Jenkins RQM Plugin 2.8 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capt…
[com.xebialabs.ci:xlrelease-plugin] CSRF vulnerability in Jenkins XebiaLabs XL Release Plugin allow capturing credentials
XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified crede…
[net.praqma:matrix-reloaded] Jenkins Matrix Reloaded Plugin vulnerable to Stored XSS
Jenkins Matrix Reloaded Plugin 1.1.3 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
References
https://nvd.nist.gov/vuln/…
[com.xebialabs.ci:xlrelease-plugin] Missing permission checks in Jenkins XebiaLabs XL Release Plugin allow capturing credentials
Missing permission checks in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, c…
[hudson.plugins:project-inheritance] Jenkins Project Inheritance Plugin vulnerable to cross site scripting
Jenkins Project Inheritance Plugin 21.04.03 and earlier does not escape the reason a build is blocked in tooltips, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control the reason a queue item is blocked.
Refe…
[net.praqma:matrix-reloaded] Jenkins Matrix Reloaded Plugin vulnerable to CSRF
Jenkins Matrix Reloaded Plugin 1.1.3 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to rebuild previous matrix builds.
References
htt…
[org.jenkins-ci.plugins:plot] Cross-site Scripting in Jenkins Plot Plugin
Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3478…