
OctoberCMS Web Application Open Source Dependency Vulnerability

OctoberCMS is a CMS similar to WordPress, but with much less “fluff”. Our team identified that the latest version of OctoberCMS relies on Bootstrap 3.3.7, jQuery 1.11.1, and jQuery 3.3.1. All of these dependencies are vulnerable. /october/themes/demo/assets/vendor/bootstrap.js ↳ bootstrap 3.3.7 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of …

Hacker101 jQuery Dependency Vulnerability

“Hacker101 is a free class for web security. Whether you’re a programmer with an interest in bug bounties or a seasoned security professional, Hacker101 has something to teach you.” https://github.com/tidave85/hacker101 suffers from the following open source dependency vulnerabilities. /hacker101/assets/javascript/bootstrap/bootstrap.bundle.min.js ↳ bootstrap 4.1.0 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and …

Kotlin v1.3.60 Programming Language Vulnerability

https://github.com/Saamyy/kotlin suffers from the following open source dependency vulnerabilities, as it relies on an outdated version of jQuery. /kotlin/libraries/examples/browser-example/src/js/jquery.js ↳ jquery 1.6.2 has known vulnerabilities: severity: medium; CVE: CVE-2011-4969, summary: XSS with location.hash; https://nvd.nist.gov/vuln/detail/CVE-2011-4969 http://research.insecurelabs.org/jquery/test/ https://bugs.jquery.com/ticket/9521 severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party …

Self Replicating, Polymorphic Website Malware

The hardest challenges are the ones that constantly change. Malicious website software has recently seen an influx of self-replicating, polymorphic code that infects a website (and thus the web server) with remote code execution access, which is then used to launch additional attacks and compromise the data on the breached website and server. In a recent incident, we cleaned a …

3 Ways to Prepare for WordPress Website Malware in 2020

Maybe your client’s site got hacked, it’s time for a security checkup, or you’re tired of telemarketers terrorizing your phone lines with the vulnerabilities sales pitch. Despite the hype, the threat is real. WordPress makes up 90% of hacked CMS sites, reports ZDNet, the CBS-owned technology news site. It’s doubly dangerous when your client’s business …

Password Leak – Version 76.0.3809.132 (Official Build) (64-bit)

When Google Chrome finds a password form field rendered as plain text, it will reveal all saved passwords for that primary domain. For example, take a look at the following code and screenshot: <input class="form-control secure_password required password fs-hide" data-install-name="secureli" id="ftp_user_pass_new" required="required" aria-required="true" autocomplete="new-password" type="text" name="ftp_user[pass]"> By checking the “Show Password” button, as shown below… …the auto-complete …

PhpSpreadsheet version 1.9.0

/samples/bootstrap/js/bootstrap.min.js ↳ bootstrap 3.3.7 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of tooltip/popover, CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: …