Known Exploited Vulnerabilities Cross-site Scripting (XSS) Capability Group

This vulnerability is exploited by an adversary via a malicious e-mail containing a crafted SVG document. When a user views the e-mail, the remote attacker can load arbitrary JavaScript code on the victim's machine. In recent campaign Winter Vivern group exploited this vulnerability. The attack chains typically start with a phishing mail sent containing a Base64-encoded payload embedded in the HTML source code. The payload gets decoded and injects a remote javascript, checkupdate.js, in current user session. The checkupdate.js script serves as a loader, enabling the execution of a final JavaScript payload which is designed to exfiltrate email messages. The attackers weaponized this XSS flaw to carry out their malicious activities, ultimately allowing them to harvest email messages from their victims' accounts to a C2 server. The attack chain requires minimal user interaction, the attack gets executed only in viewing the malicious email in a web browser.

This vulnerability is exploited by an adversary via a malicious e-mail containing a crafted SVG document. When a user views the e-mail, the remote attacker can load arbitrary JavaScript code on the victim's machine. In recent campaign Winter Vivern group exploited this vulnerability. The attack chains typically start with a phishing mail sent containing a Base64-encoded payload embedded in the HTML source code. The payload gets decoded and injects a remote javascript, checkupdate.js, in current user session. The checkupdate.js script serves as a loader, enabling the execution of a final JavaScript payload which is designed to exfiltrate email messages. The attackers weaponized this XSS flaw to carry out their malicious activities, ultimately allowing them to harvest email messages from their victims' accounts to a C2 server. The attack chain requires minimal user interaction, the attack gets executed only in viewing the malicious email in a web browser.

This vulnerability is exploited by an adversary via a malicious e-mail containing a crafted SVG document. When a user views the e-mail, the remote attacker can load arbitrary JavaScript code on the victim's machine. In recent campaign Winter Vivern group exploited this vulnerability. The attack chains typically start with a phishing mail sent containing a Base64-encoded payload embedded in the HTML source code. The payload gets decoded and injects a remote javascript, checkupdate.js, in current user session. The checkupdate.js script serves as a loader, enabling the execution of a final JavaScript payload which is designed to exfiltrate email messages. The attackers weaponized this XSS flaw to carry out their malicious activities, ultimately allowing them to harvest email messages from their victims' accounts to a C2 server. The attack chain requires minimal user interaction, the attack gets executed only in viewing the malicious email in a web browser.

This vulnerability is exploited by an adversary via malicious links embedded in trustworthy websites to infiltrate victim systems. Successful exploitation grants the adversary the ability to execute arbitrary code on the impacted system. The Russia-aligned hacking group TAG-70 has been attributed to exploiting this vulnerability. TAG-70 has used this vulnerability in an espionage campaign targeting European government and military agencies, as well as Iranian embassies in Russia, aiming to gather intelligence on European political and military activities. The campaign, active from early to mid-October 2023, is part of a broader pattern of Russian state-aligned cyber-espionage targeting email services.

This vulnerability is exploited by an adversary via malicious links embedded in trustworthy websites to infiltrate victim systems. Successful exploitation grants the adversary the ability to execute arbitrary code on the impacted system. The Russia-aligned hacking group TAG-70 has been attributed to exploiting this vulnerability. TAG-70 has used this vulnerability in an espionage campaign targeting European government and military agencies, as well as Iranian embassies in Russia, aiming to gather intelligence on European political and military activities. The campaign, active from early to mid-October 2023, is part of a broader pattern of Russian state-aligned cyber-espionage targeting email services.

This vulnerability is exploited by an adversary via malicious links embedded in trustworthy websites to infiltrate victim systems. Successful exploitation grants the adversary the ability to execute arbitrary code on the impacted system. The Russia-aligned hacking group TAG-70 has been attributed to exploiting this vulnerability. TAG-70 has used this vulnerability in an espionage campaign targeting European government and military agencies, as well as Iranian embassies in Russia, aiming to gather intelligence on European political and military activities. The campaign, active from early to mid-October 2023, is part of a broader pattern of Russian state-aligned cyber-espionage targeting email services.

This vulnerability is exploited by a remote attacker to execute HTML on the Cobalt Strike team server. To exploit this vulnerability, an attacker would inspect a Cobalt Strike payload and modify the username field within the payload to be malformed. This manipulation enables the attacker to execute arbitrary code by setting a malformed username in the Beacon configuration. In a documented cybersecurity incident, a Chinese threat actor leveraged a modified version of Cobalt Strike, known as "Cobalt Strike Cat," which included a patch for CVE-2022-39197. This version was used to establish communication channels with victim systems, perform evasive post-exploitation activities, and maintain persistence.

This vulnerability is exploited by a remote attacker to execute HTML on the Cobalt Strike team server. To exploit this vulnerability, an attacker would inspect a Cobalt Strike payload and modify the username field within the payload to be malformed. This manipulation enables the attacker to execute arbitrary code by setting a malformed username in the Beacon configuration. In a documented cybersecurity incident, a Chinese threat actor leveraged a modified version of Cobalt Strike, known as "Cobalt Strike Cat," which included a patch for CVE-2022-39197. This version was used to establish communication channels with victim systems, perform evasive post-exploitation activities, and maintain persistence.

This vulnerability is exploited by an attacker via spear-phishing emails containing malicious links to inject arbitrary HTML and JavaScript into the document by placing executable JavaScript inside element attributes. This results in unescaped markup, enabling the attacker to execute JavaScript in the context of a user's Zimbra session, leading to potential data theft and other malicious activities. This vulnerability was identified by Volexity in December 2021 during a series of targeted spear-phishing campaigns conducted by a threat actor tracked as TEMP_Heretic. The campaigns aimed to exploit this zero-day vulnerability, allowing attackers to execute arbitrary JavaScript in the context of a user's Zimbra session. The attack involved two phases: an initial reconnaissance phase using emails with embedded remote images to track if targets opened the messages, and a second phase with spear-phishing emails containing malicious links. If a target clicked on these links while logged into the Zimbra webmail client, the attacker could exploit the vulnerability to steal email data and attachments.

This vulnerability is exploited by an attacker via spear-phishing emails containing malicious links to inject arbitrary HTML and JavaScript into the document by placing executable JavaScript inside element attributes. This results in unescaped markup, enabling the attacker to execute JavaScript in the context of a user's Zimbra session, leading to potential data theft and other malicious activities. This vulnerability was identified by Volexity in December 2021 during a series of targeted spear-phishing campaigns conducted by a threat actor tracked as TEMP_Heretic. The campaigns aimed to exploit this zero-day vulnerability, allowing attackers to execute arbitrary JavaScript in the context of a user's Zimbra session. The attack involved two phases: an initial reconnaissance phase using emails with embedded remote images to track if targets opened the messages, and a second phase with spear-phishing emails containing malicious links. If a target clicked on these links while logged into the Zimbra webmail client, the attacker could exploit the vulnerability to steal email data and attachments.

This vulnerability is exploited by an attacker via spear-phishing emails containing malicious links to inject arbitrary HTML and JavaScript into the document by placing executable JavaScript inside element attributes. This results in unescaped markup, enabling the attacker to execute JavaScript in the context of a user's Zimbra session, leading to potential data theft and other malicious activities. This vulnerability was identified by Volexity in December 2021 during a series of targeted spear-phishing campaigns conducted by a threat actor tracked as TEMP_Heretic. The campaigns aimed to exploit this zero-day vulnerability, allowing attackers to execute arbitrary JavaScript in the context of a user's Zimbra session. The attack involved two phases: an initial reconnaissance phase using emails with embedded remote images to track if targets opened the messages, and a second phase with spear-phishing emails containing malicious links. If a target clicked on these links while logged into the Zimbra webmail client, the attacker could exploit the vulnerability to steal email data and attachments.

CVE-2020-3580 is a vulnerability affecting the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link to to execute arbitrary script code within the interface or access sensitive browser-based information.

CVE-2020-3580 is a vulnerability affecting the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link to to execute arbitrary script code within the interface or access sensitive browser-based information.

CVE-2020-3580 is a vulnerability affecting the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link to to execute arbitrary script code within the interface or access sensitive browser-based information.

This cross-site scripting vulnerability has been exploited in the wild by enticing a user to click on a link to a malicious website. The attacker can then impersonate the user and perform actions such as changing the user's settings on the website or accessing the user's webmail.

This cross-site scripting vulnerability has been exploited in the wild by enticing a user to click on a link to a malicious website. The attacker can then impersonate the user and perform actions such as changing the user's settings on the website or accessing the user's webmail.

This cross-site scripting vulnerability has been exploited in the wild by enticing a user to click on a link to a malicious website. The attacker can then impersonate the user and perform actions such as changing the user's settings on the website or accessing the user's webmail.

This cross-site scripting vulnerability has been exploited in the wild by enticing a user to click on a link to a malicious website. The attacker can then impersonate the user and perform actions such as changing the user's settings on the website or accessing the user's webmail.

An attacker can exploit a deserialization/desanitization issue by injecting malicious JavaScript into a message. Parsing the HTML inside the message can allow the exfiltration of email data, as well as commandeer the victim's browser.

An attacker can exploit a deserialization/desanitization issue by injecting malicious JavaScript into a message. Parsing the HTML inside the message can allow the exfiltration of email data, as well as commandeer the victim's browser.

An attacker can exploit a deserialization/desanitization issue by injecting malicious JavaScript into a message. Parsing the HTML inside the message can allow the exfiltration of email data, as well as commandeer the victim's browser.

Attackers can send a malicious email with a specially crafted calendar header in order to execute arbitrary JavaScript code in the browser. This can lead to email collection, which can then be exfiltrated.

Attackers can send a malicious email with a specially crafted calendar header in order to execute arbitrary JavaScript code in the browser

Attackers can send a malicious email with a specially crafted calendar header in order to execute arbitrary JavaScript code in the browser

Attackers can send a malicious email with a specially crafted calendar header in order to execute arbitrary JavaScript code in the browser

Threat actors can use spearphishing to deliver a malicious JavaScript payload, which then allows exfiltration of sensitive data from the email servers.

Threat actors can use spearphishing to deliver a malicious JavaScript payload, which then allows exfiltration of sensitive data from the email servers.

Threat actors can use spearphishing to deliver a malicious JavaScript payload, which then allows exfiltration of sensitive data from the email servers.

The /h/autoSaveDraft function in Zimbra Collaboration Suite can be targeted by an authenticated attacker's malicious scripts, facilitating arbitrary code execution, as well as session cookie theft.

The /h/autoSaveDraft function in Zimbra Collaboration Suite can be targeted by an authenticated attacker's malicious scripts, facilitating arbitrary code execution, as well as session cookie theft.

The /h/autoSaveDraft function in Zimbra Collaboration Suite can be targeted by an authenticated attacker's malicious scripts, facilitating arbitrary code execution, as well as session cookie theft.