Security news aggregator

Latest coverage for XSS

XSS lets attackers run scripts in a victim's browser, enabling data theft or account abuse; contextual output encoding and CSP reduce risk.

6 headlines in this view

Refine the feed

Search across headline titles and summaries.

Tag briefing

Background for this topic.

Cross-site scripting (XSS) is a web-application flaw in which attacker-controlled input is interpreted as script in another user’s browser. It can be stored in application data, reflected in an immediate response, or introduced by unsafe client-side code (DOM-based XSS). The script runs in the affected site’s origin, so it may read page content, alter requests, or perform actions available to the victim; impact depends on the victim’s privileges and the application’s defenses.

The primary mitigation is context-aware output encoding: treat untrusted data as text when inserting it into HTML, attributes, URLs, JavaScript, or CSS, and use safe DOM APIs such as textContent rather than unsafe HTML insertion. If user-authored HTML is required, apply a well-tested HTML sanitizer. A restrictive Content Security Policy can limit exploitability but is defense in depth, not a substitute for correct encoding. HttpOnly cookies can reduce direct cookie theft, but do not prevent XSS from performing in-session actions.

Volume over time

Weekly headline count for the current query.

Showing 6 most recent headlines Filtered view
Bank Info Security 11 months, 3 weeks ago

Breach Roundup: Suspected XSS Cybercrime Forum Admin Arrested

Also: Clorox Sues IT Vendor Over Password BlunderThis week, XSS forum admin arrested, Clorox sued Cognizant, Lumma Stealer is back, NY regulates water, U.S. maritime cybersecurity rules in effect, new Coyote banking Trojan, a hacker nabbed details of Mexico City auxiliary police, Latin America cyberattacks, and World Leaks stole synthetic data.

Bank Info Security 11 months, 3 weeks ago

Breach Roundup: Suspected XSS Cybercrime Forum Admin Arrested

Also: Clorox Sues IT Vendor Over Password BlunderThis week, XSS forum admin arrested, Clorox sued Cognizant, Lumma Stealer is back, NY regulates water, U.S. maritime cybersecurity rules in effect, new Coyote banking Trojan, a hacker nabbed details of Mexico City auxiliary police, Latin America cyberattacks, and World Leaks stole synthetic data.

Bank Info Security 1 year, 8 months ago

Researchers Debut AI Tool That Helps Detect Zero-Days

Vulnerability Tool Detected Flaws in OpenAI and Nvidia APIs Used in GitHub ProjectsSecurity researchers have developed an AI tool that can detect remote code flaws and arbitrary zero-day code in software. Protect AI applied the tool to nearly 10,000 GitHub projects and on CVSS data and uncovered local file inclusion, cross-site scripting and remote code flaws in APIs.

Bank Info Security 1 year, 9 months ago

Memory-Safe Coding Cuts Android System Flaws by 75%

Google Says Rust Language Initiative Eliminates Cross-Site Scripting, Other FlawsGoogle says switching to a memory-safe language such as Rust under its Safe Coding program has helped significantly reduce the number of vulnerabilities in Android systems. The number of vulnerabilities uncovered in Android devices has fallen from over 200 in 2019 to fewer than 50 by 2024.

Bank Info Security 2 years, 4 months ago

Joomla CMS Patches Critical XSS Vulnerabilities

Millions of Websites Potentially at RiskCross-site scripting vulnerabilities in Joomla, a widely used free-source content management system, were fixed in a patch published Tuesday by the open-source project that maintains the software. The flaws potentially expose millions of websites to attacks that can end with remote code execution.

Bank Info Security 2 years, 8 months ago

Google Says 4 Attack Campaigns Exploited Zimbra Zero-Day

Zimbra Patched the Cross-Site Scripting Vulnerability on July 25A zero-day flaw in the Zimbra Collaboration email server proved to be a bonanza for hackers as four distinct threat actors exploited the bug to steal email data and user credentials, says Google. Most of the exploit activity occurred after Zimbra had posted a hotfix on July 5.