Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

SilverRAT Source Code Leaked Online: Here’s What You Need to Know

SilverRAT Source Code leaked on GitHub, exposing powerful malware tools for remote access, password theft, and crypto attacks before removal.

HackRead
Open in Source
#xss#web#mac#windows#git#java#wifi
Zimbra CVE-2024-27443 XSS Flaw Hits 129K Servers, Sednit Suspected

A critical XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite feature is actively being exploited, potentially by the…

May

May Linux Patch Wednesday. This time: 1091 vulnerabilities. Of those, 716 are in the Linux Kernel. 🤯 5 vulnerabilities are exploited in the wild: 🔻 RCE – PHP CSS Parser (CVE-2020-13756). In AttackerKB, an exploit exists.🔻 DoS – Apache ActiveMQ (CVE-2025-27533). In AttackerKB, an exploit exists.🔻 SFB – Chromium (CVE-2025-4664). In CISA KEV.🔻 PathTrav – […]

GHSA-m4hf-fxcg-cp34: DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline

Uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks.

GHSA-79m3-rvx2-3qq9: Reflected Cross-Site Scripting (XSS) in module actions in edit mode

A specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions.

GHSA-q53q-gxq9-mgrj: Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.

GHSA-6p8w-pc35-mqv8: [clickstorm] SEO (cs_seo) TYPO3 extension Cross-site Scripting (XSS) vulnerability

Cross-site scripting (XSS) vulnerability in the [clickstorm] SEO (cs_seo) TYPO3 extension allows backend users to execute arbitrary script via the JSON-LD output.

GHSA-5j3w-5pcr-f8hg: Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes

### Impact Rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) ouputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. ### Patches The issue is fixed in version `2.25.1` of `symfony/ux-twig-component` by using Twig's `EscaperRuntime` to properly escape HTML attributes in `ComponentAttributes`. If you use `symfony/ux-live-component`, you must also update it to `2.25.1` to benefit from the fix, as it reuses the `ComponentAttributes` class internally. ### Workarounds Until you can upgrade, avoid rendering `{{ attributes }}` or derived objects directly if it may contain untrusted values. Instead, use `{{ attributes.render('name') }}` for safe output of individual attributes. ### References GitHub repository: [symfony/ux](https://github.com/symfony/ux)

'Operation RoundPress' Targets Ukraine in XSS Webmail Attacks

A cyber-espionage campaign is targeting Ukrainian government entities with a series of sophisticated spear-phishing attacks that exploit XSS vulnerabilities.