TechMedia

Category

MODERATE

588 Posts

Featured

Posted by Wpmaster
[vitess.io/vitess] vitess allows users to create keyspaces that can deny access to already existing keyspaces
Posted by Wpmaster
[github.com/answerdev/answer] Answer vulnerable to account takeover because password reset links do not expire
Posted by Wpmaster
[thorsten/phpmyfaq] thorsten/phpmyfaq vulnerable to improper access control
Posted by Wpmaster
[thorsten/phpmyfaq] thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via updatecategory parameter

[fat_free_crm] Fat Free CRM vulnerable to Exposure of Sensitive Information

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 / 01/23/2023

Fat Free CRM before 0.12.1 does not restrict XML serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.xml, a different vulnerability than CVE-2013-7224.
References

…

[fat_free_crm] Fat Free CRM vulnerable to SQL Injection

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 / 01/23/2023

Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature.
References
…

[fat_free_crm] Fat Free CRM allows remote attackers to obtain sensitive information via a direct request

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 / 01/23/2023

Fat Free CRM before 0.12.1 does not restrict JSON serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.json.
References

https://nvd.nist.gov/vuln/detail/CVE-2013-72…

[fat_free_crm] Fat Free CRM contains Cross-site Request Forgery vulnerabilities

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 / 01/23/2023

Multiple cross-site request forgery (CSRF) vulnerabilities in Fat Free CRM before 0.12.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to the lack of a protect_from_forgery line in app/controlle…

[fat_free_crm] Fat Free CRM subject to Cross-site Scripting

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 / 01/23/2023

Multiple cross-site scripting (XSS) vulnerabilities in app/views/layouts/application.html.haml in Fat Free CRM before 0.13.3 allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) first name, or (3) last name in a (a) c…

[sup] Sup Code Injection vulnerability

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 / 01/27/2023

lib/sup/message_chunks.rb in Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the content_type of an email attachment.
References

https://nvd.nist.gov/vuln/detail/CVE-2013…

[org.jboss.resteasy:resteasy-client] JacksonJsonpInterceptor susceptible to cross-site script inclusion (XSSI) attack

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 / 02/01/2023

JacksonJsonpInterceptor in RESTEasy might allow remote attackers to conduct a cross-site script inclusion (XSSI) attack.
References

https://nvd.nist.gov/vuln/detail/CVE-2016-6348
https://bugzilla.redhat.com/show_bug.cgi?id=1372129
https://github.com/a…

[org.jenkins-ci.plugins:docker-commons] Jenkins Docker Commons Plugin allows any user with Overall/Read permission to get list of valid credentials IDs

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 / 12/13/2022

Docker Commons Plugin provides a list of applicable credential IDs to allow users configuring a job to select the one they’d like to use to authenticate with a Docker Registry. This functionality did not check permissions, allowing any user with Overal…

[org.jenkins-ci.plugins:github-branch-source] Jenkins GitHub Branch Source Plugin vulnerable to Cross-Site Request Forgery

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 / 12/13/2022

GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any us…

[ccsv] ccsv Double Free vulnerability

  • Posted in MODERATE
  • Posted by Wpmaster
  • 05/17/2022 / 01/27/2023

The foreach function in ext/ccsv.c in Ccsv 1.1.0 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact via a crafted file.
References

https://nvd.nist.gov/vuln/detail/CVE-201…
