Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Thursday, 28 September, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

XSS vulnerability affects government websites

The Apache Velocity Tools flaw allows unauthenticated attackers to target sites

by Beth Smith
January 15, 2021
in Cyber Bites, Cyber Crime
Share on FacebookShare on Twitter

An undisclosed Cross-Site Scripting (XSS) vulnerability in Apache Velocity Tools can be exploited by unauthenticated attackers to target government sites, including NASA, BleepingComputer reported today.

Although 90 days have elapsed since the vulnerability was reported and patched, BleepingComputer is not aware of a formal disclosure made by the project.Security researcher Jackson Henry of the Sakura Samurai ethical hacking group had first discovered and reported the vulnerability to Apache in early October, 2020.

Although the project had acknowledged Henry’s report and issued a publicly visible fix on GitHub on November 5th, 2020, a proper public disclosure never took place which left Sakura Samurai researchers concerned.

Commenting on the news, Craig Young, principal security researcher at Tripwire, explained:

The vulnerability in question is a case of reflected cross-site scripting. With this type of weakness, the attacker prepares a malicious link and must convince victims to load this malicious address link in their browsers.

The impact of a reflected cross-site scripting generally varies based on whether the victim of an attack was authenticated to the affected site. If a logged-on user loads an attack URL, the attacker will be able to perform actions on the affected site using the victim’s account.

Besides using cross-site scripting for privilege escalation, an attacker might use this vulnerability to spoof content on vulnerable sites. For example, someone looking to spread conspiracy theories online could prepare links which make it look like official government web sites are confirming wild conspiracy theories. It’s also possible to imagine other, more targeted, attacks leveraging this style of spoofing attack.

FacebookTweetLinkedIn
ShareTweet
Previous Post

COVID-19 State of Remote Work Survey: 34% of Workers Felt Pressure to Return to the Office

Next Post

400,000 customer details compromised in Resident Evil and Street Fighter gaming company ransomware attack

Recent News

software security

Research reveals 80% of applications developed in EMEA contain security flaws

September 27, 2023
Cyber insurance

Half of organisations with cyber insurance implemented additional security measures to qualify for the policy or reduce its cost

September 27, 2023
Fraud and online banking

Akamai Research Finds the Number of Cyberattacks on European Financial Services More Than Doubled in 2023

September 27, 2023
ICS Reconnaissance Attacks – Introduction to Exploiting Modbus

ICS Reconnaissance Attacks – Introduction to Exploiting Modbus

September 27, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information