A cross-site request forgery (CSRF) vulnerability in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials. Version 4.8.0.130 req…
[org.jenkins-ci.plugins:wildfly-deployer] Jenkins WildFly Deployer Plugin vulnerable to path traversal
Jenkins WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-41235
https://www.jenkins.io/sec…
[craftcms/cms] Craft CMS Cross-site Scripting vulnerability
Craft CMS 4.2.0.1 is affected by Cross-Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js, specifically on the line label: elementInfo.label.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-37246
https://github….
[com.meowlomo.jenkins:scm-httpclient] Jenkins SCM HttpClient Plugin Missing Authorization
A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturin…
[org.jenkins-ci.plugins:bigpanda-jenkins] Jenkins BigPanda Notifier Plugin Missing Password Field Masking
Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-41248
https:…
[com.meowlomo.jenkins:scm-httpclient] Jenkins SCM HttpClient Plugin vulnerable to Cross-Site Request Forgery
A cross-site request forgery (CSRF) vulnerability in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing cred…
[org.jenkins-ci.plugins:apprenda] Jenkins Apprenda Plugin has Missing Authorization vulnerability
A missing permission check in Jenkins Apprenda Plugin 2.2.0 and earlier allows users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-41251
https://www.jen…
[rdiffweb] rdiffweb has insecure HTTP cookies
In rdiffweb prior to version 2.4.6, the cookie session_id does not have a secure attribute when the URL is invalid. Version 2.4.6 contains a fix for the issue.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3250
https://github.com/ikus060/rdiffw…
[org.springframework.data:spring-data-rest-core] Spring Data REST can expose hidden entity attributes
In applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 – 3.6.6, 3.7.0 – 3.7.2, and older unsupported versions, an attacker who knows the structure of the underlying domain model can craft HTTP re…
[awesome-support/awesome-support] Awesome Support vulnerable to persistent cross-site scripting
Multiple authenticated (custom plugin-specific role) persistent Cross-Site Scripting (XSS) vulnerabilities in the Awesome Support plugin <= 6.0.7 for WordPress.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-38073
https://patchstack.com/database/vul…