Tag
#firefox
### Summary
The site title field at /panel/options/site/ allows embedding JS tags, which can be used to attack all members of the system. This is a widespread attack and can cause significant damage if there is a considerable number of users.
### Impact
The attack is widespread, leveraging what XSS can do. This will undoubtedly impact system availability.
### Patches
- [**Formwork 2.x** (aa3e9c6)](https://github.com/getformwork/formwork/commit/aa3e9c684035d9e8495169fde7c57d97faa3f9a2) escapes site title from panel header navigation.
### Details
By embedding "<!--", the source code can be rendered non-functional, significantly impacting system availability. However, the attacker would need admin privileges, making the attack more difficult to execute.
### PoC
1. The page where the vulnerability was found, and the attack surface is the Title field. ![image](https://github.com/user-attachment...
Angry Likho APT resurfaces, targeting Russian and Belarusian organizations with Lumma Stealer malware via phishing attacks, stealing credentials, banking data, and more.
Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
A new information-stealing malware, ACRStealer, is leveraging legitimate platforms like Google Docs and Steam to carry out its…
Beware before downloading Google Chrome from a Google search, you might get more than you expected.
The New Snake Keylogger variant targets Windows users via phishing emails, using AutoIt for stealth. Learn how it…
In mid-March 2024, KrebsOnSecurity revealed that the founder of the personal data removal service Onerep also founded dozens of people-search companies. Shortly after that investigation was published, Mozilla said it would stop bundling Onerep with the Firefox browser and wind down its partnership. But nearly a year later, Mozilla is still promoting it to Firefox users.
Morphisec uncovers a new ValleyRAT malware variant with advanced evasion tactics, multi-stage infection chains, and novel delivery methods…
UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data…
A critical vulnerability in Brave Browser allows malicious websites to appear as trusted sources during file uploads/downloads. Learn…