Schwere Lücken in Protons Web-App gefunden und gestopft - inside-it.ch https://www.inside-it.ch/schwere-luecken-in-protons-web-app-gefunden-und-gestopft-20230908 #CrossSiteScripting #XSS

HackRead: ProtonMail Code Vulnerabilities Leaked Emails https://www.hackread.com/protonmail-code-vulnerabilities-leak-emails/ #Vulnerability #Encryption #ProtonMail #Security #security #Privacy #Proton #XSS

Hacking GTA V RP Servers Using Web Exploitation Techniques
https://www.nullpt.rs/hacking-gta-servers-using-web-exploitation
#ycombinator #gta #gaming #hack #exploit #web #security #xss #fivem

Now that #Twitter is called #X they should also bring back #XSS (Cross Site Scripting)

I often wonder what #vulnerabilities are lurking in #Mastodon's frontend. Like, some kind of #XSS or other injection you could write in a post, and it would run on anyone who viewed it. And now that we can follow hashtags, it's so much worse: just add a popular hashtag to your attack post and it'll get in front of lots of people who've never heard of you.

La version anti-système-d'exploitation du #XSS pour les connaisseuses 😉

#DailyBloggingChallenge (19/25)

Did you know that most newsletters have a #RSS or #atom option? The benefit of RSS over a #newsletter is that you are on the more private side, since lots of individuals use their private #email and lots of forms even ask for your name. This (if ever leaked) provides attackers a great data packet to put on their #spam lists and once on such a list, it is hard to get off it.

One could argue on the other side that RSS is also not safe, since one is prone towards #XSS attacks, though this can be said of anything that has internet access. So one wouldn’t be better off if using email.

Thus when choosing a client, either for email or RSS feed, it is always better to opt for one that is not in the browser and sanitizes the message(s). Browser extensions are definitely a more lucrative attack option over operating system apps.

#security #privacy

SecurityOnline: XSSer – From XSS to RCE https://securityonline.info/xsser-xss-rce/ #WebExploitation #xsser #rce #XSS

We just released a fix for a bug that could potentially cause an #XSS vulnerability in the #Critters library that #Angular uses for CSS inlining.

If you're using #SSR with Angular v16.1+, please update Angular #Universal and Critters.

For more details:
https://blog.angular.io/notice-of-xss-issue-affecting-angular-universal-16-1-0-16-1-1-95dbae068f

For instance, I sub to SMBC comics. I don't allow smbc-comics.com in NoScript, but the interactive button on the comic page worked.

Eventually I realized that NewsBlur is apparently inlining the remote content and running it as if it were local to the app.

That basically means that #NewsBlur is not just vulnerable to #XSS, but deliberately abusing it to implement one of its features. Super dangerous.

Having seen that, I can no longer consider using NewsBlur.

2/2

I guess that if the only thing I log into in my mobile browser is my feed reader, I don't have too much to fear there about #XSS or #CSRF. Nobody is going to attack it, because there's no value in it. And it can't be used to steal anything else, because there isn't anything else.

#Bitwarden, like most cloud-based password managers, has a web vault.Imagine a stored #XSS on that. All your passwords stolen.

Thankfully, you probably aren't viewing untrusted content if you're an individual user (you put the data in yourself and now you're getting it back out). But for organization users, where you can see things created by someone else on your subscription? That could be possible.

SecurityAffairs: Zimbra fixed actively exploited zero-day CVE-2023-38750 in ZCS https://securityaffairs.com/148880/security/zimbra-fixed-2023-38750-zcs.html #ZimbraCollaborationSuite #informationsecuritynews #ITInformationSecurity #PierluigiPaganini #SecurityAffairs #CVE-2023-38750 #BreakingNews #SecurityNews #hackingnews #Security #Hacking #XSS

Imagine if there was a stored #XSS vulnerability in #Gmail. A bad guy would send a Gmail user a malicious email with some JS in it, and when you open the message, the script would run. It could read your Google login cookie and send it to the bad guy. Then they would take over your Google account. Just think of the carnage.

You know, if we really want to cut down on #XSS vulnerabilities, we need to quit putting a comment section on every dang site. Because the common case is user-submitted content that's rendered for a different user to view. #infosec

Zimbra Collaboration Suite warning: Patch this 0-day right now (by hand)! - Zimbra didn't actually say, "Do not delay/Do it today," but they did say, "We kindly requ... https://nakedsecurity.sophos.com/2023/07/14/zimbra-collaboration-suite-warning-patch-this-0-day-right-now-by-hand/ #vulnerability #dataloss #zeroday #zimbra #xss

SecurityWeek: Hackers Target Reddit Alternative Lemmy via Zero-Day Vulnerability https://www.securityweek.com/hackers-target-reddit-alternative-lemmy-via-zero-day-vulnerability/ @news@lemmy.seedoubleyou.me #Vulnerabilities #Lemmy #XSS

So apparently #Lemmy collapsed and all federation is broken? A bit confused about the #XSS situation and why that would affect federation tho

Several #Lemmy instances have been #hacked due to an XSS vulnerability around custom emojis.

https://lemmy.world/post/1293336

The fix is underway and everything will be fine - technically. Now it’s interesting to find out if this has any legal consequences. Does running a social media node as a hobby project turn out to be more of a liability than anything else?

#infosec #xss

📬 Mastodon in Gefahr: Kritische Schwachstelle erlaubt Server-Übernahme
#ITSicherheit #Cure53 #Mastodon #OpenSource #RCE #RemoteCodeExecution #Sicherheitslücke #Sicherheitsupdate #XSS https://tarnkappe.info/artikel/it-sicherheit/mastodon-in-gefahr-kritische-schwachstelle-erlaubt-server-uebernahme-278307.html