoC ruby def testsanitizedataprotocol text = '- XSS- XSS' scopeallowedtags %wiframe do...
Cross site scripting
Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application...
CVE-2022-3853 Supra CSV <= 4.0.3 - Stored Cross-Site Scripting via CSRF
Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application...
PT-2022-24438 · WordPress +1 · Supra-Csv-Parser
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by...
Reflect Cross Site Scripting
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept Go to your web phpmyfaq and visit below URL. Exploit URL:...