TechMedia

Category: MODERATE (588 posts)

Featured

[vitess.io/vitess] vitess allows users to create keyspaces that can deny access to already existing keyspaces
[github.com/answerdev/answer] Answer vulnerable to account takeover because password reset links do not expire
[thorsten/phpmyfaq] thorsten/phpmyfaq vulnerable to improper access control
[thorsten/phpmyfaq] thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via updatecategory parameter

[org.jenkins-ci.plugins:icescrum] Jenkins iceScrum Plugin vulnerable to Cross-site Request Forgery

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 (updated 12/15/2022)

A cross-site request forgery vulnerability in Jenkins iceScrum Plugin prior to version 1.1.6 allows attackers to connect to an attacker-specified URL using attacker-specified credentials. This issue is patched in version 1.1.6.
References

https://nvd.n…

[org.jenkins-ci.plugins:depgraph-view] Jenkins Dependency Graph Viewer Plugin contains Cross-site Scripting

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 (updated 02/02/2023)

A stored cross-site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript into the plugin-provided web pages in Jenkins.
References

…

[io.jenkins.plugins:embeddable-build-status-plugin] Jenkins Embeddable Build Status Plugin contains Cross-site Scripting

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 (updated 02/01/2023)

A reflected cross-site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers to inject arbitrary HTML and JavaScript into the response of this plugin.
References

https://nvd.nist.gov/vuln/detail/CVE-2019-10…

[fat_free_crm] Fat Free CRM Cross-site Scripting vulnerability

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/25/2022 (updated 01/24/2023)

HTML injection was discovered in version 0.19.0 of Fat Free CRM via an authenticated request to the /comments URI.
References

https://nvd.nist.gov/vuln/detail/CVE-2019-10226
http://packetstormsecurity.com/files/152263/Fat-Free-CR…

[cakephp/cakephp] CakePHP 1.3.7 allows remote attackers to obtain sensitive information via a direct request to a .php file

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 (updated 01/18/2023)

CakePHP 1.3.7 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by dispatcher.php and certain other files.
References

https://nvd.nist….

[spree] Spree does not properly restrict the use of a hash to provide values for a model’s attributes

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 (updated 01/27/2023)

Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model’s attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a “mass assignment” vuln…

[spree_auth_devise] spree_auth_devise allows remote authenticated users to assign arbitrary roles to themselves

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 (updated 01/27/2023)

app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
References

https…
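Added example, not Spree's or spree_auth_devise's code, covering the two mass-assignment entries above (the Spree order state bypass and the spree_auth_devise role assignment): a plain-Ruby model that copies request parameters into attributes, first unguarded and then behind an allowlist. Model, field and parameter names are assumed for illustration; the request bodies are constructed.

```ruby
# Added example (not Spree's or spree_auth_devise's code). Record is a
# stand-in for an ActiveRecord model; field names are assumed.
class Record
  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = attrs.transform_keys(&:to_s)
  end

  # Vulnerable pattern: every key the client sends becomes an attribute,
  # so "role" or "state" are writable by anyone who can submit the form.
  def update_unsafe(params)
    params.each { |k, v| @attributes[k.to_s] = v }
    self
  end

  # Hardened pattern: only explicitly permitted keys are copied. The
  # rejected keys are returned so the caller can log or refuse the request.
  def update_permitted(params, permitted)
    allowed  = permitted.map(&:to_s)
    rejected = params.keys.map(&:to_s) - allowed
    params.each { |k, v| @attributes[k.to_s] = v if allowed.include?(k.to_s) }
    rejected
  end
end

# Constructed request bodies standing in for what a malicious client posts.
ATTACKER_USER_PARAMS  = { "email" => "mallory@example.test", "role" => "admin" }.freeze
ATTACKER_ORDER_PARAMS = { "ship_address" => "1 Main St", "state" => "complete" }.freeze

# spree_auth_devise case: a self-service profile update that also sets role.
def vulnerable_user_update
  user = Record.new("email" => "mallory@example.test", "role" => "user")
  user.update_unsafe(ATTACKER_USER_PARAMS).attributes
end

def hardened_user_update
  user = Record.new("email" => "mallory@example.test", "role" => "user")
  rejected = user.update_permitted(ATTACKER_USER_PARAMS, %w[email password])
  [user.attributes, rejected]
end

# Spree order case: a checkout update that tries to advance the order state
# past the payment step.
def hardened_order_update
  order = Record.new("ship_address" => nil, "state" => "address")
  rejected = order.update_permitted(ATTACKER_ORDER_PARAMS, %w[ship_address bill_address])
  [order.attributes, rejected]
end
```

In the Rails generation these advisories target, the allowlist lives in the model (attr_accessible / attr_protected); in Rails 4 and later it is strong parameters (params.require(:user).permit(:email, :password)). Either way the rule is the same: state, role and ownership fields are never writable from the request hash.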

[cakephp/cakephp] CakePHP allows remote attackers to read arbitrary files via XML data containing external entity references

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 (updated 01/14/2023)

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
References

https://nvd.nist.gov/v…
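Added example, not CakePHP's code: what an external-entity payload of the kind described above looks like, and a pre-parse gate in Ruby that refuses any document carrying a DTD, since that is the only place entity declarations can appear. The payload and the benign document are constructed; the function names are assumed.

```ruby
# Added example (not CakePHP's code). Constructed XXE payload: an external
# entity pointing at a local file, expanded into an element the application
# later echoes back.
XXE_PAYLOAD = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE data [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
  ]>
  <data><name>&xxe;</name></data>
XML

# Constructed benign document. Predefined entities like &amp; need no DTD.
BENIGN_DOC = <<~XML
  <?xml version="1.0"?>
  <data><name>Alice &amp; Bob</name></data>
XML

# Returns nil when the document may be handed to the parser, otherwise a
# short reason. The check runs on the raw bytes before any parsing, so a
# declared entity never reaches an expanding parser.
def xml_reject_reason(xml)
  text = xml.to_s.b # binary view: no encoding errors on hostile input
  return "DOCTYPE declaration present" if text.match?(/<!DOCTYPE\b/i)
  return "ENTITY declaration present"  if text.match?(/<!ENTITY\b/i)
  nil
end

def safe_to_parse?(xml)
  xml_reject_reason(xml).nil?
end
```

The gate is defence in depth, not the primary control: the parser itself must still be configured to not expand external entities or fetch network resources, because a DTD can also arrive through an external subset or a content-type the gate never sees.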

[sup] Sup Code Injection vulnerability

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 (updated 01/27/2023)

Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.
References

https://nvd.nist.gov/vuln/detail/CVE-2013-4478
https://github.com/sup-heli…
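Added example, not Sup's code: the shape of the attachment-filename bug above and two ways to close it. The filename is constructed; printf stands in for the real viewer command so the example is harmless to run, and it assumes a POSIX sh and a printf binary on PATH.

```ruby
require "shellwords"

# Added example (not Sup's code). Constructed attachment filename: a normal
# name followed by a shell command separator. Only the sender controls it.
EVIL_NAME = "invoice.pdf; echo INJECTED"

# Vulnerable pattern: the filename is interpolated into a command string
# that a shell parses, so the ';' ends the intended command and starts
# the attacker's. printf is the stand-in for the viewer.
def run_via_shell(filename)
  IO.popen(["sh", "-c", "printf '%s\\n' #{filename}"], &:read).lines.map(&:chomp)
end

# Fix 1: argv form. Ruby execs the program directly; no shell sees the
# string, so ';' is just a byte inside one argument.
def run_via_argv(filename)
  IO.popen(["printf", "%s\n", filename], &:read).lines.map(&:chomp)
end

# Fix 2: when a shell string is unavoidable (pipes, redirects), escape every
# untrusted token with Shellwords so the shell treats it literally.
def run_via_escaped_shell(filename)
  cmd = "printf '%s\\n' #{Shellwords.escape(filename)}"
  IO.popen(["sh", "-c", cmd], &:read).lines.map(&:chomp)
end
```

Prefer the argv form wherever possible; escaping is correct only if every untrusted fragment is escaped and the shell dialect matches what Shellwords assumes.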

[fat_free_crm] Fat Free CRM has a fixed secret token value

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 (updated 01/23/2023)

config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code.
References

…
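Added example, not Fat Free CRM's code: why a secret committed to the source tree lets anyone mint valid signed cookies, and what the fix looks like. The signing scheme is a simplified HMAC construction in the spirit of a framework session cookie, not Rails's actual format; the fixed secret, the payload and the environment variable name are constructed stand-ins.

```ruby
require "openssl"
require "securerandom"

# Added example (not Fat Free CRM's code). Constructed stand-in for a secret
# committed to the repository; anyone with the source knows it.
FIXED_SECRET_IN_SOURCE = "c0ffee" * 8

# Simplified signed cookie: base64(payload) + "--" + HMAC-SHA256 over it.
def sign_cookie(payload, secret)
  data = [payload].pack("m0")
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, data)}"
end

# Constant-time comparison so the verifier does not leak the MAC byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload if the signature checks out, nil otherwise.
def verify_cookie(cookie, secret)
  data, mac = cookie.to_s.split("--", 2)
  return nil unless data && mac
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  return nil unless secure_compare(expected, mac)
  data.unpack1("m0")
rescue ArgumentError # malformed base64
  nil
end

# The attack: mint a session for user 1 as admin with the key from the
# source tree, then see whether the application's verifier accepts it.
FORGED_PAYLOAD = '{"user_id":1,"role":"admin"}'

def forge_session(app_secret)
  forged = sign_cookie(FORGED_PAYLOAD, FIXED_SECRET_IN_SOURCE)
  verify_cookie(forged, app_secret)
end

# The fix: a per-deployment secret generated once, kept out of the source
# tree, and read at boot; refuse to start rather than fall back to a literal.
def generate_secret
  SecureRandom.hex(64)
end

def load_secret(env = ENV)
  env.fetch("SECRET_TOKEN") { raise "SECRET_TOKEN not set; generate one and export it" }
end
```

With the fixed key in place, forge_session returns the attacker's payload; once the deployment uses its own random secret, the same cookie fails verification. Rails ships `rake secret` to produce such a value.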
