467 matches found
Google Chromium Network Service Use-After-Free Vulnerability
Google Chromium Network Service contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsof...
Security Bulletin: Vulnerability in SSLv3 affects TS3100/TS3200 (CVE-2014-3566)
Summary SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption POODLE attack. SSLv3 is enabled in TS3100/TS3200. Vulnerability Details CVE-ID : CVE-2014-3566 DESCRIPTION : Product could allow a remote attacker to obtain sensitive information...
Security Bulletin: Vulnerability in SSLv3 affects TS3100/TS3200 (CVE-2014-3566)
Summary Security Bulletin: Vulnerability in SSLv3 affects TS3100/TS3200 CVE-2014-3566 Vulnerability Details Security Bulletin --- Summary --- SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption POODLE attack. SSLv3 is enabled in...
From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022
As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significa...
CVE-2023-0937 VK All in One Expansion Unit < 9.87.1.0 - Reflected XSS
The VK All in One Expansion Unit WordPress plugin before 9.87.1.0 does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
CVE-2023-0937 VK All in One Expansion Unit < 9.87.1.0 - Reflected XSS
The VK All in One Expansion Unit WordPress plugin before 9.87.1.0 does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
Important: python-lxml
Issue Overview: A Cross-site Scripting XSS vulnerability was found in the python-lxml's clean module. The module's parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user's page. This flaw allows a remote attacker to run arbitrary HTML/JS code. The...
Researchers Share New Insights Into RIG Exploit Kit Malware's Operations
The RIG exploit kit EK touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal. "RIG EK is a financially-motivated program that has been active since 2014," Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News...
ChromeLoader Malware Targeting Gamers via Fake Nintendo and Steam Game Hacks
A new ChromeLoader malware campaign has been observed being distributed via virtual hard disk VHD files, marking a deviation from the ISO optical disc image format. "These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games...
Deliver Faster Downloads for Better Browsing, Part 4 of 5
Web browsers read HTML, CSS, and JavaScript code as well as video, images, and SVG files, then use that data to build and render a web page...
VK All in One Expansion Unit < 9.87.1.0 - Reflected XSS
The plugin does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers PoC Make a logged in admin open the below URL using web browser which does not encode characters...
CVE-2023-25653 Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS)
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption JOSE for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in node-jose can trigger a Denial-of-Service DoS condition, due to a...
CVE-2023-25653
CVE-2023-25653 affects the node-jose library (JOSE for web browsers and Node.js) when using the non-default fallback crypto backend. The root cause is an infinite loop in ECC-related calculations due to how the modular inverse result from the jsbn library can be negative, which breaks the Barrett...
CVE-2023-25653 Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS)
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption JOSE for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in node-jose can trigger a Denial-of-Service DoS condition, due to a...
SUSE CVE-2004-0595
The striptags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null \0 characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and...
SUSE CVE-2012-3992
Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 do not properly manage history data, which allows remote attackers to conduct cross-site scripting XSS attacks or obtain sensitive POST content via...
Italian Users Warned of Malware Attack Targeting Sensitive Information
A new malware campaign has been observed targeting Italy with phishing emails designed to deploy an information stealer on compromised Windows systems. "The info-stealer malware steals sensitive information like system info, crypto wallet and browser histories, cookies, and credentials of crypto...
Cookie Session Not Expiring Even After Deleting the users
Description The session is not expiring in another browser if we delete the user. Proof of Concept 1. Create two users with an admin role for the POC 2. Login in two different browsers Firefox user A and Chrome user B respectively 3. Go the settings-users and delete user B from user A Firefox...
Ukraine's DELTA Military System Users Under Attack from Info Stealing Malware
The Computer Emergency Response Team of Ukraine CERT-UA this week disclosed that users of the Delta situational awareness program received phishing emails from a compromised email account belonging to the Ministry of Defense. The attacks, which have been attributed to a threat cluster dubbed...
Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy
The Mozilla Foundation Security Advisory describes this flaw as: When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec...