トピトピニュース

Category: MODERATE (505 Posts)

Featured

  • [org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown (Posted by GitHub)
  • [baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability (Posted by GitHub)
  • [org.postgresql:postgresql] TemporaryFolder on unix-like systems does not limit access to created files (Posted by GitHub)
  • [com.h2database:h2] Password exposure in H2 Database (Posted by GitHub)

[org.jenkins-ci.plugins:bigpanda-jenkins] Jenkins BigPanda Notifier Plugin Missing Password Field Masking

  • Posted in MODERATE
  • Posted by GitHub
  • 09/22/2022 / 09/23/2022

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-41248
https:…

[org.jenkins-ci.plugins:apprenda] Jenkins Apprenda Plugin has Missing Authorization vulnerability

  • Posted in MODERATE
  • Posted by GitHub
  • 09/22/2022 / 09/23/2022

A missing permission check in Jenkins Apprenda Plugin 2.2.0 and earlier allows users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-41251
https://www.jen…

[rdiffweb] rdiffweb has insecure HTTP cookies

  • Posted in MODERATE
  • Posted by GitHub
  • 09/22/2022 / 09/27/2022

In rdiffweb prior to version 2.4.6, the cookie session_id does not have a secure attribute when the URL is invalid. Version 2.4.6 contains a fix for the issue.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3250
https://github.com/ikus060/rdiffw…

[awesome-support/awesome-support] Awesome Support vulnerable to persistent cross-site scripting

  • Posted in MODERATE
  • Posted by GitHub
  • 09/22/2022 / 09/30/2022

Multiple authenticated (custom plugin-specific role) persistent cross-site scripting (XSS) vulnerabilities in the Awesome Support plugin <= 6.0.7 for WordPress.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-38073
https://patchstack.com/database/vul…

[rdiffweb] rdiffweb CSRF could lead to disabling notifications in user profile

  • Posted in MODERATE
  • Posted by GitHub
  • 09/22/2022 / 09/23/2022

rdiffweb prior to 2.4.6 is vulnerable to Cross-Site Request Forgery (CSRF), which could lead to disabling notifications in a user’s profile.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3233
https://github.com/ikus060/rdiffweb/commit/18a5aabd4…

[@netlify/ipx] @netlify/ipx vulnerable to Full Response SSRF and Stored XSS via Cache Poisoning and Improper Host Validation

  • Posted in MODERATE
  • Posted by GitHub
  • 09/22/2022 / 09/28/2022

Impact
By sending specially crafted headers an attacker can bypass the source image domain allowlist, causing the handler to load and return arbitrary images. Because the response is cached globally, this image will then be served to visitors without r…

[fhir-works-on-aws-authz-smart] fhir-works-on-aws-authz-smart handles permissions improperly

  • Posted in MODERATE
  • Posted by GitHub
  • 09/22/2022 / 09/27/2022

Impact
This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the clien…

[parse-server] parse-server’s session object properties can be updated by foreign user if object ID is known

  • Posted in MODERATE
  • Posted by GitHub
  • 09/22/2022 / 09/27/2022

Impact
A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the user field and then read any custom fields of that se…

[commonmarker] Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

  • Posted in MODERATE
  • Posted by GitHub
  • 09/22/2022 / 09/22/2022

Impact
CommonMarker uses cmark-gfm for rendering GitHub Flavored Markdown. A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.
Patches
This vulnerability has b…

[jwcrypto] jwcrypto token substitution can lead to authentication bypass

  • Posted in MODERATE
  • Posted by GitHub
  • 09/22/2022 / 09/22/2022

The JWT code can auto-detect the type of token being provided, and this can lead the application to incorrect conclusions about the trustworthiness of the token.
Quoting the private disclosure we received: “Under certain circumstances, it is possible …
