
All news with #cross site scripting tag

32 articles

Kieback & Peter DDC Controllers Vulnerable to XSS Alert

⚠️ A cross-site scripting vulnerability (CWE-79, CVSS v3 5.3) affects multiple Kieback & Peter DDC Building Controllers and can enable execution of arbitrary JavaScript in a victim's browser, potentially allowing attacker control of web sessions. Affected models include end-of-maintenance units (DDC4002, DDC4100, DDC4200, DDC4200-L, DDC4400) and e-series controllers (DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, DDC4040e). The vendor advises isolating legacy devices, restricting and disabling web access where possible, and updating e-series firmware to the specified versions (e.g., DDC520 -> 1.24.2; DDC4002e/DDC4200e/DDC4400e/DDC4020e/DDC4040e -> 1.23.5) while implementing defense-in-depth controls.

Emergency Zero-Day in Exchange Server Forces Mitigations

⚠️ Microsoft has warned of a zero-day cross-site scripting vulnerability in Exchange Outlook Web Access (OWA) that can be triggered by a specially crafted email. The flaw (CVE-2026-42897) is being actively exploited and affects Exchange Server 2016, 2019, and Server Subscription Edition, while Exchange Online is unaffected. Microsoft has published an automatic mitigation via the Exchange EM Service; administrators should enable EM Service or run the Exchange on-premises Mitigation Tool (EOMT) if servers are air-gapped. The interim mitigations can disrupt OWA features such as calendar printing and inline image display, and a formal security update will be released later.

Microsoft warns of Exchange Server zero-day XSS flaw

⚠️ Microsoft has disclosed a high-severity zero-day, CVE-2026-42897, in on-premises Exchange Server that could allow an attacker to execute arbitrary code by sending a specially crafted email to an Outlook user. The flaw is an XSS vulnerability affecting all supported versions of Exchange 2016, 2019 and Subscription Edition, but not Exchange Online. Microsoft recommends enabling the Exchange Emergency Mitigation (EM) Service, which is applied by default, and provides an alternative manual mitigation via the Exchange On-premises Mitigation Tool for air-gapped environments while patches are developed.

Microsoft: Exchange Server XSS flaw actively exploited

⚠️ Microsoft disclosed a new actively exploited vulnerability, CVE-2026-42897 (CVSS 8.1), a spoofing bug caused by cross-site scripting in on-premises Exchange Server. An attacker can execute arbitrary JavaScript by sending a crafted email that is opened in Outlook Web Access. Microsoft offers a temporary mitigation via the Exchange Emergency Mitigation Service (enabled by default) and provides an EOMT PowerShell script for environments that cannot use the service; Exchange Online is not affected.

Siemens SIMATIC S7 Web Server Cross-Site Scripting Risks

⚠ Siemens SIMATIC S7 PLC web servers contain multiple cross-site scripting (XSS) vulnerabilities in their web interfaces that could allow an authenticated user with rights to download TIA projects to inject malicious scripts. Affected pages include the Communication parameters, Motion Control Diagnostics, and Firmware Update pages, where names or filenames are not properly sanitized. Siemens has published updates for several affected firmware lines—update to V2.9.9 or V3.1.6 or later where available—and is preparing further fixes. CISA republished the advisory and recommends restricting project downloads and firmware update rights, isolating devices, and applying vendor updates or compensating controls.

Siemens Teamcenter vulnerabilities: patches and guidance

🔔 Siemens disclosed multiple vulnerabilities in Teamcenter that could affect availability, integrity, and confidentiality of affected installations. The vendor published patches across several builds and recommends administrators update to the indicated fixed versions (examples include V2312.0009, V2406.0006, V2412.0009, V2506.0005 and later). Identified issues include improper error checking (CWE-754), cross-site scripting (CWE-79), and hard‑coded credentials (CWE-798). CISA and Siemens advise minimizing network exposure, isolating control systems, applying vendor updates promptly, and following Siemens' industrial security guidance.

Instructure Reaches Agreement with ShinyHunters, Data Returned

🛡️ Instructure says it reached an agreement with ShinyHunters after a breach of its Canvas LMS that exposed usernames, emails, course names, enrollments, and messages. The actor returned the stolen data and supplied shred logs confirming destruction. Instructure attributes the intrusion to XSS flaws in the Free-for-Teacher environment, has restored Canvas, and temporarily disabled that free tier while investigating and monitoring activity.

CISA: Over 10,000 Zimbra Servers Vulnerable to XSS

⚠️ Shadowserver and CISA warn that more than 10,500 internet-exposed Zimbra Collaboration Suite instances remain vulnerable to an actively exploited cross-site scripting bug tracked as CVE-2025-48700. Synacor issued patches in June 2025, but the flaw can be triggered without user interaction when a maliciously crafted email is viewed in the Classic UI. CISA added the issue to its Known Exploited Vulnerabilities catalog and ordered federal agencies to secure affected servers by April 23.

Tip-line Breach and Rockstar Leak Highlight Security Risks

🔐 A tip‑line operator that handled anonymous reports for 35,000 U.S. schools suffered a major breach after an attacker exploited an XSS flaw in a LeverTip chat box and stole a staff session cookie via social engineering. The intruder exfiltrated 91 GB (≈8.3M tip records), some dating back decades, and offered the dataset for sale. Separately, Rockstar Games experienced a third‑party compromise that exposed partial data, including internal financial figures. Both incidents underscore failures in basic web hygiene, third‑party controls, and incident transparency.

Schneider Electric Modicon Controllers XSS Advisory

🔒 CISA warns of a cross-site scripting and open redirect vulnerability (CVE-2025-13902) affecting Schneider Electric Modicon controllers M241, M251, M258, and LMC058. Successful exploitation may enable account takeover or arbitrary JavaScript execution in a user's browser. Schneider provides firmware 5.4.13.12 for M241 and M251 via EcoStruxure Machine Expert v2.5.0.1; M258 and LMC058 currently require mitigations. No known public exploitation has been reported.

CISA Adds One Vulnerability to Known Exploited Catalog

🔔 CISA added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog — CVE-2025-66376, a cross-site scripting (XSS) issue in Synacor Zimbra Collaboration Suite (ZCS). Evidence indicates active exploitation, prompting inclusion under BOD 22-01 guidance. While the binding directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize remediation. CISA will continue to update the KEV Catalog as new exploited vulnerabilities are identified.

Apple issues WebKit fix via Background Security Improvements

🔒 Apple has issued Background Security Improvements to address CVE-2026-20643, a cross-origin flaw in WebKit's Navigation API that could be exploited to bypass the same-origin policy when processing maliciously crafted web content. Apple fixed the issue by improving input validation and shipped patches in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Researcher Thomas Espach is credited with the report. Users should keep Automatically Install enabled in Settings > Privacy and Security to receive these lightweight fixes promptly.

Apple issues first Background Security Improvements fix

🔒 Apple has pushed its first Background Security Improvements release to patch a WebKit vulnerability tracked as CVE-2026-20643 on iPhone, iPad, and Mac without requiring a full OS upgrade. The flaw is a cross-origin issue in the Navigation API that could allow malicious web content to bypass the browser's Same Origin Policy, and Apple says it fixed the bug with improved input validation. Credited to researcher Thomas Espach, the update is available on iOS 26.3.1, iPadOS 26.3.1, and macOS 26.3.1/26.3.2; Apple warns that uninstalling Background Security Improvements removes all prior background patches and reverts the device to the baseline OS.

Siemens COMOS: Multiple Vulnerabilities and Fixes Advisory

🔒 Siemens reports multiple vulnerabilities in COMOS across V10.4–V10.6 that could permit arbitrary code execution, cross-site scripting, denial-of-service, credential exposure, and TLS man-in-the-middle attacks. Siemens has published updates for several affected lines (notably V10.4.5 and V10.5.2) and is preparing additional fixes; some issues remain unpatched. Apply vendor updates where available, follow Siemens' countermeasures for unpatched versions, minimize network exposure of COMOS, and contact Siemens ProductCERT for assistance and timelines.

ZOLL ePCR iOS App Vulnerability Exposes Local Data

🔒 The ZOLL ePCR iOS mobile application (version 2.6.7) contains a WebView input-sanitization flaw (CVE-2025-12699) that can reflect attacker-controlled strings into rendered HTML/JavaScript. Proof-of-concept testing shows injected scripts may read local application files, potentially exposing device telemetry and protected health information (PHI). CISA assigns a CVSS v3.1 base score of 5.5 (MEDIUM), notes the issue is not remotely exploitable, and reports no known public exploitation. ZOLL decommissioned the iOS app in May 2025 and has no replacement planned.

Researchers Exploit XSS in StealC Panel to Gather Evidence

🔍 CyberArk researchers disclosed they exploited a cross-site scripting (XSS) vulnerability in the web panel of the StealC infostealer to retrieve active session cookies and operational metadata. Researcher Ari Novick used the weakness to link a StealC customer, dubbed YouTubeTA, to the theft of roughly 390,000 passwords and over 30 million cookies from victims seeking cracked Adobe software on YouTube. Analysis of hardware fingerprints, language settings, time zones and IP addresses indicated the operator used an Apple Pro with an M3 chip, supported English and Russian, operated in an Eastern European time zone and connected via Ukrainian ISP TRK Cable TV, underscoring how weaknesses in criminal tooling can expose both victims and customers to supply-chain risk.

XSS Flaw in StealC Panel Lets Researchers Monitor Operators

🔍 Cybersecurity researchers disclosed an XSS vulnerability in the web-based control panel used by operators of the StealC information stealer. By exploiting it they collected system fingerprints, monitored active sessions, and stole session cookies from the infrastructure itself, according to CyberArk researcher Ari Novick. The panel's leaked source code and the stealer's distribution through the YouTube Ghost Network and other lures amplified the operational insights researchers gained. Full technical details were withheld to avoid enabling copycats.

Researchers Hijack StealC Panels via XSS, Expose Operators

🔒 A cross-site scripting (XSS) flaw in the web control panel for the StealC info‑stealer allowed researchers to observe active operator sessions, capture session cookies and harvest browser and hardware fingerprints. CyberArk exploited the issue to identify an operator’s location and device details after a panel user failed to route traffic through a VPN. The company withheld technical disclosure to avoid a quick fix and said the finding may disrupt StealC’s MaaS ecosystem.

Siemens RUGGEDCOM APE1808 Vulnerabilities and Mitigations

🔒 Siemens has disclosed multiple vulnerabilities affecting RUGGEDCOM APE1808 devices, tied to cross-site scripting and a path traversal flaw (CVE-2025-40891, CVE-2025-40892, CVE-2025-40893, CVE-2025-40898). The issues include stored HTML/JavaScript injection in Time Machine Snapshot Diff, Reports, and Asset List features, and an authenticated path traversal in Arc data import that can enable arbitrary file writes. Siemens is preparing fixes and advises contacting Siemens ProductCERT, segregating and protecting device networks, and following Siemens operational security guidance until patches are available.

MITRE Reveals 2025 CWE Top 25 Most Dangerous Software

🛡️ MITRE has published its annual CWE Top 25, ranking the most dangerous software weaknesses identified from 39,080 CVEs. Cross-site scripting (XSS) remains top, with SQL injection and cross-site request forgery following; several memory- and injection-related flaws shifted positions. New entries include classic, stack and heap buffer overflows, improper access control, authorization bypass via user-controlled keys, and resource allocation issues. Experts warn that weak credential protection and authorization failures are driving growing real-world risk in SaaS and API-driven environments.