トピトピニュース

[jquery] jQuery vulnerable to Cross-Site Scripting (XSS)

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
References

https://nvd.nist.gov/vuln/detail/CVE-2011-4969
h…

[org.jenkins-ci.main:jenkins-core] Cross-site Scripting in Jenkins Core

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaSc…

[org.jboss.resteasy:resteasy-jaxrs] Denial of service in JBoss resteasy

Posted inHIGH
Posted byGitHub
05/14/202211/02/2022

RESTEasy enables GZIPInterceptor, which allows remote attackers to cause a denial of service via unspecified vectors.
References

https://nvd.nist.gov/vuln/detail/CVE-2016-6346
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
http://www.securityfocu…

[org.jvnet.hudson.plugins:favorite] Jenkins Favorite Plugin vulnerable to Cross-Site Request Forgery

Posted inHIGH
Posted byGitHub
05/14/202211/23/2022

Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification.
References

https://nvd.nist.gov/vuln/detail/CVE-2017-1000244
https://jenkins.io/security/advisory/2017-06-06/
https://github.com/advisories/GHSA-jqwh…

[org.apache.camel:camel-hessian] Apache Camel camel-hessian component vulnerable to Java object deserialization

The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.
References

https://nvd.nist.gov/vuln/detail/C…

[org.biouno:uno-choice] Cross-site Scripting in Jenkins Active Choices plugin

Jenkins Active Choices plugin version 1.5.3 and earlier allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the ‘Build With Parameters’ page through the ‘Active Choices Reactive Reference Parameter’ type. This could inc…

[com.googlecode.wicket-jquery-ui:wicket-jquery-ui-parent] Cross-site Scripting in wicket-jquery-ui

In wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in WYSIWYG editor will be executed on display.
References

https://nvd.nist.gov/vuln/detail/CVE-2018-1325
https://markmail.org/message/6bxjyaolehhq7jrl
https://github.com…

[com.googlecode.wicket-jquery-ui:wicket-jquery-ui-parent] Cross-site Scripting in wicket-jquery-ui

In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JS code to WYSIWYG editor.
References

https://nvd.nist.gov/vuln…

[org.apache.geode:geode-core] Apache Geode OQL method invocation vulnerability

Posted inHIGH
Posted byGitHub
05/14/202211/08/2022

When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries that allow read and write access to objects within unauthorized regions. In addition a us…

[org.apache.struts:struts2-core] ClassLoader manipulation in Apache Struts

Posted inHIGH
Posted byGitHub
05/14/202211/04/2022

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to “manipulate” the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exis…