Information Management Today

Russia-linked APT TAG-70 targets European government and military mail servers exploiting Roundcube XSS

Security Affairs

FEBRUARY 19, 2024

An APT group, tracked as TAG-70, linked to Belarus and Russia exploited XSS flaws in Roundcube webmail servers to target over 80 organizations. Researchers from Recorded Future’s Insikt Group identified a cyberespionage campaign carried out by an APT group, tracked as TAG-70, linked to Belarus and Russia.

Military

Military Government Access Risk

Zimbra zero-day exploited to steal government emails by four groups

Security Affairs

NOVEMBER 16, 2023

Google TAG revealed that threat actors exploited a Zimbra Collaboration Suite zero-day ( CVE-2023-37580 ) to steal emails from governments. The vulnerability is a reflected cross-site scripting (XSS) issue that resides in the Zimbra Classic Web Client, it impacts Zimbra Collaboration (ZCS) 8 before 8.8.15

Government

Government Authentication Phishing IT

Security Affairs newsletter Round 460 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs

FEBRUARY 25, 2024

Iran Crisis Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign U.S.

Military

Military Security Ransomware Insurance

Webinars

Peak Performance: Continuous Testing & Evaluation of LLM-Based Applications

MORE WEBINARS

Winter Vivern APT exploited zero-day in Roundcube webmail software in recent attacks

Security Affairs

OCTOBER 25, 2023

In recent attacks, the group was observed exploiting a XSS vulnerability, tracked as CVE-2023-5631 , by sending a specially crafted email message. The analysis of the email HTML source code revealed the presence of a SVG tag at the end, which contains a base64-encoded payload. The messages were sent from team.managment@outlook[.]com

Military

Military Government Phishing IT

Zimbra fixed actively exploited zero-day CVE-2023-38750 in ZCS

Security Affairs

JULY 27, 2023

It was developed by Zimbra, Inc The vulnerability is reflected Cross-Site Scripting (XSS) that was discovered by Clément Lecigne of Google Threat Analysis Group (TAG). Google TAG researchers focus on identifying and countering advanced and persistent threats. Zimbra this week released version ZCS 10.0.2

Risk

Risk Security IT Information Security

XSS flaw in WordPress WP-Members Plugin can lead to script injection

Security Affairs

APRIL 2, 2024

In order to exploit this XSS, an attacker could intercept a registration request after filling out and submitting the registration form using a proxy. Then the attacker can modify the raw request to contain an X-Forwarded-For header set to a malicious payload enclosed in script tags. and fully patched in version 3.4.9.3.

Access

Access IT Information Security Security

Zimbra urges customers to manually fix actively exploited zero-day reported by Google TAG

Security Affairs

JULY 13, 2023

” The vulnerability is reflected Cross-Site Scripting (XSS) that was discovered by Clément Lecigne of Google Threat Analysis Group (TAG). Google TAG researchers focus on identifying and countering advanced and persistent threats. The fix is planned to be delivered in the July patch release.”

Authentication

Authentication Cloud Security IT

Critical Remote Code Execution issue impacts popular post-exploitation toolkit Cobalt Strike

Security Affairs

OCTOBER 18, 2022

This can be exploited using an object tag, which in turn can load a malicious payload from a webserver, which is then executed by the Cobalt Strike client.” “Disabling automatic parsing of html tags across the entire client was enough to mitigate this behaviour.” ” reads the post published by HelpSystems.

IT

IT Security Information Security

Google TAG warns of Russia-linked APT groups targeting Ukraine

Security Affairs

APRIL 20, 2023

The researchers from Google TAG are warning of Russia-linked threat actors targeting Ukraine with phishing campaigns. Russia-linked threat actors launched large-volume phishing campaigns against hundreds of users in Ukraine to gather intelligence and aimed at spreading disinformation, states Google’s Threat Analysis Group (TAG).

Phishing

Phishing Military Ransomware Education

Google addressed an XSS flaw in Gmail

Security Affairs

NOVEMBER 18, 2019

Google addressed an XSS vulnerability in Gmail, the IT staff at Google defined the vulnerability as “awesome.” Bentkowski, Chief Security Researcher from security frim Securitum , found an XSS vulnerability in Gmail and responsibly disclosed it this week after Google has addressed it. . ” Micha? Pierluigi Paganini.

Security

Security IT Access Information Security

Millions of sites could be hacked due to flaws in popular WordPress plugins

Security Affairs

MARCH 19, 2021

Wordfence researchers discovered multiple stored cross-site scripting (XSS) flaws in the Elementor plugin, which collectively received a CVSS score of 6.4. The lack of server-side validation for HTML tags in Elementor elements (i.e. “Many of these elements offer the option to set an HTML tag for the content within. .

Authentication

Authentication Security Access IT

CISA adds bugs exploited by commercial surveillance spyware to Known Exploited Vulnerabilities catalog

Security Affairs

APRIL 1, 2023

Google TAG shared indicators of compromise (IoCs) for both campaigns. The experts pointed out that both campaigns were limited and highly targeted. The threat actors behind the attacks used both zero-day and n-day exploits in their exploits. The exploits were used to install commercial spyware and malicious apps on targets’ devices.

Cybersecurity

Cybersecurity Education Risk Security

Magento fixed security flaws that allow complete site takeover

Security Affairs

JULY 4, 2019

The attacker would first exploit a Stored Cross-Site Scripting (XSS) vulnerability to inject a JavaScript payload into the administrator backend of a Magento store. The XSS occurs when the sanitized links are processed via vsprintf(), an additional double quote is injected into the <i> tag allowing for an attribute injection.

Security

Security Authentication IT Information Security

WordPress Plugin Facebook Widget affected by authenticated XSS

Security Affairs

JULY 29, 2019

Security experts at Plugin Vulnerabilities have discovered an authenticated Persistent Cross-Site Scripting (XSS) flaw in Facebook Widget. Researchers at Plugin Vulnerabilities have discovered an authenticated Persistent Cross-Site Scripting (XSS) flaw in the Facebook Widget (Widget for Facebook Page Feeds). Pierluigi Paganini.

Authentication

Authentication Security IT Information Security

CSRF flaw in WordPress potentially allowed the hack of websites

Security Affairs

MARCH 14, 2019

” The above issue can become a security issue since administrators of a WordPress blog are allowed to use arbitrary HTML tags in comments, even <script> tags. Since the injected attribute is an onmouseover event handler, the attacker can make the iframe follow the mouse of the victim to instantly trigger the XSS payload.

Security

Security IT

Zero-day in popular Yuzo Related Posts WordPress Plugin exploited in the wild

Security Affairs

APRIL 12, 2019

The XSS flaw allows attackers to inject a JavaScript into the sites that redirect visitors to websites displaying scams, including tech support scams , and sites promoting unwanted software. Once deobfuscated, the script will create a new script tag with a source of [link] which will be injected into the head of the page.

Authentication

Authentication Security IT

GUEST ESSAY: Why online supply chains remain at risk — and what companies can do about it

The Last Watchdog

JUNE 30, 2021

Today’s websites integrate dozens of third-party service providers, from user analytics to marketing tags, CDNs , ads, media and these third-party services load their code and content into the browser directly. Due to optimized speeds and improved computing capacity on client devices, the architecture has evolved over the last few years.

IT

IT Risk Mining Analytics

100k+ WordPress sites exposed to hack due to a bug in Real-Time Find and Replace plugin

Security Affairs

APRIL 28, 2020

The vulnerability was discovered by Wordfence researchers, it is a Cross-Site Request Forgery flaw that could lead to Stored Cross-Site Scripting (Stored XSS) attacks. “An attacker could use this vulnerability to replace a HTML tag like with malicious Javascript. ” continues the report.

GDPR

GDPR Authentication IT Access

API Security 101 for Developers: How to Easily Secure Your APIs

ForAllSecure

MARCH 29, 2023

Cross-Site Scripting (XSS) Cross-Site Scripting (XSS) attacks occur when an attacker injects malicious code into a web page that is viewed by other users. API-based XSS attacks involve exploiting vulnerabilities in the APIs used by web applications to fetch and display data.

Security

Security Authentication Passwords Encryption

Flaw in Evernote Web Clipper for Chrome extension allows stealing data

Security Affairs

JUNE 13, 2019

Security experts at browser security firm Guardio discovered a critical universal cross-site scripting (XSS) vulnerability in the Evernote Web Clipper for Chrome. Malicious website silently loads hidden, legitimate iframe tags (link) of targeted websites. ” reads a blog post published by Guardio.

Security

Security Access IT Information Security

Microsoft January 2019 Patch Tuesday updates fix 7 critical vulnerabilities

Security Affairs

JANUARY 9, 2019

Tag CVE ID CVE Title.NET Framework CVE-2019-0545.NET Tag CVE ID CVE Title.NET Framework CVE-2019-0545.NET Below there is the full list of vulnerabilities addressed by the Microsoft January 2019 Patch Tuesday. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Authentication

Authentication Security Cybersecurity Access

Microsoft May 2020 Patch Tuesday fixes 111 flaws, 13 Critical

Security Affairs

MAY 13, 2020

Below the full list of vulnerabilities addressed by Microsoft: Tag CVE ID CVE Title.NET Core CVE-2020-1161 ASP.NET Core Denial of Service Vulnerability.NET Core CVE-2020-1108.NET NET Core & NET Framework Denial of Service Vulnerability.NET Framework CVE-2020-1066.NET Copyright (C) 2014 Media.net Advertising FZ-LLC All Rights Reserved -->.

Security

Security Access Information Security IT

Expert released PoC for Outlook for Android flaw addressed by Microsoft

Security Affairs

JUNE 23, 2019

The expert was sending some JavaScript code to his friends via email when he accidentally discovered the XSS issue that could allow an attacker to embed an iframe into the email. “With this in mind I tried inserting a script tag instead of an iframe into an email. This one is mine. ” explained the expert.

Mining

Mining Access Authentication Security

My Blog Now Has a Content Security Policy - Here's How I've Done It

Troy Hunt

FEBRUARY 1, 2018

However, you can add a CSP via meta tag and indeed that's what I originally did with the upgrade-insecure-requests implementation I mentioned earlier when I fixed the Disqus issue. However - and this is where we start getting into browser limitations - you can't use the report-uri directive in a meta tag.

IT

IT Security Libraries Analytics

Pwn2Own Tokyo 2019 -Day2: experts hacked Samsung Galaxy S10 and Xiaomi Mi9 phones and TP-Link AC1750 routers

Security Affairs

NOVEMBER 8, 2019

The experts exploited a cross-site scripting (XSS) vulnerability in the device’s NFC component to exfiltrate data by touching a specially crafted NFC tag. The team also received $30,000 for an exploit targeting the Xiaomi Mi9 phone via the NFC component. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Security

Security IT Information Security

IoT Cybersecurity: 5 Major Vulnerabilities and How to Tackle Them

Security Affairs

OCTOBER 13, 2020

Another issue with input is the cross-site scripting (XSS). To put in simple terms, it refers to the process of providing a web application with JavaScript tags on input. If such processes lack proper authentication steps, they could work as gateways for bigger problems. The purpose of the questionable input might differ.

IoT

IoT Cybersecurity Manufacturing Passwords

How to Prevent Web Attacks Using Input Sanitization

eSecurity Planet

APRIL 13, 2022

While advanced threat actors have more sophisticated approaches such as adversarial machine learning, advanced obfuscation , or even zero-day exploits , classic approaches such as SQL injection , XSS , RFI (remote file inclusion) , or directory traversal are still the most common attacks. Directory traversal. filename=image12.png”>

Cybersecurity

Cybersecurity Security Security awareness Encryption

A Pandora's Box: Unpacking 5 Risks in Generative AI

Thales Cloud Protection & Licensing

APRIL 17, 2024

Security researchers from Imperva described in a blog called XSS Marks the Spot: Digging Up Vulnerabilities in ChatGPT how they discovered multiple security vulnerabilities in OpenAI’s ChatGPT that, if exploited, would enable bad actors to hijack a user’s account.

Risk

Risk Artificial Intelligence Privacy Data collection

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

Troy Hunt

NOVEMBER 14, 2017

The first one that starts to push people into territory that's usually unfamiliar to builders is the module on XSS. In that module, we cover reflected XSS which relies on the premise of untrusted data in the request being reflected back in the response. The first thing that everybody tries is something similar to this: [link].

Analytics

Analytics Libraries IT Risk

The Mayhem for API Difference - A ZAP - Mayhem for API Scan Comparison

ForAllSecure

SEPTEMBER 7, 2022

It is tuned to APIs, so it doesn’t bother looking for things like XSS. Mayhem for API makes it easy to configure exclude/include lists for endpoints and groups of endpoints (that use OpenAPI tags). ZAP API scan is a script packaged with ZAP Docker images tuned for performing active scans against APIs. Conclusion.

Passwords

Passwords Authentication IT Security

The Mayhem for API Difference - A ZAP - API Scan Comparison

ForAllSecure

SEPTEMBER 7, 2022

It is tuned to APIs, so it doesn’t bother looking for things like XSS. Mayhem for API makes it easy to configure exclude/include lists for endpoints and groups of endpoints (that use OpenAPI tags). ZAP API scan is a script packaged with ZAP Docker images tuned for performing active scans against APIs. Conclusion.

Passwords

Passwords Authentication IT Security

Security Affairs newsletter Round 413 by Pierluigi Paganini – International edition

Security Affairs

APRIL 2, 2023

LockBit leaks data stolen from the South Korean National Tax Service Italy’s Data Protection Authority temporarily blocks ChatGPT over privacy concerns CISA adds bugs exploited by commercial surveillance spyware to Known Exploited Vulnerabilities catalog Hackers are actively exploiting a flaw in the Elementor Pro WordPress plugin Cyber Police of Ukraine (..)

Security

Security Artificial Intelligence Data breaches Ransomware

The Hacker Mind Podcast: Bug Bounty Hunters

ForAllSecure

NOVEMBER 13, 2020

So I would say primarily two and a half years, and I still don't do exercises that well, because I never look for XSSes. There's so many new attack surfaces that are beyond copy and pasting XSS payloads everywhere. Anyone want to tag along? Vamosi: So Stok quietly began amazing bug bounties wins.

Communications

Communications IT Security Mining

The Hacker Mind Podcast: Bug Bounty Hunters

ForAllSecure

NOVEMBER 12, 2020

So I would say primarily two and a half years, and I still don't do exercises that well, because I never look for XSSes. There's so many new attack surfaces that are beyond copy and pasting XSS payloads everywhere. Anyone want to tag along? Vamosi: So Stok quietly began amazing bug bounties wins.

Communications

Communications IT Security Mining

The Hacker Mind Podcast: Bug Bounty Hunters

ForAllSecure

NOVEMBER 12, 2020

So I would say primarily two and a half years, and I still don't do exercises that well, because I never look for XSSes. There's so many new attack surfaces that are beyond copy and pasting XSS payloads everywhere. Anyone want to tag along? Vamosi: So Stok quietly began amazing bug bounties wins.

Communications

Communications IT Security Mining

Report URI Just Won the Best Emerging Technology Award!

Troy Hunt

JUNE 8, 2018

Today, we're supporting hundreds of millions of reports every single day - many billions a month - and increasingly seeing some pretty big names send their CSP, HPKP, XSS, Expect-CT and Expect-Staple reports to us. Back in November, I joined him at the company and since then we've pushed out a heap of really neat features.

Marketing

Marketing Security IT

Best DevOps, Website, and Application Vulnerability Scanning Tools

eSecurity Planet

MARCH 9, 2023

Best Application Vulnerability Scanning Tool Criteria There are many website and application vulnerability scanning tools and most will detect common critical vulnerabilities listed in the OWASP top 10 such as SQL Injections (SQLi) or Cross-site Scripting (XSS).

Compliance

Compliance Cloud Security Authentication

Is India's Aadhaar System Really "Hack-Proof"? Assessing a Publicly Observable Security Posture

Troy Hunt

JANUARY 10, 2018

These are enormously useful for everything from blocking unauthorised external assets from being loaded into the page to prohibiting script tags from being injected to even fixing up content being insecurely embedded such as we saw with that commented out YouTube video.

Security

Security Government Encryption Risk

Russia-linked APT TAG-70 targets European government and military mail servers exploiting Roundcube XSS

Zimbra zero-day exploited to steal government emails by four groups

Webinars

Trending Sources

Security Affairs newsletter Round 460 by Pierluigi Paganini – INTERNATIONAL EDITION

Webinars

Winter Vivern APT exploited zero-day in Roundcube webmail software in recent attacks

Zimbra fixed actively exploited zero-day CVE-2023-38750 in ZCS

XSS flaw in WordPress WP-Members Plugin can lead to script injection

Zimbra urges customers to manually fix actively exploited zero-day reported by Google TAG

Critical Remote Code Execution issue impacts popular post-exploitation toolkit Cobalt Strike

Google TAG warns of Russia-linked APT groups targeting Ukraine

Google addressed an XSS flaw in Gmail

Millions of sites could be hacked due to flaws in popular WordPress plugins

CISA adds bugs exploited by commercial surveillance spyware to Known Exploited Vulnerabilities catalog

Magento fixed security flaws that allow complete site takeover

WordPress Plugin Facebook Widget affected by authenticated XSS

CSRF flaw in WordPress potentially allowed the hack of websites

Zero-day in popular Yuzo Related Posts WordPress Plugin exploited in the wild

GUEST ESSAY: Why online supply chains remain at risk — and what companies can do about it

100k+ WordPress sites exposed to hack due to a bug in Real-Time Find and Replace plugin

API Security 101 for Developers: How to Easily Secure Your APIs

Flaw in Evernote Web Clipper for Chrome extension allows stealing data

Microsoft January 2019 Patch Tuesday updates fix 7 critical vulnerabilities

Microsoft May 2020 Patch Tuesday fixes 111 flaws, 13 Critical

Expert released PoC for Outlook for Android flaw addressed by Microsoft

My Blog Now Has a Content Security Policy - Here's How I've Done It

Pwn2Own Tokyo 2019 -Day2: experts hacked Samsung Galaxy S10 and Xiaomi Mi9 phones and TP-Link AC1750 routers

IoT Cybersecurity: 5 Major Vulnerabilities and How to Tackle Them

How to Prevent Web Attacks Using Input Sanitization

A Pandora's Box: Unpacking 5 Risks in Generative AI

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

The Mayhem for API Difference - A ZAP - Mayhem for API Scan Comparison

The Mayhem for API Difference - A ZAP - API Scan Comparison

Security Affairs newsletter Round 413 by Pierluigi Paganini – International edition

The Hacker Mind Podcast: Bug Bounty Hunters

The Hacker Mind Podcast: Bug Bounty Hunters

The Hacker Mind Podcast: Bug Bounty Hunters

Report URI Just Won the Best Emerging Technology Award!

Best DevOps, Website, and Application Vulnerability Scanning Tools

Is India's Aadhaar System Really "Hack-Proof"? Assessing a Publicly Observable Security Posture

Stay Connected