Two security vulnerabilities — one a privilege-escalation problem and the other a stored XSS bug — afflict a WordPress plugin with 40,000 installs.
The high-severity cross-site scripting flaws could allow remote-code injection on QNAP NAS systems.
The most-rewarded flaw is XSS, which is among those that are relatively cheap for organizations to identify.
A sophisticated “browser locker” campaign is spreading via Facebook, ultimately pushing a tech-support scam. The effort is more advanced than most, because it involves exploiting a cross-site scripting (XSS) vulnerability on a popular news site, researchers said. Browser lockers are a type of redirection attack where web surfers will click on a site, only to
Team Showcase, a sister plugin, is also vulnerable to the XSS and PHP object-injection bugs — together they have 66,000 installs.
Five critical cross-site scripting flaws were fixed by Adobe in Experience Manager as part of its regularly scheduled patches.
A researcher discovered a cross-site scripting flaw in Google Maps' export function, which earned him $10,000 in bug bounty rewards.
An attacker can execute remote code with no user interaction, thanks to CVE-2020-3495.
The cross-site scripting flaw could enable arbitrary code execution, information disclosure – and even account takeover.
An XSS bug and a PHP object-injection vulnerability are present in a plugin used by hundreds of thousands of websites.