Tag

#web

GHSA-hxw5-9cc5-cmw5: LibreNMS stored Cross-site Scripting vulnerability in poller group name

LibreNMS v25.4.0 suffers from a Stored Cross-Site Scripting (XSS) vulnerability in the 'group name' parameter of the 'http://localhost/poller/groups' form. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users.

## POC

Before setting: enable 'distributed_poller' in http://localhost/settings/poller/distributed

1. Attacker creates a new poller group and injects the payload in the 'group name' parameter

```
payload: <script>alert('XSS')</script>
```

2. Victim navigates to 'http://localhost/addhost' to add a new host
3. The payload is executed

Code sink: https://github.com/librenms/librenms/blob/25.4.0/includes/html/pages/addhost.inc.php#L284

RVTools Official Site Hacked to Deliver Bumblebee Malware via Trojanized Installer

The official site for RVTools has been hacked to serve a compromised installer for the popular VMware environment reporting utility. "Robware.net and RVTools.com are currently offline. We are working expeditiously to restore service and appreciate your patience," the company said in a statement posted on its website. "Robware.net and RVTools.com are the only authorized and supported websites for

Firefox Tests AI-Powered Perplexity Search Engine Directly in Browser

Mozilla Firefox experiments with AI-powered Perplexity Search Engine in its address bar for version 139, signalling a potential…

Coordinated Intelligence: The Next Frontier for Onchain AI Agents

Disciplined, well-trained, and well-equipped, AI agents are digital soldiers. They operate independently to carry out their orders, working…

Who Even Is a Criminal Now?

WIRED loves a rogue. Except rogues ruined the internet. Is there any salvaging the rebellious spirit without destroying everything?

We 3D-Printed Luigi Mangione’s Ghost Gun. It Was Entirely Legal

In the wake of Luigi Mangione’s alleged killing of a health care CEO with a partially 3D-printed pistol, we built the exact same weapon ourselves—and test-fired it.

For Tech Whistleblowers, There’s Safety in Numbers

Amber Scorah and Psst are building a “digital safe” to help people shine a light on the bad things their bosses are doing, without getting found out.

Russia-Linked SpyPress Malware Exploits Webmails to Spy on Ukraine

ESET reports on RoundPress, a cyber espionage campaign by Russia’s Fancy Bear (Sednit) targeting Ukraine-related organizations via webmail…

FBI Warns of AI Voice Scams Impersonating US Govt Officials

FBI has warned about a sophisticated vishing and smishing campaign using AI-generated voice memos to impersonate senior US…

How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes

The company behind the Signal clone used by at least one Trump administration official was breached earlier this month. The hacker says they got in thanks to a basic misconfiguration.