Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry

Two "dangerous" security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could have been exploited to carry out cross-site scripting XSS attacks. "The vulnerabilities allowed unauthorized access to the victim's session within the compromised Azure...

PostMessage Wildcard Target Origin Detected

Web applications relying on JavaScript often need to perform cross-origin communication between Window objects such as a page and an embedded iframe or a popup window. The postMessage API allows developers to circumvent the same-origin policy restrictions in order to exchange data between scripts...

Imperva Red Team Discovers Vulnerability in TikTok That Can Reveal User Activity and Information

TL;DR The Imperva Red Team discovered a vulnerability in TikTok, a popular social media platform with more than one billion users worldwide, that could allow attackers to monitor users activity on both mobile and desktop devices. This vulnerability, which has now been fixed, was caused by a windo...

SUSE CVE-2014-1346

WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, does not properly interpret Unicode encoding, which allows remote attackers to spoof a postMessage origin, and bypass intended restrictions on sending a message to a connected frame or window, via crafted characters in a URL...

XSS via postMessage to deface any website and account takeover

Description Hey Chatwoot team, while looking for vulnerabilities I found a critical XSS which allow us to XSS/Deface any website which uses the chat, this can be automated to attack thousands of websites Vulnerable Code Inside this function...

Khan Academy: xss due to incorrect handling of postmessages

Due to Insecure handling of create link tags a tags in a function called autolink found in 7Bmt.af733e428f9f986dfc96.js js e = n.autolinke, !0; const n = function const e = /\b?:?:https?://|www\d0,3.|a-z0-9.-+.a-z2,4/?:^\s&+|&|?:^\s|?:^\s+\+?:?:^\s|?:^\s+\|^\s!\;:'".,?«»“”‘’&/gi; return...

Malicious code in rc-postmessage (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3efaf8ce2d77ed7f18f8738560aeafd7abb05ba0520d5498241baca769bdbaab Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2022-5604 Malicious code in rc-postmessage (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3efaf8ce2d77ed7f18f8738560aeafd7abb05ba0520d5498241baca769bdbaab Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

TikTok: TikTok's pixel/sdk.js leaks current URL from websites using postMessage

A vulnerability was found where an oauth token could have been leaked due to an origin check bypass in the TikTok Pixel SDK. We thank @fransrosen for reporting this to our team...

GHSA-MR5M-2385-2VCP xdlocalstorage does not verify request origin

An issue was discovered in xdLocalStorage through 2.0.5. The postData function in xdLocalStoragePostMessageApi.js specifies the wildcard as the targetOrigin when calling the postMessage function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and...

xdlocalstorage does not verify request origin

An issue was discovered in xdLocalStorage through 2.0.5. The postData function in xdLocalStoragePostMessageApi.js specifies the wildcard as the targetOrigin when calling the postMessage function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and...

Cross-site Scripting (XSS)

reveal.js is vulnerable to cross-site scripting. The onmessage event listener in speaker-view.html does not properly check the origin of postMessage before being rendered on the webpage, allowing an attacker to inject and execute malicious javascript...

GHSA-HHQJ-CFJX-VJ25 Cross site scripting in reveal.js

The onmessage event listener in /plugin/notes/speaker-view.html does not check the origin of postMessage before adding the content to the webpage. The vulnerable code allows any origin to postMessage on the browser window and feeds attacker's input to parts using which attacker can execute...

Cross site scripting in reveal.js

The onmessage event listener in /plugin/notes/speaker-view.html does not check the origin of postMessage before adding the content to the webpage. The vulnerable code allows any origin to postMessage on the browser window and feeds attacker's input to parts using which attacker can execute...

Cross-site Scripting (XSS) - DOM in hakimel/reveal.js

Description The onmessage event listener in /plugin/notes/speaker-view.html does not check the origin of postMessage before adding the content to the webpage. The vulnerable code allows any origin to postMessage on the browser window and feeds attacker's input to parts using which attacker can...

in mastodon/mastodon

Description The message event listener in embed.js does not check the origin of postMessage before changing the height of the embedded toots. The vulnerable code allows any origin to postMessage on the browser window and feeds attacker's input id and height to code and now attacker is able to...

in slidevjs/slidev

Description Vulnerability: CSS injection and Limited XSS via postMessage While reading the code, I came across packages/client/iframes/monaco/index.ts file, where a message eventListener is being used. The callback function adds the content of message inside tag. This way, the attacker can post a...

GHSA-C6C4-JMQX-3R33 Open Redirect in xdLocalStorage

An issue was discovered in xdLocalStorage through 2.0.5. The buildMessage function in xdLocalStorage.js specifies the wildcard as the targetOrigin when calling the postMessage function on the iframe object. Therefore any domain that is currently loaded within the iframe can receive the messages...

Open Redirect in xdLocalStorage

An issue was discovered in xdLocalStorage through 2.0.5. The buildMessage function in xdLocalStorage.js specifies the wildcard as the targetOrigin when calling the postMessage function on the iframe object. Therefore any domain that is currently loaded within the iframe can receive the messages...

GHSA-W6V7-W58J-PG5R Improper Verification of Communication Channel in @theia/plugin-ext

In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage...