Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

About Cross Site Scripting – MDaemon Email Server (CVE-2024-11182)

About Cross Site Scripting – MDaemon Email Server (CVE-2024-11182). An attacker can send an HTML-formatted email containing malicious JavaScript code embedded in an img tag. If the user opens the email in the MDaemon Email Server’s web interface, the malicious JavaScript code will execute in the context of the web browser window. This allows the […]

Alexander V. Leonov
Open in Source
#xss#vulnerability#web#java#blog
GHSA-2hj5-g64g-fp6p: Argo CD allows cross-site scripting on repositories page

### Impact This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. In `ui/src/app/shared/components/urls.ts`, the following code exists to parse the repository URL. https://github.com/argoproj/argo-cd/blob/0ae5882d5ae9fe88efc51f65ca8543fb8c3a0aa1/ui/src/app/shared/components/urls.ts#L14-L26 Since this code doesn't validate the protocol of repository URLs, it's possible to inject `javascript:` URLs here. https://github.com/argoproj/argo-cd/blob/0ae5882d5ae9fe88efc51f65ca8543fb8c3a0aa1/ui/src/app/shared/components/repo.tsx#L5-L7 As the return value of this function is used in the `href` attribute of the `a` tag, it's possible to achieve cross-site scripting by using `javascript:` URLs. Browsers may return the proper ho...

GHSA-3432-fmrf-7vmh: Chrome PHP is missing encoding in `CssSelector`

### Impact CSS Selector expressions are not properly encoded, which can lead to XSS (cross-site scripting) vulnerabilities. ### Patches This is patched in v1.14.0. ### Workarounds Users can apply encoding manually to their selectors, if they are unable to upgrade.

Vulnerabilities of Western logistics

Vulnerabilities of Western logistics. On May 21, Western intelligence agencies released joint advisory AA25-141A about attacks targeting infrastructure of Western logistics and tech companies. Alongside the usual Five Eyes, intelligence services from Germany, Czech Republic, Poland, Denmark, Estonia, France, and the Netherlands also contributed. The advisory blames Fancy Bear group, allegedly linked to Russian state […]

Everest Ransomware Leaks Coca-Cola Employee Data Online

Everest ransomware leaks Coca-Cola employee data: 1,104 files exposed, including HR, admin roles, IDs, personal details, and internal records.

SilverRAT Source Code Leaked Online: Here’s What You Need to Know

SilverRAT Source Code leaked on GitHub, exposing powerful malware tools for remote access, password theft, and crypto attacks before removal.

Zimbra CVE-2024-27443 XSS Flaw Hits 129K Servers, Sednit Suspected

A critical XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite feature is actively being exploited, potentially by the…

May

May Linux Patch Wednesday. This time: 1091 vulnerabilities. Of those, 716 are in the Linux Kernel. 🤯 5 vulnerabilities are exploited in the wild: 🔻 RCE – PHP CSS Parser (CVE-2020-13756). In AttackerKB, an exploit exists.🔻 DoS – Apache ActiveMQ (CVE-2025-27533). In AttackerKB, an exploit exists.🔻 SFB – Chromium (CVE-2025-4664). In CISA KEV.🔻 PathTrav – […]

GHSA-m4hf-fxcg-cp34: DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline

Uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks.

GHSA-79m3-rvx2-3qq9: Reflected Cross-Site Scripting (XSS) in module actions in edit mode

A specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions.