
トピトピニュース

Category: HIGH (381 posts)

Featured

Posted by GitHub
[phpxmlrpc/phpxmlrpc] code injection in phpxmlrpc/phpxmlrpc
Posted by GitHub
[ghost] ghost vulnerable to unauthorized newsletter modification via improper access controls
Posted by GitHub
[microweber/microweber] Account Takeover Through Password Reset Poisoning
Posted by GitHub
[apache-airflow] OS Command Injection in Apache Airflow

[jenkins.xtc:extensivetesting] Cleartext Storage of Sensitive Information in Jenkins Extensive Testing Plugin

  • Posted in HIGH
  • Posted by GitHub
  • 05/25/2022 (updated 11/02/2022)

Jenkins Extensive Testing Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
References

https://nvd.nist.gov/vuln/de…
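How a Jenkins plugin ends up with cleartext in config.xml, and the shape that avoids it, as an added example. This is not the Extensive Testing Plugin's code: the class, field and display names are hypothetical, and it assumes jenkins-core and Stapler on the classpath. Jenkins persists Describable objects to the job's config.xml with XStream, so the declared field type decides what is written to disk.

```java
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/**
 * Added example (hypothetical plugin class, not the plugin's own code).
 * Jenkins persists Describable fields to config.xml with XStream, so the
 * field type decides whether a credential lands on disk in cleartext.
 */
public class TestServerConfig extends AbstractDescribableImpl<TestServerConfig> {

    private final String url;

    // Vulnerable shape (the pattern the advisory describes):
    //     private final String password;
    // XStream writes <password>hunter2</password> verbatim into config.xml,
    // readable by anyone with Extended Read on the job or a shell on the
    // controller.
    //
    // Fixed shape: hudson.util.Secret. XStream serializes it encrypted with
    // the controller's key; the plaintext only exists in memory after an
    // explicit getPlainText()/Secret.toString() call.
    private final Secret password;

    @DataBoundConstructor
    public TestServerConfig(String url, Secret password) {
        this.url = url;
        this.password = password;
    }

    public String getUrl() {
        return url;
    }

    // Return the Secret, not a String, so the form round-trips the encrypted
    // value and never echoes plaintext into the configuration page.
    public Secret getPassword() {
        return password;
    }

    // Only the code that actually authenticates to the server should call this.
    String plainPassword() {
        return Secret.toString(password);
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<TestServerConfig> {
        @Override
        public String getDisplayName() {
            return "Test server";
        }
    }
}
```

Two caveats a practitioner should keep in mind. Changing the field type does not fix existing jobs: values already written in cleartext stay in config.xml until the job is re-saved (a `readResolve()` that wraps a legacy String with `Secret.fromString` handles migration). And `Secret` protects the value at rest only; anyone with Overall/Administer can still decrypt it from the script console, so the stronger design is to store the credential in the Credentials plugin and keep only its ID in the job configuration. To find what is already exposed, search the job config.xml files on the controller for the plugin's element names and look for values that are not in the encrypted `{AQAAABAAAA...}` form.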

[org.apereo.cas:cas-server-support-simple-mfa] Use of Insufficiently Random Values in Apereo CAS

  • Posted in HIGH
  • Posted by GitHub
  • 05/25/2022 (updated 11/02/2022)

Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation, which makes those values predictable because the PRNG behind RandomStringUtils is not cryptographically strong.
…
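The weak and the strong choice side by side, as an added example (not Apereo CAS code; assumes commons-lang3 on the classpath, and the method names are illustrative). The no-argument RandomStringUtils helpers in the affected commons-lang3 versions draw from a shared java.util.Random, a 48-bit linear congruential generator whose internal state can be recovered from a short run of outputs; the fix is to generate tokens from a CSPRNG.

```java
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.commons.lang3.RandomStringUtils;

/** Added example: predictable vs. unpredictable token generation. Not CAS code. */
public class TokenGeneration {

    // Weak. randomAlphanumeric() and its siblings use a single shared
    // java.util.Random (48-bit LCG). Once an attacker has observed a few tokens
    // issued to themselves (reset tickets, MFA codes, session IDs) the generator
    // state is recoverable and the tokens issued to other users are computable.
    // This is the pattern the advisory describes.
    static String weakToken() {
        return RandomStringUtils.randomAlphanumeric(32);
    }

    // Fixed (1): a CSPRNG and raw bytes. 32 bytes is 256 bits of entropy;
    // URL-safe Base64 without padding yields 43 characters usable in a URL.
    private static final SecureRandom RNG = new SecureRandom();

    static String strongToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Fixed (2): keep the alphanumeric alphabet a legacy consumer may expect,
    // but pass the CSPRNG explicitly through the overload that accepts a
    // java.util.Random (SecureRandom extends Random). start=0, end=0 with a
    // null char array selects the ASCII letter/digit range in commons-lang3.
    static String strongAlphanumeric(int length) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, RNG);
    }

    public static void main(String[] args) {
        System.out.println("weak    : " + weakToken());
        System.out.println("strong  : " + strongToken());
        System.out.println("strong2 : " + strongAlphanumeric(32));
    }
}
```

When auditing a codebase for this class of issue, grep for `RandomStringUtils.random`, `new Random(` and `Math.random(` and check whether each result feeds anything security-relevant (tokens, IDs, salts, nonces); an alphanumeric token that merely looks random is not evidence of entropy.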

[kevinpapst/kimai2] Kimai v2 is vulnerable to Cross-Site Scripting (XSS)

  • Posted in HIGH
  • Posted by GitHub
  • 05/25/2022 (updated 09/13/2022)

Kimai v2 before 1.1 has XSS via a timesheet description.
References

https://nvd.nist.gov/vuln/detail/CVE-2019-15481
https://github.com/kevinpapst/kimai2/pull/962
https://github.com/kevinpapst/kimai2/releases/tag/1.1
https://github.com/advisories/GHSA-…

[org.apache.storm:storm-core] Exposure of Sensitive Information in Apache Storm Logviewer

  • Posted in HIGH
  • Posted by GitHub
  • 05/25/2022 (updated 11/05/2022)

The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host’s file system that were not intended to b…

[org.eclipse.xtext:org.eclipse.xtext] Potentially compromised builds

  • Posted in HIGH
  • Posted by GitHub
  • 05/25/2022 (updated 11/05/2022)

All Xtext & Xtend versions prior to 2.18.0 were built using HTTP instead of HTTPS file transfer and thus the built artifacts may have been compromised.
References

https://nvd.nist.gov/vuln/detail/CVE-2019-10249
https://github.com/eclipse/xtext-xte…

[org.apache.qpid:proton-j] Improper Certificate Validation in Apache Qpid Proton

  • Posted in HIGH
  • Posted by GitHub
  • 05/25/2022 (updated 11/02/2022)

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS even when configured to verify the peer certifi…

[org.eclipse.vorto:org.eclipse.vorto.core] Eclipse Vorto resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS

  • Posted in HIGH
  • Posted by GitHub
  • 05/25/2022 (updated 11/23/2022)

Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of Vorto mig…
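The Xtext and Vorto entries above are the same supply-chain failure: build dependencies fetched over plain HTTP can be swapped by anyone on the network path. The guard a practitioner wants is a build that fails when any repository is reached over http://. Maven 3.8.1 and later ship exactly this blocker in their default settings.xml; the following is an added example (not from the Xtext or Vorto repositories) that makes it explicit in a user or CI settings.xml so the policy survives a customised settings file.

```xml
<!-- ~/.m2/settings.xml (added example, not project code). Requires Maven 3.8.1+
     for the <blocked> element. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <mirrors>
    <!-- Any <repository> or <pluginRepository> whose URL is http:// and not
         on localhost is redirected to this mirror, and the mirror is marked
         blocked, so resolution fails loudly instead of downloading over
         cleartext. -->
    <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>external:http:*</mirrorOf>
      <name>Block all non-localhost HTTP repositories</name>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
    </mirror>
  </mirrors>
</settings>
```

With this in place, a pom.xml that still declares `<url>http://...</url>` for a repository fails with a "Blocked mirror for repositories" error, which is the signal to change the URL to https:// (the fix both projects applied) and to add checksum or signature verification for artifacts that are not in Maven Central. The blocker only covers Maven; Gradle, p2/Tycho update sites and curl-based download steps need the same http:// audit separately.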

[octoprint] Cross-site Scripting in OctoPrint

  • Posted in HIGH
  • Posted by GitHub
  • 05/19/2022 (updated 09/09/2022)

Cross-site Scripting (XSS), generic, in GitHub repository octoprint/octoprint prior to 1.8.0: the Stream URL setting of the OctoPrint application allows an XSS payload to execute.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-1432
https://github.com/octop…

[org.apache.portals.jetspeed-2:jetspeed] Path Traversal in Apache Jetspeed

  • Posted in HIGH
  • Posted by GitHub
  • 05/17/2022 (updated 11/04/2022)

Directory traversal vulnerability in the Import/Export function in the Portal Site Manager in Apache Jetspeed before 2.3.1 allows remote authenticated administrators to write to arbitrary files, and consequently execute arbitrary code, via a .. (dot do…

[org.apache.tomcat:tomcat] Deserialization of Untrusted Data in Apache Tomcat

  • Posted in HIGH
  • Posted by GitHub
  • 05/17/2022 (updated 11/04/2022)

The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file…
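The Storm Logviewer, Jetspeed and Tomcat entries above are three faces of one bug: a client-supplied file name is joined to a directory and used for a read or a write without confining the result to that directory, via `..` segments in the first two cases and via an embedded NUL byte in the third. The helper below is an added example, not code from any of those projects; the class name, the probe strings and the temporary directory are constructed for illustration. It generalizes the three cases into a single check that is applied once and whose result is the only path the caller may use.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example: confine a client-supplied file name to a base directory. */
public final class SafePaths {

    private SafePaths() {}

    /**
     * Resolve userSupplied under baseDir and return the absolute, normalized
     * path, or throw if it would escape baseDir. Callers must use the
     * returned Path for every read or write and never re-join the raw string.
     */
    public static Path resolveUnder(Path baseDir, String userSupplied) throws IOException {
        if (userSupplied == null || userSupplied.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Embedded NUL: a Java String carries it, the C open() the JVM calls
        // stops at it. "ok.log\0../../etc/passwd" passes an extension check
        // and can still name another file (the Tomcat DiskFileItem entry is
        // this class of bug). Modern JDKs reject it in Paths.get; checking
        // explicitly keeps the guarantee independent of JDK behaviour.
        if (userSupplied.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in file name");
        }
        Path rel = Paths.get(userSupplied);
        if (rel.isAbsolute()) {
            throw new IllegalArgumentException("absolute paths not allowed");
        }
        // Canonicalize the base once: startsWith() compares segments, so the
        // base must be the real (symlink-free) path.
        Path base = baseDir.toRealPath();
        // normalize() collapses "." and ".." segments. Any URL-decoding must
        // already have happened before this point, or "%2e%2e" slips through.
        Path target = base.resolve(rel).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory: " + userSupplied);
        }
        // If the target exists, also refuse symlinks inside the tree that
        // point outside it (relevant for the write cases, Jetspeed-style).
        if (Files.exists(target) && !target.toRealPath().startsWith(base)) {
            throw new IllegalArgumentException("symlink escapes base directory: " + userSupplied);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed probes, not data from any advisory.
        Path logs = Files.createTempDirectory("logs").toRealPath();
        String[] probes = {
            "worker.log",                  // allowed
            "topology-1/worker-6700.log",  // allowed (sub-directory)
            "../../etc/passwd",            // Storm/Jetspeed-style traversal
            "/etc/passwd",                 // absolute path
            "ok.log\0../../etc/passwd",    // Tomcat-style NUL byte
        };
        for (String p : probes) {
            try {
                System.out.println("allow  " + logs.relativize(resolveUnder(logs, p)));
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + e.getMessage().replace('\0', '?'));
            }
        }
    }
}
```

Two points of design. The check returns a `Path` rather than a boolean so that the validated value and the value actually opened are the same object; most traversal regressions come from validating one string and opening another. And the Logviewer case shows that the check alone is not the whole fix: a daemon that serves arbitrary files under a log root is still a sensitive read surface, so the resolved directory should hold only what the endpoint is meant to serve, and the daemon should run as a user that can read nothing else.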
