Graylog before v2.4.4 has an XSS security issue with unescaped text in notifications, related to toastr and util/UserNotification.js.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-11650
https://github.com/Graylog2/graylog2-server/pull/4727
http…
Graylog before v2.4.4 has an XSS security issue with unescaped text in dashboard names, related to components/dashboard/Dashboard.jsx, components/dashboard/EditDashboardModal.jsx, and pages/ShowDashboardPage.jsx.
References
https://nvd.nist.gov/vuln/d…
ValueStack defines special top object which represents root of execution context. It can be used to manipulate Struts’ internals or can be used to affect container’s settings. Applying better regex which includes pattern to exclude request parameters t…
If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.
References
https://nvd.nist.gov/vuln/…
A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user’s brow…
A exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being written to logs.
References
https://nvd.nist.gov/vuln/deta…
An issue was discovered in OpenTSDB 2.3.0. There is XSS in parameter json to the /q URI.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-12973
https://github.com/OpenTSDB/opentsdb/issues/1240
https://github.com/advisories/GHSA-r68m-wq3x-2hqw
A exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in ConfigurationAsCode.java that allows attackers with Overall/Read access to obtain the YAML export of the Jenkins configuration. Ve…
Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a File and Directory Information Exposure vulnerability in AWSCodeDeployPublisher.java that can result in Disclosure of environment variables. This vulnerability appears to…
In Graylog before 2.4.6, XSS was possible in typeahead components, related to components/common/TypeAheadInput.jsx and components/search/QueryInput.ts.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-14380
https://github.com/Graylog2/graylog2-ser…
