Malicious code in briantreehttp (npm)

briantreehttp is a typosquatting package impersonating braintreehttp, the HTTP client library published by Braintree/PayPal. The package bundles the legitimate library source to appear functional while hiding a credential-theft payload in index1.js, which is executed at install time via the...

Malicious code in erslove (npm)

erslove is a typosquatting package impersonating resolve, the module resolution library implementing require.resolve semantics. The package bundles the legitimate resolve source and test fixtures to appear functional while hiding a credential-theft payload in index1.js, executed at install time v...

MAL-2026-3645 Malicious code in dit-envv (npm)

dit-envv is a typosquatting package impersonating dotenv, the widely-used environment variable loader. The package bundles the legitimate dotenv source and documentation to appear functional while hiding a credential-theft payload in index1.js, executed at install time via the postinstall script...

MAL-2026-3646 Malicious code in erslove (npm)

erslove is a typosquatting package impersonating resolve, the module resolution library implementing require.resolve semantics. The package bundles the legitimate resolve source and test fixtures to appear functional while hiding a credential-theft payload in index1.js, executed at install time v...

MAL-2026-3647 Malicious code in haswons (npm)

haswons is a typosquatting package impersonating hasown, the utility for checking whether an object has a direct own property. The package bundles the legitimate hasown source to appear functional while hiding a credential-theft payload in index1.js, executed at install time via the postinstall...

U.S. Dept Of Defense: Reflected XSS in `Telerik.ReportViewer.axd` with F5 BIG-IP ASM Bypass on `████`

A reflected cross-site scripting XSS vulnerability was discovered in the Telerik.ReportViewer.axd endpoint on the staging subdomain. The vulnerability was exploited by leveraging an unsupported event handler that was not filtered by the F5 BIG-IP Application Security Manager ASM WAF. An obfuscate...

SQL Server Reporting Services (SSRS) ViewState Deserialization

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SQL Server Reporting Services SSRS ViewState Deserialization', 'Description' = %q A vulnerability exists within Microsoft's SQL Server Reporting...

Sitefinity 7.1.x < 7.1.5240.0 Multiple Vulnerabilities

The version of Sitefinity installed on the remote host is affected by multiple vulnerabilities : - An XSS vulnerability in Telerik.ReportViewer affects versions 4.2 through 11.0 CVE-2017-9140 - An XSS vulnerability in?Identity Server affects versions 10.0 through 11.0 CVE-2018-17053, CVE-2018-170...

Sitefinity 8.0.x < 8.0.5770.0 Multiple Vulnerabilities

The version of Sitefinity installed on the remote host is affected by multiple vulnerabilities : - An XSS vulnerability in Telerik.ReportViewer affects versions 4.2 through 11.0 CVE-2017-9140 - An XSS vulnerability in?Identity Server affects versions 10.0 through 11.0 CVE-2018-17053, CVE-2018-170...

CVE-2017-9140

Cross-site scripting XSS vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 11.0.17.406 allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd...

Cross-Site Scripting &#40;XSS&#41; in Microsoft ReportViewer Controls

================================================== Cross-Site Scripting XSS in Microsoft ReportViewer Controls Adam Bixby - Gotham Digital Science [email protected] Public Release Date: 8/9/2011 Confirmed Affected Software: Microsoft Report Viewer Redistributable 2005 SP1 and Microsoft Visual...