トピトピニュース

Category: MODERATE (505 Posts)


[org.apache.struts:struts2-core] Possible DoS attack when using URLValidator

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 11/04/2022

If an application allows a URL to be entered in a form field and the built-in URLValidator is used, it is possible to prepare a special URL that overloads the server process when the URL is validated.
References

https://nvd.nist.gov/vuln/…

[org.jvnet.hudson.plugins:groovy-postbuild] Jenkins Groovy Postbuild Plugin vulnerable to Cross-site Scripting

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 11/23/2022

A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user’s brow…

[org.csanchez.jenkins.plugins:kubernetes] Exposure of Sensitive Information in Jenkins Kubernetes Plugin

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 11/04/2022

An exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being written to logs.
References

https://nvd.nist.gov/vuln/deta…

[net.opentsdb:opentsdb] OpenTSDB Cross-site Scripting vulnerability

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 11/23/2022

An issue was discovered in OpenTSDB 2.3.0. There is XSS in the json parameter to the /q URI.
References

https://nvd.nist.gov/vuln/detail/CVE-2018-12973
https://github.com/OpenTSDB/opentsdb/issues/1240
https://github.com/advisories/GHSA-r68m-wq3x-2hqw

[io.jenkins:configuration-as-code] Jenkins Configuration as Code Plugin vulnerable to Exposure of Sensitive Information

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 11/09/2022

An exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in ConfigurationAsCode.java that allows attackers with Overall/Read access to obtain the YAML export of the Jenkins configuration. Ve…

[com.amazonaws:codedeploy] Jenkins AWS CodeDeploy Plugin has Insufficiently Protected Credentials

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 11/08/2022

Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a File and Directory Information Exposure vulnerability in AWSCodeDeployPublisher.java that can result in Disclosure of environment variables. This vulnerability appears to…

[org.graylog2:graylog2-server] Cross-site Scripting in Graylog Server

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 11/05/2022

In Graylog before 2.4.6, XSS was possible in typeahead components, related to components/common/TypeAheadInput.jsx and components/search/QueryInput.ts.
References

https://nvd.nist.gov/vuln/detail/CVE-2018-14380
https://github.com/Graylog2/graylog2-ser…

[org.elasticsearch:elasticsearch] Cross-site scripting in Elasticsearch

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 11/04/2022

Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References

https://nvd.nist.gov/vuln/detail/CVE-2014-6439
ht…

[org.apache.struts:struts2-core] Cross-Site Request Forgery in Apache Struts

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 11/04/2022

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.
References

https://nvd.nist.gov/vuln/detail/CVE-2014-7809
http://packetstormsecurity.com/f…

[struts:struts] Cross-site Scripting

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 11/04/2022

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cook…
