Articles about xss

Aruba AirWave admin? Get the latest patch

Aruba AirWave systems need patching against multiple bugs in their control interface. Posted to Full Disclosure by SEC Consult, there are two problems with the kit: an XML External Entity Injection attack; and a reflected cross-site scripting (XSS) attack. Both can be exploited remotely. In CVE-2016-8526, the XML parser used …

'I found a bug that let anyone read anyone's Yahoo! Mail and all I got was this $10k check'

A security researcher says he bagged $10k after discovering and reporting a serious flaw in Yahoo! Mail that could have been exploited by crooks to read victims' messages. Jouko Pynnönen says he reported the vulnerability in Yahoo! Mail via bug-bounty organizers HackerOne. "The impact of the bug is similar to the one I …
John Leyden, 9 Dec 2016

Bletchley Park Trust vows to shore up insecure website

The Bletchley Park Trust has promised that a website revamp due in January will address security concerns highlighted by a security expert on Sunday. Paul Moore slammed the site, which was home of the WWII Enigma codebreakers, for all manner of security shortcomings including emailing password resets and vulnerabilities to the …
John Leyden, 29 Nov 2016

Google tries to cross out XSS attacks by releasing its own test tool

Google has spent more than US$1.2 million (£920,400, A$1.6 million) in the last two years paying researchers for reporting cross-site scripting (XSS) attacks and has kicked off an effort to help crush the threat. XSS attacks are one of the most pervasive and enduring web application security threats because they allow …
Darren Pauli, 27 Sep 2016

GoDaddy plugs account hijack XSS vulnerability

Domain registrar GoDaddy has patched a blind XSS vulnerability in its customer support that could have allowed access to GoDaddy accounts. Uber security man Matthew Bryant (@IAmMandatory) reported in a personal capacity the bug he says was located in an internal support panel. A payload he uploaded and then forgot about had …
Darren Pauli, 10 May 2016

Zen Cart admins: Don't skip version 1.5.5

If you missed the March 17-issued patch for shopping cart application Zen Cart, get busy, because among other things it fixed serious cross-site scripting (XSS) vulnerabilities. Trustwave, which turned up the bug last September, made it public last Friday. Zen Cart reckons the vulnerability was closed before it was exploited …

VMware vRealizes that vRealize has XSS bugs on Linux

A tricky Tuesday for VMware's vRealize products, which have received the first maintenance release for version 7 and also become the subject of a security alert. Let's do the alert first, as it explains that several vRealize products have a pair of cross-site-scripting bugs that could compromise a user's workstation. The mess …
Simon Sharwood, 16 Mar 2016

Yahoo! Mail! Had! Nasty! XSS! Bug!

A stored XSS vuln in Yahoo! Mail has netted Finnish researcher Jouko Pynnönen of Klikki Oy a US$10,000 bug bounty. Pynnönen turned up the bug with a bit of old-fashioned brute force: he fed the system an HTML e-mail containing “all known HTML tags and attributes” to see what survived the Purple Palace's filters. What's …

Unconfirmed PayPal 0day auth flaw lingers after XSS gets fixed

Two vulnerabilities in popular payments platform PayPal emerged this week. A cross-site scripting flaw affecting the web payment service was fixed last month, but another flaw is yet to be resolved. The unresolved vulnerability creates a means to bypass the security approval procedure and two-factor authentication applied by …
John Leyden, 4 Sep 2015

Salesforce plugs silly website XSS hole, hopes nobody spotted it

A cross-site scripting (XSS) vulnerability on Salesforce's website might have been abused to pimp phishing attacks or hijack user accounts. Fortunately the bug has been resolved, apparently before it caused any harm. Cloud app and security firm Elastica said the issue affected a Salesforce sub-domain – admin.salesforce.com …
John Leyden, 14 Aug 2015

XSSposed launches pay-whatever bug bounty

Cross-site scripting war board XSSposed has opened a pay-whatever bug bounty to help its hackers earn cash and tee-shirts. Launched overnight, the program lets anyone register their interest in hearing about vulnerabilities for any web property. They then have the opportunity to pay researchers for the finding. Admins who …
Darren Pauli, 7 Jul 2015

US National Vulnerability Database contained ... yup, an XSS vuln

The US National Vulnerability Database was itself left vulnerable to cross-site scripting last week. The NVD serves as a definitive source of information on CVE security flaws. The XSS vulnerability meant that a skilled hacker could present surfers with content from arbitrary third-party sites as if it came from the NVD itself …
John Leyden, 18 Jun 2015

eBay year-long patch stall a little XSSive, researcher says

Clarified Security researcher Jaanus Kääp has disclosed a year-old cross-site scripting (XSS) bug in eBay's messaging service that lets attackers target victims through messages. The researcher says he reported the XSS three times over more than a year and says he is surprised to find that the bug he describes as dangerous has as …
Darren Pauli, 30 Apr 2015

Comments considered harmful: WordPress web hijack bug revealed

A frustrated Finnish security researcher has gone public with a vulnerability in WordPress that lets attackers hijack website admin accounts. The flaw was found by Jouko Pynnönen, and is a cross-site scripting (XSS) bug similar to one patched last week. It is buried within the widely used web publishing software's comments …
Iain Thomson, 27 Apr 2015

Silent but violent: Foul Google Play flaw lets hackers emit smelly apps

A couple of related vulnerabilities on the Google Play Store have left Android users vulnerable to malware-slingers. Security watchers warn that an X-Frame-Options flaw – when combined with a recent Android WebView (Jelly Bean) bug – creates a means for hackers to silently install any app from the Google Play store. Tod …
John Leyden, 11 Feb 2015

Taxi app Uber plugs 'privacy-threatening' web security flaw

Updated A potentially nasty XSS vulnerability discovered on the website of controversial ride-sharing service Uber has been fixed, according to the security researcher who reported the bug. The cross-site scripting vulnerability put visitors at risk of being compromised via theft of cookies, personal details, authentication …
John Leyden, 10 Dec 2014

Researcher details nasty XSS flaw in popular web editor

A tool that's popular with Microsoft's in-house developers, the RadEditor HTML editor, contains a dangerous cross-site scripting (XSS) vulnerability, researcher GS McNamara says. The editor was developed by Telerik and used in trusted in-house code in many big enterprises and across Redmond products including MSDN, CodePlex, …
Darren Pauli, 1 Oct 2014

Who.is does the Harlem Shake

Websites across the internet are doing the Harlem Shake after online comedians began exploiting cross-site scripting (XSS) flaws that make pages dance and speakers blare. The flaws exist in the DNS TXT record – not the protocol – due to a lack of input sanitisation, and allowed internet scamps to turn boring websites like Who.is into …
Darren Pauli, 22 Sep 2014

Biting the hand that feeds IT © 1998–2017