A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stor…
[org.jenkins-ci.plugins:katalon] Jenkins Katalon Plugin Missing Authorization vulnerability
Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through an…
[github.com/fluxcd/source-controller] Improper use of metav1.Duration allows for Denial of Service
Flux controllers within the affected version range are vulnerable to a denial of service attack. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields .spec….
[com.alibaba:hessian-lite] Hessian Lite for Apache Dubbo deserialization vulnerability
A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and …
[org.apache.isis.core:isis-core] Apache Isis Cross-site Scripting vulnerability
Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. In particular, the end-user could enter javascript or similar an…
[org.apache.isis.core:isis-core] Apache Isis webconsole module may directly query the database in prototype mode
When running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) is automatically made available with the ability to directly query the database. It was felt that it is safer to require the developer to explicitly enable th…
[getkirby/cms] Kirby CMS vulnerable to user enumeration in the brute force protection
TL;DR
This vulnerability affects all Kirby sites with user accounts (unless Kirby’s API and Panel are disabled in the config). It can only be exploited for targeted attacks because the attack does not scale to brute force.
Introduction
User enumeratio…
[getkirby/cms] Kirby CMS vulnerable to user enumeration in the code-based login and password reset forms
TL;DR
This vulnerability only affects you if you are using the code or password-reset auth method with the auth.methods option. It can only be successfully exploited under server configuration conditions outside of the attacker’s control.
Introduction…
[oro/commerce] OroCommerce Cross site scripting vulnerability during shipping rule editing for UPS integration
Impact
The shipping rule edit page is vulnerable to a cross-site scripting (XSS) payload added to the UPS Surcharge field. The attacker must have permission to create or edit a shipping rule.
References
https://github.com/oroinc/orocommerce/security/advisorie…
[nokogiri] Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Summary
Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to v2.10.3 from v2.9.14.
libxml2 v2.10.3 addresses the following known vulnerabilities:
CVE-2022-2309
CVE-2022-40304
CVE-2022-40303
Please note that this advisory only a…