All news with #xss tag

Critical Ivanti EPM Flaw Patched; Immediate Updates Urged

🔒 Ivanti released EPM 2024 SU4 SR1 to address a critical stored XSS vulnerability (CVE-2025-10573) that lets unauthenticated attackers hijack administrator sessions by submitting malicious device scan data to the incoming API. The update also fixes three high-severity flaws that can enable code execution with user interaction and an issue that permits unauthorized file writes. Ivanti said reports came through its responsible disclosure program and it was not aware of active exploitation at disclosure. Organizations with internet-facing or high-privilege EPM instances should apply the patch immediately and isolate management interfaces until updated.

Fortinet, Ivanti, and SAP Release Emergency Patches

🔐 Fortinet, Ivanti, and SAP have released urgent patches to address high-severity authentication and code-execution flaws affecting FortiOS, FortiWeb, FortiProxy, FortiSwitchManager, Ivanti Endpoint Manager, and multiple SAP products. Fortinet's issues (CVE-2025-59718, CVE-2025-59719; CVSS 9.8) can allow FortiCloud SSO bypass via crafted SAML messages when that feature is enabled. Ivanti patched a stored XSS (CVE-2025-10573; CVSS 9.6) and additional bugs that could lead to remote code execution, while SAP's update remedies three critical flaws including a 9.9 CVSS code injection. Administrators are urged to apply vendor updates or temporarily disable affected features until systems are patched.

Festo LX Appliance XSS Vulnerability (CVE-2021-23414)

⚠️ Festo SE & Co. KG's LX Appliance contains a cross-site scripting (XSS) vulnerability tied to the video.js library (CVE-2021-23414) that can allow crafted course content to execute scripts in high-privilege user sessions. The issue affects LX Appliance versions prior to June 2023 and has a CVSS v3.1 base score of 6.1. Festo coordinated disclosure with CERT@VDE and published advisory FSA-202301. Administrators should update affected appliances and apply recommended network isolation and secure remote access controls.

CISA Adds Actively Exploited XSS Bug in OpenPLC ScadaBR

⚠️ CISA has added an actively exploited cross-site scripting flaw, CVE-2021-26829, to its Known Exploited Vulnerabilities catalog after reports of operational abuse against OpenPLC ScadaBR. The XSS affects Windows 1.12.4 and Linux 0.9.1 via system_settings.shtm and was used to deface HMI pages and disable logs. Federal civilian agencies must remediate by December 19, 2025; operators should apply vendor fixes, change default credentials, enable logging and monitor for web-layer manipulation and outbound callbacks.

CISA Adds CVE-2021-26829 to Known Exploited Vulnerabilities

🔔 CISA has added CVE-2021-26829 — a cross-site scripting vulnerability in OpenPLC ScadaBR — to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Cross-site scripting is a frequent attack vector that can enable data theft, session hijacking, and unauthorized actions, posing significant risks to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV-listed flaws by the specified due date; CISA also strongly urges all organizations to prioritize timely remediation. CISA will continue to update the catalog as new threats meet its criteria.

Microsoft hardens Entra ID sign-ins against script injection

🔒 Microsoft will strengthen the Entra ID browser sign-in experience starting mid-to-late October 2026 by enforcing a stricter Content Security Policy that permits scripts only from Microsoft-trusted CDN domains and approved inline sources. The change applies to sign-ins at login.microsoftonline.com; Microsoft Entra External ID is not affected. Administrators should test sign-in flows, remove code-injecting extensions and review developer-console violations to identify and address dependencies before the rollout.

Comet AI Browser's Embedded API Permits Device Access

⚠️ Security firm SquareX disclosed a previously undocumented MCP API inside the AI browser Comet that enables embedded extensions to execute arbitrary commands and launch applications — capabilities mainstream browsers normally block. The API can be triggered covertly from pages such as perplexity.ai, creating an execution channel exploitable via compromised extensions, XSS, MITM, or phishing. SquareX highlights that the analytics and agentic extensions are hidden and cannot be uninstalled, leaving devices exposed by default.

AVEVA Application Server IDE Cross-Site Scripting Risk

⚠ AVEVA reported a basic cross-site scripting vulnerability (CVE-2025-8386) in the Application Server IDE affecting versions 2023 R2 SP1 P02 and earlier. An authenticated user with the aaConfigTools privilege can modify App Objects' help files to persist XSS that may execute in other users' sessions, potentially enabling horizontal or vertical privilege escalation. AVEVA provides a fix in System Platform 2023 R2 SP1 P03; CISA advises auditing permissions, minimizing network exposure, and using secure remote access methods.

Advantech DeviceOn/iEdge: Multiple Remote Flaws Report

⚠️ Advantech DeviceOn/iEdge versions 2.0.2 and earlier contain multiple remotely exploitable vulnerabilities, including XSS and several path-traversal flaws assigned CVE-2025-64302, CVE-2025-62630, CVE-2025-59171, and CVE-2025-58423. Successful exploitation may lead to denial-of-service, arbitrary file disclosure, or remote code execution with system-level permissions. CISA notes the products are EOL and recommends upgrading to DeviceOn, isolating devices from the internet, and using secure remote access methods to reduce risk.

Rockwell Automation 1783-NATR: Critical Remote Flaws

⚠️ Rockwell Automation's 1783-NATR network adapter contains multiple high-severity vulnerabilities, including missing authentication for critical functions, stored XSS, and CSRF. CISA assigns CVSS v4 9.9 for the most severe issue and warns these flaws can be exploited remotely with low complexity to cause denial-of-service, data modification, or credential compromise. Rockwell Automation recommends upgrading to 1.007 or later; CISA advises minimizing network exposure and isolating control networks.

Siemens SiPass integrated vulnerabilities and update

🔒 Siemens released security updates for SiPass integrated to address four vulnerabilities—an Accusoft ImageGear heap-based buffer overflow, stored cross-site scripting, an authorization bypass via user-controlled keys, and recoverable password storage. Exploitation could enable account compromise, data manipulation, impersonation, or arbitrary code execution on affected servers. Siemens recommends updating to V3.0, restricting access to trusted personnel, and avoiding untrusted image uploads; CISA advises isolating devices and using secure remote access.

CISA Adds Synacor Zimbra XSS to Known Exploited Catalog

⚠️ CISA added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-27915, a cross-site scripting (XSS) flaw in Synacor Zimbra Collaboration Suite (ZCS). CISA notes that XSS remains a common attack vector that can enable credential theft, session hijacking, and distribution of malicious content. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by prescribed due dates. CISA urges all organizations to prioritize timely remediation and reduce exposure.

Zimbra XSS Zero-Day Used to Target Brazilian Military

⚠️A stored cross-site scripting vulnerability in the Zimbra Classic Web Client (CVE-2025-27915) was exploited in targeted attacks and has since been patched. The flaw allowed embedded JavaScript in ICS calendar entries to execute via an ontoggle event, enabling attackers to create mail filters, redirect messages, and exfiltrate mailbox data. Zimbra released fixes on January 27, 2025; administrators should apply updates and audit mailbox filters and logs for indicators of compromise.

Zero-day XSS in Zimbra abused via malicious .ICS files

📅 Researchers found a zero-day XSS in Zimbra Collaboration Suite exploited through malicious .ICS (iCalendar) attachments that delivered obfuscated JavaScript. The vulnerability, tracked as CVE-2025-27915, affects ZCS 9.0, 10.0 and 10.1 and was patched by Zimbra on January 27 with releases ZCS 9.0.0 P44, 10.0.13 and 10.1.5. StrikeReady determined attacks began in early January and involved a spoofed Libyan Navy email targeting a Brazilian military organization. The injected script is capable of stealing credentials, emails, contacts and shared folders, manipulating filters to forward mail, and using the Zimbra SOAP API to exfiltrate data.

Microsoft Outlook stops displaying inline SVG images

🔒 Microsoft will no longer display inline SVG images in Outlook for Web and the new Outlook for Windows; users will instead see blank spaces where those images would have appeared. The global rollout began in early September 2025 and is expected to complete by mid‑October 2025, with Microsoft estimating the change will affect less than 0.1% of images. SVG files sent as classic attachments will continue to be viewable from the attachment well to limit user disruption.

Hitachi Energy MSM: XSS and Assertion Vulnerabilities

⚠️ Hitachi Energy reports multiple vulnerabilities in the MSM product that are exploitable remotely with low attack complexity. An XSS flaw in the EmbedThis GoAhead goform/formTest endpoint (name parameter) can allow HTML injection, while an assertion in open62541's fuzz_binary_decode can cause a crash. CVE-2023-53155 (CVSS 7.2) and CVE-2024-53429 (CVSS 7.5) are assigned. Vendors and CISA recommend disconnecting affected devices from internet-facing networks and following product-specific guidance.

Iframe Security Exposed — Payment Checkout Blind Spot

🔒Payment iframes are no longer a guaranteed sandbox: attackers have adopted pixel-perfect overlays and other injection techniques to steal card data from checkout pages. The article dissects the August 2024 Stripe skimmer campaign that compromised dozens of merchants and used a deprecated API to validate stolen cards in real time. It explains why legacy controls like X-Frame-Options and basic CSP fail when the host page is compromised and outlines a practical six-step defense combining strict CSP, real-time DOM monitoring, secure postMessage handling, and tooling changes required by PCI DSS 4.0.1.

Schneider Electric Altivar and ATVdPAC XSS Vulnerability

⚠️ Schneider Electric disclosed a cross-site scripting flaw (CWE-79) affecting numerous Altivar drives, the ATVdPAC communication module, and the ILC992 InterLink Converter. Tracked as CVE-2025-7746, the issue is remotely exploitable with low attack complexity and can allow an attacker to read or modify data via device web interfaces. Schneider has released a fix for the ATVdPAC (Version 25.0) and recommends disabling webservers when not needed, segmenting networks, blocking HTTP/port 80 access, and using VPNs until further patches are provided.

Why XSS Still Matters: MSRC on a 25-Year Threat Landscape

🛡️ MSRC reports that Cross-Site Scripting (XSS) remains a persistent threat across legacy portals and modern single-page applications, with hundreds of cases triaged in the past year. Between July 2024 and July 2025, MSRC mitigated over 970 XSS cases and awarded more than $900,000 in bounties, spanning low-impact self-XSS to zero-click critical exploits. The post describes MSRC’s severity matrix that combines data classification and exploit conditions, outlines servicing scope and exclusion criteria, and publishes a practical submission checklist. Developers and researchers are encouraged to adopt context-aware encoding, Content Security Policy (CSP), and secure-by-default frameworks to reduce exposure.

Understanding Cookie Types and How to Protect Them

🔒 This article explains how web cookies work, their classifications, and why session IDs are particularly valuable to attackers. It outlines common attack methods — including session sniffing over HTTP, cross‑site scripting (XSS), cross‑site request forgery (CSRF), and predictable session IDs — and describes specialized tracking like supercookies and evercookies. Practical advice for users and developers covers HTTPS, browser updates, cookie management, two‑factor authentication, cautious use of public Wi‑Fi, and preferring essential cookies only.