#web

# Unauthorized Reflected XSS in the `Accounting.php` file **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) **CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) **Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` script, an attacker can perform a XSS-type attack **Impact**: executing arbitrary JavaScript code in the browser **Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` file **Exploitation conditions**: an unauthorized user **Mitigation**: sanitization of the currency variable **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in `Accounting.php` file) ...

# Unauthorized Reflected XSS in the constructor of the `Downloader` class **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) **CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) **Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a XSS-type attack **Impact**: execution of arbitrary JavaScript code in the browser **Vulnerable component**: the constructor of the `Downloader` class **Exploitation conditions**: an unauthorized user **Mitigation**: sanitization of the `name` and `type` variables **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in the constructor of the `Downloader` class) in Phpspreadsheet. ...

Invitations to try a beta lead to a fake game website where victims will get an information stealer instead of the promised game

# Unauthorized Reflected XSS in `Convert-Online.php` file **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) **CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) **Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` script, an attacker can perform a XSS-type attack **Impact**: executing arbitrary JavaScript code in the browser **Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file **Exploitation conditions**: an unauthorized user **Mitigation**: sanitization of the quantity variable **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in `Convert-Online.php` file) in Php...

The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated arbitrary content injection vulnerability in the webServerDeviceLabelUpdate.php script due to a lack of input validation. Authenticated attackers can exploit the 'deviceLabel' POST parameter to write arbitrary content to a fixed file location at /usr/local/aam/etc/deviceLabel, potentially causing a denial of service.

The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated reflected cross-site scripting vulnerability in the 'title' GET parameter. Input is not properly sanitized before being returned to the user, allowing the execution of arbitrary HTML/JS code in a user's browser session in the context of the affected site. While the factory test scripts included in the upgrade bundle are typically deleted, a short window for exploitation exists when the device is in the manufacturing phase.

The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated blind command injection vulnerability. Input passed to the serial and ManufactureDate POST parameters is not properly sanitized, allowing attackers to execute arbitrary shell commands on the system. While factory test scripts included in the upgrade bundle are typically deleted, a short window for exploitation exists when the device is in the manufacturing phase.

The Christmas Eve compromise of data-security firm Cyberhaven's Chrome extension spotlights the challenges in shoring up third-party software supply chains.

A network of Facebook pages has been advertising “fuel filters” that are actually meant to be used as silencers, which are heavily regulated by US law. Even US military officials are concerned.