HackDig : Dig high-quality web security articles for hackers

Selea Targa IP OCR-ANPR Camera Remote Stored XSS

Title: Selea Targa IP OCR-ANPR Camera Remote Stored XSS Advisory ID: ZSL-2021-5614 Type: Local/Remote Impact: Cross-Site Scripting Risk: (4/5) Release Date: 21.01.2021 Summary: IP camera with optical character recognition (OCR) software for automatic number plate recognition
Publish At:2021-01-21 18:43 | Read:191 | Comments:0 | Tags: Xss

Undisclosed Apache Velocity XSS vulnerability impacts GOV sites

An undisclosed Cross-Site Scripting (XSS) vulnerability in Apache Velocity Tools can be exploited by unauthenticated attackers to target government sites, including NASA. Although 90 days have elapsed since the vulnerability was reported and patched, BleepingComputer is not aware of a formal disclosure made by the project. Apache Velocity i
Publish At:2021-01-15 08:13 | Read:207 | Comments:0 | Tags: Security Software Xss Vulnerability

Stored XSS In Hyland's Enterprise Search

The admin console's event viewer displays logged event data inside <pre></pre> tags. An attack string such as "</pre><script>alert('hi')</script>" submitted anywhere in Enterprise Search that will cause a logged error, for example in place of a number, as the username on the login page, or through the new Federated Au
Publish At:2021-01-03 19:03 | Read:264 | Comments:0 | Tags: Xss
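The Hyland entry above describes the classic log-viewer breakout: a `<pre>` block is still an HTML text context, so a logged value containing `</pre>` closes it and anything after it is parsed as markup. The following is an added example, not code from the advisory or from Hyland; the render functions, the log entries and the `escapeHtml` helper are constructed for illustration, and only the payload string is taken from the advisory text.

```javascript
// Added example (not from the Hyland advisory or its product): how an event
// viewer that wraps log data in <pre> is broken out of, and the hardened form.
// The payload string is the one quoted in the advisory; everything else here
// (the render functions, the sample log entries) is constructed.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: raw log fields interpolated into the page. <pre> only
// changes whitespace handling; "</pre>" in the data ends the element and the
// <script> that follows runs in the admin's browser when the log is viewed.
function renderEventsUnsafe(events) {
  return events
    .map(e => `<pre>${e.time} ${e.level} ${e.message}</pre>`)
    .join("\n");
}

// Hardened pattern: every field that can carry attacker input is escaped at
// the point it is written into HTML, regardless of where it was logged.
function renderEventsSafe(events) {
  return events
    .map(e => `<pre>${escapeHtml(e.time)} ${escapeHtml(e.level)} ${escapeHtml(e.message)}</pre>`)
    .join("\n");
}

// Detection helper a reviewer can run over the rendered page: a live <script>
// start tag in the output means the escaping layer was bypassed.
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a failed login where the attacker supplied the
// advisory's payload as the username, so it lands in the error log verbatim.
const PAYLOAD = "</pre><script>alert('hi')</script>";
const sampleEvents = [
  { time: "2021-01-03T19:03:00Z", level: "INFO",  message: "search index rebuilt" },
  { time: "2021-01-03T19:04:12Z", level: "ERROR", message: `login failed for user '${PAYLOAD}'` },
];

// Returns both renderings so the difference can be inspected side by side.
function demo() {
  return {
    unsafe: renderEventsUnsafe(sampleEvents),
    safe: renderEventsSafe(sampleEvents),
  };
}
```

The point the advisory makes, and the example reproduces, is that the injection point and the rendering point are different features: the payload enters through whatever produces a logged error, and fires later in the admin console. Escaping therefore has to happen where the log line is written into HTML, not where the value was first accepted; a Content-Security-Policy without `'unsafe-inline'` on the admin console is the sensible second layer.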

Rocket.Chat quietly patches XSS vulnerability

Rocket.Chat has quietly fixed a stored XSS vulnerability in the following commits: https://github.com/RocketChat/Rocket.Chat/commit/96d3155245ec65f681664b48b6dafc94c1ea021c and https://github.com/RocketChat/Rocket.Chat/commit/43fe12d775b2329e780a1369a1b2c25070cdcab9 Exploitation of this vulnerability is very straightforward by manipulating a message attachment to con
Publish At:2020-12-18 16:57 | Read:338 | Comments:0 | Tags: Xss Vulnerability

Reflected XSS in WordPress - DirectoriesPro 1.3.45 plugin disclosure

Title: Reflected XSS Product: WordPress DirectoriesPro Plugin by SabaiApps Vendor Homepage: https://directoriespro.com/ Vulnerable Version: 1.3.45 Fixed Version: 1.3.46 CVE Number: CVE-2020-29303 Author: Jack Misiura from The Missing Link Website: https://www.themissinglink.com.au Timeline: 2020-11-26 Disclosed to Vendor 2020-11-27 Vendor releases patched ve
Publish At:2020-12-11 17:15 | Read:183 | Comments:0 | Tags: Xss wordpress

Self-reflected XSS in WordPress DirectoriesPro 1.3.45 plugin disclosure

Title: Self-reflected XSS Product: WordPress DirectoriesPro Plugin by SabaiApps Vendor Homepage: https://directoriespro.com/ Vulnerable Version: 1.3.45 Fixed Version: 1.3.46 CVE Number: CVE-2020-29304 Author: Jack Misiura from The Missing Link Website: https://www.themissinglink.com.au Timeline: 2020-11-26 Disclosed to Vendor 2020-11-27 Vendor releases patch
Publish At:2020-12-11 17:15 | Read:140 | Comments:0 | Tags: Xss wordpress

Stored cross-site scripting (XSS) in OpenAsset Digital Asset Management 11.2.1/12.0.19 disclosure

Title: Stored cross-site scripting (XSS) Product: OpenAsset Digital Asset Management by OpenAsset Vendor Homepage: https://www.openasset.com/ Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise) Fixed Version: 12.0.23 (Cloud) 11.4.10 (On-premise) CVE Number: CVE-2020-28857 Author: Jack Misiura from The Missing Link Website: https://www.themissinglink.com
Publish At:2020-12-11 17:15 | Read:117 | Comments:0 | Tags: Xss

Reflected cross-site scripting (XSS) in OpenAsset Digital Asset Management 11.2.1/12.0.19 disclosure

Title: Reflected cross-site scripting (XSS) Product: OpenAsset Digital Asset Management by OpenAsset Vendor Homepage: https://www.openasset.com/ Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise) Fixed Version: 12.0.22 (Cloud) 11.4.10 (On-premise) CVE Number: CVE-2020-28859 Author: Jack Misiura from The Missing Link Website: https://www.themissinglink.
Publish At:2020-12-11 17:15 | Read:160 | Comments:0 | Tags: Xss

Stored XSS in Online bus booking system

Dear Team, Please find attached POC and detailed information about the stored XSS. # Exploit Title: online bus booking system project using PHP MySQL - Stored cross-site scripting # Exploit Author: Krishna Yadav # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14438/online-bus-booking-system-project-using-phpmysq
Publish At:2020-12-11 17:15 | Read:166 | Comments:0 | Tags: Xss

Expert discloses zero-click, wormable flaw in Microsoft Teams

A security expert disclosed technical details about a wormable, cross-platform flaw in Microsoft Teams that could allow stealth attacks. Security researcher Oskars Vegeris from Evolution Gaming has published technical details on a wormable, cross-platform vulnerability in the business communication platform Microsoft Teams. The flaw is a cross-site scrip
Publish At:2020-12-08 11:12 | Read:178 | Comments:0 | Tags: Breaking News Hacking hacking news information security news

TikTok fixed security issues that could have led one-click account takeover

TikTok has addressed a couple of security issues that could have been chained to achieve account takeover. The first issue addressed by the social media platform is a reflected XSS security flaw that was reported by the bug bounty hunter Muhammed "milly" Taskiran via the bug bounty platform HackerOne. The Cross-Site-Scripting flaw affecte
Publish At:2020-11-23 12:24 | Read:278 | Comments:0 | Tags: Breaking News Hacking Cross-Site Request Forgery (CSRF). Rem

XSS Vulnerability in Froala WYSIWYG HTML Editor

Recently, I had a brief look at the Froala WYSIWYG HTML Editor (v3.2.0) as there was a post about it on the Full Disclosure mailing list. When targeting an HTML editor, I guess one of the first things that everybody does is to check for XSS vulnerabilities. So I tried the usual XSS payloads (a great resource for XSS payloads is the XSS cheat sheet by PortSwig
Publish At:2020-11-18 12:04 | Read:262 | Comments:0 | Tags: Misc Xss Vulnerability

Fancy Product Designer for WooCommerce - Stored XSS via SVG upload

About Fancy Product Designer for WooCommerce: Fancy Product Designer for WooCommerce is a WordPress plugin which allows users to design custom products in a vendor's WooCommerce store. It is sold through the third-party marketplace "Envato Market" and boasts over 15,000 sales. Stored XSS via SVG upload: Fancy Product Designer for WooCommerce
Publish At:2020-11-17 16:03 | Read:278 | Comments:0 | Tags: Xss
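The Fancy Product Designer entry above names the vector but the excerpt is cut off before the details, so here is the general mechanism as an added example, not the plugin's code or the advisory's PoC. SVG is XML that the browser treats as a full document when it is navigated to directly, so `<script>`, `on*` event handlers, `javascript:` URLs and `<foreignObject>` inside an uploaded file execute in the origin of the site serving it. The scanner, the check list and the three sample files below are constructed for this illustration; it is a rejection filter for an upload handler, not a sanitizer.

```javascript
// Added example (not from the plugin or the advisory): a conservative
// server-side check that rejects SVG uploads carrying active content.
// Everything here, including the sample files, is constructed for illustration.

// Patterns that turn a "picture" into a script-bearing document. The list is
// deliberately biased toward false positives: a rejected logo is cheap, a
// stored XSS in the product gallery is not.
const ACTIVE_CONTENT_CHECKS = [
  { name: "script element",              re: /<\s*script\b/i },
  { name: "event handler attribute",     re: /\son[a-z]+\s*=/i },
  { name: "javascript: URL",             re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: "foreignObject (embeds HTML)", re: /<\s*foreignObject\b/i },
  { name: "external reference",          re: /(?:href|src)\s*=\s*["']?\s*(?:https?:)?\/\//i },
  { name: "style element",               re: /<\s*style\b/i },
];

// XML attribute values are entity-decoded by the parser, so
// href="&#106;avascript:..." is a real javascript: URL. Decode numeric
// entities before scanning so that trick does not slip past the regexes.
function decodeNumericEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// Returns the names of the checks that fired; an empty array means nothing
// obviously active was found.
function findActiveSvgContent(svgText) {
  const decoded = decodeNumericEntities(String(svgText));
  return ACTIVE_CONTENT_CHECKS.filter(c => c.re.test(decoded)).map(c => c.name);
}

// Upload-handler decision: must look like an SVG document and carry no
// active content. Anything else is rejected rather than "cleaned".
function isAcceptableSvgUpload(svgText) {
  const decoded = decodeNumericEntities(String(svgText));
  return /<\s*svg\b/i.test(decoded) && findActiveSvgContent(svgText).length === 0;
}

// Constructed samples: a plain icon, an overtly malicious file, and one that
// hides a javascript: URL behind a numeric character reference.
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">' +
  '<rect width="10" height="10" fill="#0a0"/></svg>';

const MALICIOUS_SVG =
  '<?xml version="1.0"?>' +
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">' +
  '<script>alert(1)</script></svg>';

const ENTITY_ENCODED_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">' +
  '<a xlink:href="&#106;avascript:alert(1)"><text x="5" y="5">click</text></a></svg>';
```

Two caveats a reviewer would raise. First, a regex scan cannot be the only control: the robust choices are to rasterize uploads to PNG, or to run them through an allowlist-based sanitizer that understands SVG, and in either case to serve user files from a separate origin with `X-Content-Type-Options: nosniff`, a restrictive `Content-Security-Policy` and `Content-Disposition: attachment`, since scripts in an SVG do not run when it is loaded through `<img>` but do run when the file URL is opened directly. Second, the decode step only handles numeric character references; a file that declares its own entities in a DTD needs a real XML parser with external entities disabled, which is a separate hardening concern.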

Companies paid $4.2M bug bounties for XSS flaws in 2020

Cross-Site Scripting (XSS) is the most common vulnerability type and received the highest amount of rewards on the HackerOne vulnerability reporting platform. XSS vulnerabilities accounted
Publish At:2020-10-31 18:23 | Read:535 | Comments:0 | Tags: Breaking News Hacking Reports Bug Bounty HackerOne platform

Bug Bounty Hunters Earned Over $4M for XSS Flaws Reported via HackerOne in 2020

This year, Cross-Site Scripting (XSS) continued to be the most common vulnerability type and received the highest amount of rewards on HackerOne, the hacker-powered vulnerability reporting platform says. In a report published this week, HackerOne reveals that XSS flaws accounted for 18% of all reported issues, and that the bounties companies paid for these bu
Publish At:2020-10-30 05:58 | Read:274 | Comments:0 | Tags: NEWS & INDUSTRY Vulnerabilities Xss hack
