Logitech has officially announced the cloud handheld gaming device that had been leaking everywhere. The name is simply 『Clo…
[Hands-on review] Samsung Galaxy Z Flip 4
Even Z Flip 3 owners should consider upgrading if the budget allows! Samsung Galaxy Z…
[org.jenkins-ci.main:jenkins-core] Jenkins vulnerable to stored cross site scripting in the l:helpIcon component
Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control…
[org.jenkins-ci.plugins:rundeck] Missing webhook endpoint authorization in Jenkins Rundeck Plugin
Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck.
References
https://nvd.nist.gov/…
[org.jenkins-ci.plugins:ws-execution-manager] CSRF vulnerability in Jenkins Worksoft Execution Manager Plugin allows capturing credentials
Worksoft Execution Manager Plugin 10.0.3.503 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified c…
[com.groupon.jenkins-ci.plugins:DotCi] Stored XSS vulnerability in Jenkins DotCi Plugin
DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to s…
[com.groupon.jenkins-ci.plugins:DotCi] Lack of authentication mechanism in Jenkins DotCi Plugin webhook
DotCi Plugin provides a webhook endpoint at /githook/ that can be used to trigger builds of the job for a GitHub repository.
In DotCi Plugin 2.40.00 and earlier, this endpoint can be accessed without authentication.
This allows unauthenticated attacker…
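Both the Rundeck advisory (webhook reachable by any Overall/Read user) and the DotCi advisory (webhook reachable with no authentication at all) come down to a root action that schedules builds without establishing that the caller is entitled to. The following is an added, hypothetical example, not code from either plugin or their fixes: an UnprotectedRootAction at /example-hook/ that accepts only POST, verifies an HMAC-SHA256 signature over the raw body against a per-job shared secret (using the X-Hub-Signature-256 header convention GitHub uses), and only then schedules the opted-in job as SYSTEM. Class and URL names are invented.

```java
// Added example, not the Rundeck or DotCi plugin's code.
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Cause;
import hudson.model.Job;
import hudson.model.JobProperty;
import hudson.model.JobPropertyDescriptor;
import hudson.model.UnprotectedRootAction;
import hudson.security.ACL;
import hudson.security.ACLContext;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Locale;

@Extension
public class ExampleWebhook implements UnprotectedRootAction {

    @Override public String getIconFileName() { return null; } // no sidebar entry
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "example-hook"; }

    // Jobs opt in by carrying this property; the secret is what the sender must know.
    public static final class ExampleHookProperty extends JobProperty<Job<?, ?>> {
        private final Secret secret;

        @DataBoundConstructor
        public ExampleHookProperty(Secret secret) { this.secret = secret; }

        public Secret getSecret() { return secret; }

        @Extension
        public static final class DescriptorImpl extends JobPropertyDescriptor {
            @Override public String getDisplayName() { return "Example webhook"; }
        }
    }

    // POST only: a GET link or image tag cannot trigger it (the Security Inspector
    // advisory below is the same missing-POST bug in a different endpoint).
    @RequirePOST
    public HttpResponse doIndex(StaplerRequest req) throws IOException {
        String jobName = req.getParameter("job");
        String sig = req.getHeader("X-Hub-Signature-256");
        byte[] body = req.getInputStream().readAllBytes();

        // The caller is anonymous on an unprotected action, so look the job up as
        // SYSTEM; otherwise getItemByFullName would hide jobs anonymous cannot read.
        AbstractProject<?, ?> job;
        try (ACLContext ignored = ACL.as(ACL.SYSTEM)) {
            job = jobName == null ? null : Jenkins.get().getItemByFullName(jobName, AbstractProject.class);
        }
        ExampleHookProperty prop = job == null ? null : job.getProperty(ExampleHookProperty.class);
        if (prop == null) {
            return HttpResponses.error(404, "no such hook"); // don't confirm job names to strangers
        }
        if (sig == null || !verify(prop.getSecret().getPlainText(), body, sig)) {
            return HttpResponses.error(403, "bad signature");
        }
        try (ACLContext ignored = ACL.as(ACL.SYSTEM)) {
            job.scheduleBuild2(0, new Cause.RemoteCause(req.getRemoteAddr(), "example-hook"));
        }
        return HttpResponses.ok();
    }

    // Constant-time check of "sha256=<hex>" against HMAC-SHA256(secret, body).
    static boolean verify(String secret, byte[] body, String header) {
        String prefix = "sha256=";
        if (!header.startsWith(prefix)) return false;
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
            StringBuilder hex = new StringBuilder();
            for (byte b : mac.doFinal(body)) hex.append(String.format("%02x", b));
            byte[] expected = hex.toString().getBytes(StandardCharsets.US_ASCII);
            byte[] given = header.substring(prefix.length()).toLowerCase(Locale.ROOT)
                    .getBytes(StandardCharsets.US_ASCII);
            return MessageDigest.isEqual(expected, given); // length mismatch returns false
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
}
```

If the endpoint is meant for logged-in Jenkins users rather than an external system, the simpler fix is to make it an ordinary RootAction and call job.checkPermission(Item.BUILD) before scheduling, so Overall/Read alone is not enough, which is the Rundeck case. Note that the check runs against the raw body bytes before any parsing; signing a re-serialized payload is a common way to make this verification silently fail or pass incorrectly.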
[org.jenkins-ci.plugins:walti] Stored XSS vulnerability in Jenkins Walti plugin
Jenkins Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti.
References
ht…
[org.jenkins-ci.plugins:security-inspector] CSRF vulnerability in Jenkins Security Inspector plugin
Security Inspector Plugin 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to replace the generated report stored in a…