1972年のサディスティック・ミカ・バンド参加より、音楽活動50周年を迎える高橋幸宏。彼がムーンライ…
[camaleon_cms] Camaleon CMS Stored Cross-site Scripting vulnerability
In “Camaleon CMS” application, versions 0.0.1 through 2.6.0 are vulnerable to stored XSS, that allows unprivileged application users to store malicious scripts in the comments section of the post. These scripts are executed in a victim’s browser when t…
[camaleon_cms] Camaleon CMS Insufficient Session Expiration vulnerability
Camaleon CMS 0.1.7 through 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in, will still have access to the application even after the password was changed.
Refe…
[com.xebialabs.deployit.ci:deployit-plugin] Missing permission check in Jenkins XebiaLabs XL Deploy Plugin allows enumerating credentials IDs
XebiaLabs XL Deploy Plugin 10.0.1 and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be u…
[net-ldap] net-ldap has weak salt when generating passwords
The Ruby net-ldap gem before 0.16.2 uses a weak salt when generating SSHA passwords.
References
https://nvd.nist.gov/vuln/detail/CVE-2014-0083
https://github.com/ruby-ldap/ruby-net-ldap/commit/b412ca05f6b430eaa1ce97ac95885b4cf187b04a
https://bugzilla….
[org.jenkins-ci.plugins:scriptler] Stored XSS vulnerability in Jenkins Scriptler Plugin
Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.
Scriptler…
[org.jenkins-ci.plugins:performance] XXE vulnerability in Jenkins Performance Plugin
Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control workspace contents to have Jenkins parse a crafted XML report file that uses external entities for…
[org.biouno:uno-choice] Stored XSS vulnerability in Jenkins Active Choices Plugin
Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission…
[org.jenkins-ci.main:jenkins-core] Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.
Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow a…
[org.jenkins-ci.main:jenkins-core] Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.
Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow a…