https://feed.craftedsignal.io/tags/reflected-xss/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 09:15:59 +0000https://feed.craftedsignal.io/briefs/2024-01-tegsoft-xss/Mon, 04 May 2026 09:15:59 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-tegsoft-xss/CVE-2025-14320 is a reflected cross-site scripting (XSS) vulnerability in Tegsoft Online Support Application versions V3 through 31122025, allowing attackers to inject arbitrary web scripts into user browsers.A reflected cross-site scripting (XSS) vulnerability, identified as CVE-2025-14320, exists within the Tegsoft Management and Information Services Trade Limited Company Online Support Application. This vulnerability affects versions V3 through 31122025. An attacker can exploit this vulnerability by injecting malicious scripts into a web page, which is then reflected back to the user, leading to potential data theft, session hijacking, or website defacement. This vulnerability was reported by the Computer Emergency Response Team of the Republic of Turkey. Successful exploitation requires tricking a user into clicking a specially crafted link.

Attack Chain

1. Attacker crafts a malicious URL containing a JavaScript payload.
2. The attacker distributes the crafted URL via email, social media, or other means.
3. Unsuspecting user clicks the malicious URL.
4. The user’s browser sends a request to the vulnerable Tegsoft Online Support Application with the malicious script as a parameter.
5. The Tegsoft application fails to properly sanitize the input.
6. The application reflects the malicious script back to the user’s browser within the HTML response.
7. The user’s browser executes the malicious script.
8. The script can then perform actions such as stealing cookies, redirecting the user to a phishing site, or defacing the web page.

Impact

Successful exploitation of this reflected XSS vulnerability can lead to the execution of arbitrary JavaScript code in the context of the victim’s browser. This can result in session hijacking, where an attacker gains unauthorized access to the user’s account. It can also lead to data theft, where sensitive information is stolen from the user’s browser. Furthermore, the attacker can redirect the user to a phishing website or deface the Online Support Application, potentially impacting multiple users.

Recommendation

• Apply available patches or updates from Tegsoft to address CVE-2025-14320 on the Online Support Application.
• Implement proper input validation and output encoding to prevent XSS vulnerabilities in the application based on CWE-79.
• Deploy the provided Sigma rule to detect potential XSS attempts in web server logs.
• Educate users about the dangers of clicking on suspicious links to mitigate the initial access vector.

]]>mediumadvisoryxssreflected-xsscve-2025-14320https://feed.craftedsignal.io/briefs/2024-02-adobe-connect-xss/Tue, 14 Apr 2026 18:16:55 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-02-adobe-connect-xss/Adobe Connect versions 2025.3, 12.10, and earlier are vulnerable to a reflected Cross-Site Scripting (XSS) attack, enabling attackers to execute malicious JavaScript in a victim's browser by enticing them to visit a crafted URL.A reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-27245, affects Adobe Connect versions 2025.3, 12.10, and earlier. This vulnerability allows an attacker to inject malicious JavaScript code into a user’s browser by convincing them to click on a specially crafted URL. When the victim visits the malicious URL, the injected script executes within their browser session, potentially enabling the attacker to steal cookies, redirect the user to a malicious website, or deface the web page. This vulnerability poses a significant risk to Adobe Connect users, as it can lead to account compromise and data breaches. Exploitation requires user interaction, but the impact can be severe.

Attack Chain

1. The attacker crafts a malicious URL containing a JavaScript payload within a parameter.
2. The attacker distributes the crafted URL via email, social media, or other means to a targeted user.
3. The victim clicks on the malicious link, unknowingly initiating the XSS attack.
4. The user’s browser sends a request to the Adobe Connect server with the malicious JavaScript in the URL.
5. The Adobe Connect server reflects the malicious JavaScript code back to the user’s browser without proper sanitization.
6. The victim’s browser executes the reflected JavaScript code within the context of the Adobe Connect application.
7. The attacker can then steal the victim’s session cookies.
8. Using the stolen cookies, the attacker can hijack the victim’s session, gaining unauthorized access to their Adobe Connect account and data.

Impact

Successful exploitation of this reflected XSS vulnerability (CVE-2026-27245) in Adobe Connect could lead to unauthorized access to user accounts, sensitive data, and the Adobe Connect environment. An attacker could potentially deface web pages, redirect users to phishing sites, or inject malware. The impact ranges from user-specific data theft to wider compromise of the Adobe Connect platform. While the number of victims is unknown, any organization using the affected Adobe Connect versions is vulnerable.

Recommendation

• Upgrade to a patched version of Adobe Connect that addresses CVE-2026-27245. Refer to the vendor advisory at https://helpx.adobe.com/security/products/connect/apsb26-37.html for specific upgrade instructions.
• Deploy the Sigma rule Detect Adobe Connect XSS Attempt via URI to identify requests containing suspicious JavaScript payloads targeting Adobe Connect.
• Educate users to be cautious about clicking on URLs received from untrusted sources to mitigate the initial access vector.
• Monitor web server logs for unusual URI patterns and JavaScript-like syntax using the Detect Reflected XSS Payloads in URI Sigma rule.

]]>highadvisoryxssadobe-connectcve-2026-27245reflected-xsshttps://feed.craftedsignal.io/briefs/2024-01-cerato-xss/Fri, 10 Apr 2026 14:16:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-cerato-xss/A reflected cross-site scripting (XSS) vulnerability exists in the Zootemplate Cerato WordPress theme (versions n/a through 2.2.18) due to improper neutralization of user-supplied input, potentially allowing attackers to execute arbitrary JavaScript in a user's browser.A reflected XSS vulnerability, identified as CVE-2025-58920, affects the Zootemplate Cerato WordPress theme. The vulnerability resides in versions ranging from n/a through 2.2.18. It stems from the improper neutralization of input during web page generation, which can allow an attacker to inject malicious scripts into a web page viewed by other users. Successful exploitation could allow an attacker to steal cookies, redirect users to malicious websites, or deface web pages. Given the widespread use of WordPress and its themes, this vulnerability poses a risk to websites using the affected Cerato theme.

Attack Chain

1. An attacker identifies a vulnerable endpoint within the Cerato theme that does not properly sanitize user input.
2. The attacker crafts a malicious URL containing a JavaScript payload within a parameter.
3. The attacker distributes the malicious URL via email, social media, or other means.
4. A victim clicks the malicious URL, sending a request to the vulnerable WordPress site.
5. The WordPress server, using the Cerato theme, reflects the attacker’s JavaScript payload in the response without proper sanitization.
6. The victim’s browser executes the malicious JavaScript code.
7. The attacker gains the ability to perform actions on behalf of the victim, such as stealing cookies or redirecting the user.

Impact

Successful exploitation of this reflected XSS vulnerability can lead to several adverse effects. An attacker could steal a user’s session cookies, gaining unauthorized access to their account. Victims can be redirected to phishing sites, potentially compromising their credentials. Further, attackers might inject malicious content into the web page, defacing the site or spreading malware. The impact of this vulnerability is limited by the need for user interaction (clicking a malicious link), but the potential for widespread exploitation remains significant for sites using the vulnerable Cerato theme.

Recommendation

• Upgrade the Zootemplate Cerato WordPress theme to a version beyond 2.2.18 to remediate CVE-2025-58920.
• Deploy the Sigma rule to detect exploitation attempts against this vulnerability (see the “Reflected XSS Attempt via GET” rule below).
• Implement a web application firewall (WAF) with rules to detect and block common XSS payloads to mitigate this and similar vulnerabilities.

]]>mediumadvisoryxsswordpressreflected-xsshttps://feed.craftedsignal.io/briefs/2026-04-siyuan-xss/Wed, 01 Apr 2026 00:30:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-siyuan-xss/SiYuan Note versions prior to the fix for commit f09953afc57a are vulnerable to reflected cross-site scripting (XSS) via a namespace prefix bypass in the SanitizeSVG function when handling dynamic icons, allowing unauthenticated attackers to execute arbitrary JavaScript in a victim's browser.SiYuan Note, a note-taking application, is susceptible to a reflected XSS vulnerability in its dynamic icon generation functionality. This flaw, present in versions prior to commit f09953afc57a, arises from an insufficient sanitization of SVG content, specifically failing to account for namespace prefixes in SVG elements. The vulnerability resides in the /api/icon/getDynamicIcon endpoint, which is accessible without authentication. An attacker can exploit this by crafting a malicious SVG payload containing namespaced <script> tags (e.g., <x:script xmlns:x="http://www.w3.org/2000/svg">), which bypasses the application’s XSS mitigation measures. Successful exploitation allows arbitrary JavaScript execution within the context of the victim’s SiYuan Note instance, potentially leading to data theft or other malicious activities.

Attack Chain

1. An attacker crafts a malicious URL targeting the /api/icon/getDynamicIcon endpoint with the type=8 parameter.
2. The crafted URL includes a content parameter containing a specially crafted SVG payload. This SVG payload leverages a namespace prefix to bypass the SanitizeSVG function’s intended filtering, e.g., %3C%2Fx%3Ascript%20xmlns%3Ax%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3Ealert%28document.domain%29%3C%2Fx%3Ascript%3E.
3. The victim, either unknowingly or through social engineering, opens the malicious URL in their browser.
4. The SiYuan server processes the request without proper sanitization, inserting the attacker-controlled content into the SVG, and serves the response with Content-Type: image/svg+xml.
5. The browser’s XML parser interprets the namespace prefix, resolving it to the SVG namespace, and executes the embedded JavaScript code.
6. The JavaScript code executes within the security context of the SiYuan application (http://<siyuan-host>:6806), due to Access-Control-Allow-Origin: *.
7. The attacker’s script can now interact with the SiYuan API using the victim’s session cookies.
8. The attacker can perform actions such as reading notes, exporting data, or modifying settings without authentication.

Impact

This vulnerability poses a significant risk to SiYuan Note users, particularly those whose instances are reachable on a local network. An attacker could potentially compromise sensitive information, manipulate user data, or gain unauthorized access to the application. The ease of exploitation and the absence of authentication requirements make this vulnerability particularly dangerous. Because SiYuan sets Access-Control-Allow-Origin: * and the script runs same-origin, it can call any API endpoint using the victim’s existing session cookies, including endpoints to read all notes, export data, or modify settings.

Recommendation

• Upgrade SiYuan Note to a version that includes the fix for commit f09953afc57a to remediate the vulnerability.
• Deploy the Sigma rule “Detect SiYuan SVG XSS Attempt” to identify potential exploitation attempts in web server logs.
• Monitor web server logs for requests to /api/icon/getDynamicIcon containing SVG payloads with namespace-prefixed script tags, as demonstrated in the PoC.
• Consider implementing a Content Security Policy (CSP) on the SiYuan server to restrict the execution of inline JavaScript.

]]>highadvisoryxsssiyuansvgreflected-xsshttps://feed.craftedsignal.io/briefs/2024-01-query-monitor-xss/Tue, 31 Mar 2026 12:16:31 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-query-monitor-xss/The Query Monitor WordPress plugin is vulnerable to reflected cross-site scripting (XSS) due to insufficient input sanitization and output escaping of the '$_SERVER['REQUEST_URI']' parameter, allowing unauthenticated attackers to inject arbitrary web scripts.The Query Monitor plugin for WordPress, a developer tool panel, is susceptible to a reflected Cross-Site Scripting (XSS) vulnerability. Identified as CVE-2026-4267, this flaw exists in all versions up to and including 3.20.3. The vulnerability arises from the plugin’s failure to adequately sanitize input and escape output related to the $_SERVER['REQUEST_URI'] parameter. An unauthenticated attacker can exploit this by injecting malicious web scripts into pages, posing a threat to users who…

]]>mediumadvisorywordpressxssreflected-xsscve-2026-4267