17 matches found
EUVD-2022-1905
Malicious code in bioql PyPI...
CVE-2022-24349
An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attac...
CSV Code Injection
CSV code injection is an attack scenario, where untrusted user input is written to a CSV file and leads to the execution of code formulas when the file is consumed by an external application e.g. Microsoft Excel or Google Sheets. As a result, this may lead to Data Exfiltration or Remote Code...
CVE-2021-35440
Smashing 1.3.4 is vulnerable to Cross Site Scripting XSS. A URL for a widget can be crafted and used to execute JavaScript on the victim's computer. The JavaScript code can then steal data available in the session/cookies depending on the user environment e.g. if re-using internal URL's for...
CVE-2021-35440
Smashing 1.3.4 is vulnerable to Cross Site Scripting XSS. A URL for a widget can be crafted and used to execute JavaScript on the victim's computer. The JavaScript code can then steal data available in the session/cookies depending on the user environment e.g. if re-using internal URL's for...
Europol Shuts Down 'Imminent Monitor' RAT Operations With 13 Arrests
In a coordinated International law enforcement operation, Europol today announced to shut down the global organized cybercrime network behind Imminent Monitor RAT, yet another hacking tool that allows cybercriminals to gain complete control over a victim's computer remotely. The operation targete...
GrandSoft Exploit Kit Landing Page
GrandSoft exploit kit is a web exploit kit that operates by delivering malicious payload to the victim's computer. Successful infection will allow the attacker to download additional malware to the target...
Design/Logic Flaw
In the uncurlwsaccept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation accepting an arbitrary substring match for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full...
Magnitude Exploit Kit Redirection
Magnitude exploit kit is a web exploit kit that operates by delivering malicious payload to the victim's computer. Remote attackers can infect users with Magnitude exploit kit by enticing them to visit a malicious web page. Successful infection will allow the attacker to perform Remote Code...
RIG Exploit Kit Landing Page
RIG exploit kit is a web exploit kit that operates by delivering malicious payload to the victim's computer. Successful infection will allow the attacker to download additional malware to the target...
HanJuan Exploit Kit Landing Page (CVE-2015-0313)
HanJuan exploit kit is a web exploit kit that operates by delivering malicious payload to the victim's computer. Remote attackers can infect users with HanJuan exploit kit by enticing them to visit a malicious web page. Successful infection will allow the attacker to perform Remote Code Execution...
BlackHole Toolkit v2 EXE Payload Stage Code Execution
Blackhole is a web exploit kit that operates by delivering malicious payload to the victim's computer...
OpenText First Class Client 11.005 Code Execution
Exploit Title: OpenText FirstClass Client Delayed Code Executiion Date: Discovered 11/16/2010, Contacted OpenText 2/1/11 and 2/7/11, Released 4/11/2011 Author: Kyle Ossinger www.k0ss.net Email: [email protected] Software Link:...
Dangling pointer vulnerability in nsTreeContentView — Mozilla
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in the way elements are inserted into a XUL tree . In certain cases, the number of references to an element is under-counted so that when the element is deleted, a live pointer to its old location is kept arou...
Arbitrary code execution via Flash Player dynamic module unloading — Mozilla
An anonymous security researcher reported via TippingPoint's Zero Day Initiative that insufficient checks were being performed to test whether the Flash module was properly dynamically unloaded. The researcher demonstrated that a SWF file which dynamically unloads itself from an outside JavaScrip...
Crash and remote code execution via __proto__ tampering — Mozilla
Mozilla developer Jesse Ruderman demonstrated that by tampering with the window.proto.proto object, one can cause the browser to place a lock on a non-native object, leading to a crash. Although we have not demonstrated such control, a determined attacker might be able to exploit this crash to ru...
Arbitrary file upload via originalTarget and DOM Range — Mozilla
Opera Software reported a vulnerability which allows malicious content to force the browser into uploading local files to the remote server. This could be used by an attacker to steal files from known locations on a victim's computer...