12 matches found
EUVD-2023-58005
Malicious code in bioql PyPI...
CVE-2023-5718
The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard postMessage API. By creating a malicious web page with an iFrame targeting a sensitive resource (i.e. a locally accessible file or sensitive website), and registering a listener on the web...
CVE-2023-5718
The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard postMessage API. By creating a malicious web page with an iFrame targeting a sensitive resource (i.e. a locally accessible file or sensitive website), and registering a listener on the web...
Code injection
The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard postMessage API. By creating a malicious web page with an iFrame targeting a sensitive resource (i.e. a locally accessible file or sensitive website), and registering a listener on the web...
CVE-2023-5718
The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard postMessage API. By creating a malicious web page with an iFrame targeting a sensitive resource (i.e. a locally accessible file or sensitive website), and registering a listener on the web...
CVE-2023-5718
The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard postMessage API. By creating a malicious web page with an iFrame targeting a sensitive resource (i.e. a locally accessible file or sensitive website), and registering a listener on the web...
PostMessage Wildcard Target Origin Detected
Web applications relying on JavaScript often need to perform cross-origin communication between Window objects such as a page and an embedded iframe or a popup window. The postMessage API allows developers to circumvent the same-origin policy restrictions in order to exchange data between scripts...
Imperva Red Team Discovers Vulnerability in TikTok That Can Reveal User Activity and Information
TL;DR: The Imperva Red Team discovered a vulnerability in TikTok, a popular social media platform with more than one billion users worldwide, that could allow attackers to monitor users' activity on both mobile and desktop devices. This vulnerability, which has now been fixed, was caused by a windo...
Ghost CMS 4.3.2 - Cross-Origin Admin Takeover
Ghost is one of the most popular Node.js-based Content Management Systems (CMS). According to the vendor, there are currently more than 2.5 million installs of it and the project has more than 38k stars on GitHub. During our research on open-source applications, we analyzed the code and found a...
BugPoC: DOM based Cross-site Scripting
Summary: The postMessage API is an alternative to JSONP, XHR with CORS headers and other methods enabling sending data between origins. It was introduced with HTML5 and like many other cross-document features it can be a source of client-side vulnerabilities. Steps To Reproduce: Visit -...
WIN32 PostMessage API information leak
By using PostMessage(hwnd, EM_SETPASSWORDCHAR, 0, 0) it's possible to unmask the password in a dialog to copy it later via a buffer. It allows bypassing WM_GETTEXT protection...
Win32: Postmessage API security flaw
Hello, I would like to bring to your notice a certain vulnerability that has existed in Win 9x platforms for many years and now in Win2k/XP. Most of us are familiar with password revealers and password stealing trojans. Though flaws in Windows Messaging API have been shown before this one relates ...