Tag: xss
-
NDSS 2025 EvoCrawl: Exploring Web Application Code And State Using Evolutionary Search
SESSION Session 3C: Mobile Security ———– ———– Authors, Creators & Presenters: Xiangyu Guo (University of Toronto), Akshay Kawlay (University of Toronto), Eric Liu (University of Toronto), David Lie (University of Toronto) ———– PAPER EvoCrawl: Exploring Web Application Code and State using Evolutionary Search As more critical services move onto the web, it has become increasingly…
-
NDSS 2025 EvoCrawl: Exploring Web Application Code And State Using Evolutionary Search
SESSION Session 3C: Mobile Security ———– ———– Authors, Creators & Presenters: Xiangyu Guo (University of Toronto), Akshay Kawlay (University of Toronto), Eric Liu (University of Toronto), David Lie (University of Toronto) ———– PAPER EvoCrawl: Exploring Web Application Code and State using Evolutionary Search As more critical services move onto the web, it has become increasingly…
-
Kibana Vulnerabilities Expose Systems to SSRF and XSS Attacks
Elastic has released a security advisory addressing an origin validation error in Kibana that could expose systems to Server-Side Request Forgery (SSRF) attacks. The vulnerability, tracked as CVE-2025-37734, affects multiple versions of the popular data visualization and exploration platform and has prompted immediate patching across all affected deployments. CVE ID Vulnerability Affected Versions CVSS Score Fixed Versions…
-
NDSS 2025 YuraScanner: Leveraging LLMs For Task-driven Web App Scanning4+
SESSION Session 2B: Web Security Authors, Creators & Presenters: Aleksei Stafeev (CISPA Helmholtz Center for Information Security), Tim Recktenwald (CISPA Helmholtz Center for Information Security), Gianluca De Stefano (CISPA Helmholtz Center for Information Security), Soheil Khodayari (CISPA Helmholtz Center for Information Security), Glancarlo Pellegrino (CISPA Helmholtz Center for Information Security) PAPER YuraScanner: Leveraging LLMs for…
-
NDSS 2025 YuraScanner: Leveraging LLMs For Task-driven Web App Scanning4+
SESSION Session 2B: Web Security Authors, Creators & Presenters: Aleksei Stafeev (CISPA Helmholtz Center for Information Security), Tim Recktenwald (CISPA Helmholtz Center for Information Security), Gianluca De Stefano (CISPA Helmholtz Center for Information Security), Soheil Khodayari (CISPA Helmholtz Center for Information Security), Glancarlo Pellegrino (CISPA Helmholtz Center for Information Security) PAPER YuraScanner: Leveraging LLMs for…
-
NDSS 2025 YuraScanner: Leveraging LLMs For Task-driven Web App Scanning4+
SESSION Session 2B: Web Security Authors, Creators & Presenters: Aleksei Stafeev (CISPA Helmholtz Center for Information Security), Tim Recktenwald (CISPA Helmholtz Center for Information Security), Gianluca De Stefano (CISPA Helmholtz Center for Information Security), Soheil Khodayari (CISPA Helmholtz Center for Information Security), Glancarlo Pellegrino (CISPA Helmholtz Center for Information Security) PAPER YuraScanner: Leveraging LLMs for…
-
Pi-hole XSS CVE-2025-53533: kritische Sicherheitslücke entdeckt
Pi-hole XSS CVE-2025-53533. In der DNS-Software in der Weboberfläche. Der Template-Fehler im Webfrontend kann gravierende Folgen haben. First seen on tarnkappe.info Jump to article: tarnkappe.info/artikel/cyberangriffe/pi-hole-xss-cve-2025-53533-kritische-sicherheitsluecke-entdeckt-322254.html
-
Cisco Desk, IP, and Video Phones Vulnerable to Remote DoS and XSS Attacks
Multiple Cisco desk, IP, and video phones are at risk of remote denial-of-service (DoS) and cross-site scripting (XSS) attacks due to flaws in their Session Initiation Protocol (SIP) software. The weaknesses affect Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 models when they are registered to Cisco Unified Communications…
-
Cisco Desk, IP, and Video Phones Vulnerable to Remote DoS and XSS Attacks
Multiple Cisco desk, IP, and video phones are at risk of remote denial-of-service (DoS) and cross-site scripting (XSS) attacks due to flaws in their Session Initiation Protocol (SIP) software. The weaknesses affect Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 models when they are registered to Cisco Unified Communications…
-
CISA Warns of Actively Exploited Zero-Day XSS Flaw in Zimbra Collaboration Suite
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued an urgent alert concerning an actively exploited zero-day vulnerability in the Zimbra Collaboration Suite (ZCS). The flaw, identified as CVE-2025-27915, is a cross-site scripting (XSS) vulnerability that impacts the ZCS Classic Web Client. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/zimbra-zcs-flaw-cve-2025-27915/
-
CISA Warns of Actively Exploited Zero-Day XSS Flaw in Zimbra Collaboration Suite
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued an urgent alert concerning an actively exploited zero-day vulnerability in the Zimbra Collaboration Suite (ZCS). The flaw, identified as CVE-2025-27915, is a cross-site scripting (XSS) vulnerability that impacts the ZCS Classic Web Client. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/zimbra-zcs-flaw-cve-2025-27915/
-
CISA Alerts on Zimbra Collaboration Suite Zero-Day XSS Flaw Exploited in Ongoing Attacks
CISA has issued a warning about a new zero-day cross-site scripting (XSS) flaw in the Zimbra Collaboration Suite (ZCS). This vulnerability is already in use by attackers to hijack user sessions, steal data, and push malicious filters. Organizations running ZCS should move quickly to apply available fixes or follow guidance to limit risk. Overview of…
-
CISA Alerts on Zimbra Collaboration Suite Zero-Day XSS Flaw Exploited in Ongoing Attacks
CISA has issued a warning about a new zero-day cross-site scripting (XSS) flaw in the Zimbra Collaboration Suite (ZCS). This vulnerability is already in use by attackers to hijack user sessions, steal data, and push malicious filters. Organizations running ZCS should move quickly to apply available fixes or follow guidance to limit risk. Overview of…
-
CISA Alerts on Zimbra Collaboration Suite Zero-Day XSS Flaw Exploited in Ongoing Attacks
CISA has issued a warning about a new zero-day cross-site scripting (XSS) flaw in the Zimbra Collaboration Suite (ZCS). This vulnerability is already in use by attackers to hijack user sessions, steal data, and push malicious filters. Organizations running ZCS should move quickly to apply available fixes or follow guidance to limit risk. Overview of…
-
U.S. CISA adds Synacor Zimbra Collaboration Suite (ZCS) flaw to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Synacor Zimbra Collaboration Suite (ZCS) flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Synacor Zimbra Collaboration Suite (ZCS) flaw, tracked as CVE-2025-27915, to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-27915 is a stored XSS flaw in Zimbra Collaboration Suite (versions 9.010.1)…
-
Lectora Desktop and Online XSS Vulnerability Enables JavaScript Injection
A critical cross-site scripting (XSS) vulnerability affecting both Lectora Desktop and Lectora Online has been disclosed, enabling attackers to inject JavaScript through crafted URL parameters. Discovered by security researcher Mohammad Jassim and documented by the CERT® Coordination Center on September 22, 2025, this flaw poses a risk of client-side code execution, session hijacking, and user…
-
Reflected XSS Flaw Enables Attackers to Evade Amazon CloudFront Protection Using Safari
A recent bug bounty discovery has drawn attention to a browser-specific reflected Cross-Site Scripting (XSS) vulnerability on help-ads.target.com. This flaw was found to bypass Amazon CloudFront’s Web Application Firewall (WAF) protections but could only be exploited on the Safari browser. The finding highlights the importance of testing for diverse browser behaviors during security assessments. Discovery…
-
Web Application Firewall Bypassed via JS Injection with Parameter Pollution
In a recent autonomous penetration test, a novel cross-site scripting (XSS) bypass that sidesteps even highly restrictive Web Application Firewalls (WAFs). Security researchers uncovered a ASP.NET application protected by a rigorously configured WAF. Conventional XSS payloads”, breaking out of single-quoted JavaScript strings”, were promptly blocked. Yet by abusing HTTP parameter pollution, the team managed to…
-
Nagios Flaw Enables Remote Attackers to Run Arbitrary JavaScript via XSS
Nagios has addressed a significant cross-site scripting (XSS) vulnerability in its enterprise monitoring platform Nagios XI that could allow remote attackers to execute arbitrary JavaScript code in users’ browsers. The security flaw, discovered in the Graph Explorer feature, was patched in the 2024R2.1 release on August 12, 2024. The vulnerability was responsibly disclosed by security…
-
Lenovo-Chatbot-Lücke wirft Schlaglicht auf KI-Sicherheitsrisiken
Über eine Schwachstelle in Lenovos Chatbot für den Kundensupport ist es Forschern gelungen, Schadcode einzuschleusen.Der Chatbot ‘Lena” von Lenovo basiert auf GPT-4 von OpenAI und wird für den Kundensupport verwendet. Sicherheitsforscher von Cybernews fanden heraus, dass das KI-Tool anfällig für Cross-Site-Scripting-Angriffe (XSS) war. Die Experten haben eine Schwachstelle entdeckt, über die sie schädliche HTML-Inhalte generieren…
-
Lenovo chatbot breach highlights AI security blind spots in customer-facing systems
Enterprise-wide implications: While the immediate impact involved session cookie theft, the vulnerability’s implications extended far beyond data exfiltration.The researchers warned that the same vulnerability could enable attackers to alter support interfaces, deploy keyloggers, launch phishing attacks, and execute system commands that could install backdoors and enable lateral movement across network infrastructure.”Using the stolen support agent’s…
-
Lenovo-Chatbot Lena Kritische XSS-Schwachstellen offenbaren fatale Sicherheitslücken in KI-Implementierungen
Lenovo wollte mit seinem KI-Chatbot Lena eigentlich den Kundenservice modernisieren. Stattdessen öffnete die digitale Assistentin ein Einfallstor für Angriffe, die bis hin zum Diebstahl sensibler Daten und der Kompromittierung interner Systeme reichen konnten. Cybernews-Forscher entdeckten gleich mehrere kritische XSS-Schwachstellen, die ein erschreckendes Licht auf den Umgang mit Sicherheit in KI-gestützten Services werfen. Ein einziger Prompt…
-
WAF Protections Bypassed via JS Injection and Parameter Pollution for XSS Attacks
A groundbreaking security research has revealed that parameter pollution techniques combined with JavaScript injection can bypass 70% of modern Web Application Firewalls (WAFs), raising serious concerns about the effectiveness of current web security defenses. Security researchers conducting autonomous penetration testing discovered a sophisticated method to circumvent WAF protections by exploiting fundamental differences in how web applications…
-
SonicWall Urges Patch After 3 Major VPN Vulnerabilities Disclosed
watchTowr’s latest research details critical SonicWall SMA100 flaws (CVE-2025-40596, 40597, 40598). Discover how pre-auth stack/heap overflows and XSS put SSL-VPNs at risk. Patch now! First seen on hackread.com Jump to article: hackread.com/sonicwall-patch-after-3-vpn-vulnerabilities-disclosed/
-
Why React Didn’t Kill XSS: The New JavaScript Injection Playbook
React conquered XSS? Think again. That’s the reality facing JavaScript developers in 2025, where attackers have quietly evolved their injection techniques to exploit everything from prototype pollution to AI-generated code, bypassing the very frameworks designed to keep applications secure.Full 47-page guide with framework-specific defenses (PDF, free).JavaScript conquered the web, but with First seen on thehackernews.com…
-
Law Enforcement Cracks Down on XSS, but Will It Last?
The arrest of a suspected administrator for the popular cybercrime forum was one of several enforcement actions in the past week targeting malicious activity. First seen on darkreading.com Jump to article: www.darkreading.com/threat-intelligence/law-enforcement-cracks-down-xss
-
Breach Roundup: Suspected XSS Cybercrime Forum Admin Arrested
Also: Clorox Sues IT Vendor Over Password Blunder. This week, XSS forum admin arrested, Clorox sued Cognizant, Lumma Stealer is back, NY regulates water, U.S. maritime cybersecurity rules in effect, new Coyote banking Trojan, a hacker nabbed details of Mexico City auxiliary police, Latin America cyberattacks, and World Leaks stole synthetic data. First seen on…
-
Key Operator of World’s Largest XSS Dark Web Platform Detained
International law enforcement agencies have dismantled one of the world’s most influential Russian-speaking cybercrime platforms following the arrest of its suspected administrator in a coordinated operation spanning France, Ukraine, and broader European cooperation. The takedown of xss.is represents a significant blow to global cybercriminal networks that have operated with relative impunity on the dark web…
-
Suspected admin of major dark web cybercrime forum arrested in Ukraine
French law enforcement said the alleged administrator of the long-running cybercrime forum XSS, formerly known as DaMaGeLab, was arrested in Ukraine. First seen on therecord.media Jump to article: therecord.media/suspected-xss-cybercrime-marketplace-admin-arrested