.png)
BOOK THIS SPACE FOR AD
ARTICLE AD13. July 2021
This article has been indexed from E Hacking News – Latest Hacker News and IT Security News
Cybersecurity researchers at Canadian firm Software Secured identified a critical flaw in Less.js, a widely used preprocessor language. According to the report published by the firm, the vulnerability could be exploited by threat actors to achieve remote code execution attacks.
Researchers report that Less.js transpiles to valid CSS code and is used to aid the writing of CSS for websites. In addition, the Less.js library supports plugins from remote sources using the @plugin syntax; these plugins must be written in JavaScript and will run when the Less code is interpreted.
Attackers can abuse this feature for remote attack deployment: “If less code is processed on the client-side, an inter-site scripting (XSS) attack could result, although its server-side execution can lead to remote code execution (RCE). All versions of Less with support for @plugin syntax are vulnerable to these scenarios. Less.js transpiles to valid CSS code and is used to aid the writing of CSS for websites,” says the report published by the firm Software Secured.
The report includes a proof of concept (PoC) and a real-world scenario exploitation demonstration in CodePen.io, a website for creating Less.js code snippets. The operators of this website were notified about this and a solution has already been developed to address this flaw.&n […]Read the original article: Vulnerability in Less.js Causes Website to Leak AWS Secret Keys
By continuing to use the site, you agree to the use of cookies. more information
Bengali (Bangladesh) · 
English (United States) ·