#zero_day

GHSA-jmpx-686v-c3wx: PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class

# Unauthorized Reflected XSS in the constructor of the `Downloader` class **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) **CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) **Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a XSS-type attack **Impact**: execution of arbitrary JavaScript code in the browser **Vulnerable component**: the constructor of the `Downloader` class **Exploitation conditions**: an unauthorized user **Mitigation**: sanitization of the `name` and `type` variables **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in the constructor of the `Downloader` class) in Phpspreadsheet. ...

8 months ago

ghsa

Open in Source

#xss #vulnerability #web #git #java #php #auth #zero_day

GHSA-x88g-h956-m5xg: Phpspreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file

# Unauthorized Reflected XSS in `Convert-Online.php` file **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) **CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) **Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` script, an attacker can perform a XSS-type attack **Impact**: executing arbitrary JavaScript code in the browser **Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file **Exploitation conditions**: an unauthorized user **Mitigation**: sanitization of the quantity variable **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in `Convert-Online.php` file) in Php...

8 months ago

ghsa

Open in Source

#xss #csrf #vulnerability #web #git #java #php #auth #zero_day

VicOne and Zero Day Initiative (ZDI) to Lead Pwn2Own Automotive

8 months ago

DARKReading

Open in Source

#vulnerability #ios #android #js #git #zero_day

Fake 7-Zip Exploit Code Traced to AI-Generated Misinterpretation

A recent claim that a critical zero-day vulnerability existed in the popular open-source file archiver 7-Zip has been met with skepticism from the software's creator and other security researchers.

8 months ago

HackRead

Open in Source

#vulnerability #web #windows #git #aws #buffer_overflow #zero_day

Cybersecurity Lags in Middle East Business Development

The fast growing region has its own unique cyber issues — and it needs its own talent to fight them.

8 months ago

DARKReading

Open in Source

#vulnerability #microsoft #ddos #dos #git #intel #acer #auth #zero_day

AI tools will enable significant productivity and efficiency benefits for organizations in the coming year, but they also will exacerbate privacy, governance, and security risks.

8 months ago

DARKReading

Open in Source

#vulnerability #web #ios #amazon #git #intel #acer #auth #zero_day

SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach

Palo Alto, Calif., USA, 30th December 2024, CyberNewsWire

8 months ago

HackRead

Open in Source

#web #mac #google #git #oauth #auth #zero_day #chrome

What Security Lessons Did We Learn in 2024?

Proactive defenses, cross-sector collaboration, and resilience are key to combating increasingly sophisticated threats.