8 matches found
HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit
Summary When adding a "web link" to the HFS virtual filesystem, the frontend opens it with target="_blank" but without the rel="noopener noreferrer" attribute. This allows the opened page to use the window.opener property to change the location of the original HFS tab. Details While most modern...
GHSA-XCXH-6CV4-Q8P8 HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit
Summary When adding a "web link" to the HFS virtual filesystem, the frontend opens it with target="_blank" but without the rel="noopener noreferrer" attribute. This allows the opened page to use the window.opener property to change the location of the original HFS tab. Details While most modern...
PT-2025-34325 · Npm · Hfs
Summary When adding a "web link" to the HFS virtual filesystem, the frontend opens it with target="_blank" but without the rel="noopener noreferrer" attribute. This allows the opened page to use the window.opener property to change the location of the original HFS tab. Details While most modern...
CVE-2025-33014
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.4 uses a web link with untrusted references to an external site. A remote attacker could exploit this vulnerability to expose sensitive information or perform unauthorized actions on the...
Security Bulletin: IBM JRS (Jazz Reporting Service) uses a web link with untrusted references to an external site.
Summary IBM JRS Jazz Reporting Service uses a web link with untrusted references to an external site. A remote attacker could exploit this vulnerability to expose sensitive information or perform unauthorized actions on the victims' web browser. The web application produces links to untrusted...
Security Bulletin: IBM Engineering Lifecycle Optimization - Engineering Publishing uses a web link with untrusted references to an external site.
Summary When a user clicks a link to an external site, and that link has the target="_blank" attribute, then the new site will be opened into a new tab or window, but will share its process with the original tab or window. The window.opener object stores information from the original window, so i...
CVE-2024-39727
IBM Engineering Lifecycle Optimization - Engineering Insights 7.0.2 and 7.0.3 uses a web link with untrusted references to an external site. A remote attacker could exploit this vulnerability to expose sensitive information or perform unauthorized actions on the victims’ web browser...
The Secret Vulnerability Finance Execs are Missing
The Other Risk in Finance A few years ago, a Washington-based real estate developer received a document link from First American – a financial services company in the real estate industry – relating to a deal he was working on. Everything about the document was perfectly fine and normal. The odd...