Underground News
Archive

Month: May 2022

646 Posts

[org.mule.modules:mule-apikit-module] Improper Restriction of XML External Entity Reference in Mulesoft APIkit

  • Posted in Uncategorized
  • Posted by GitHub
  • 05/25/2022, 06/24/2022

Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-10991
https://github.com/mulesoft/apikit/issues/547
https://github.com/advisories/GHSA-jffq-528j-mp6c

[org.jenkins-ci.main:jenkins-core] Improper Neutralization of Input During Web Page Generation in Jenkins

  • Posted in Uncategorized
  • Posted by GitHub
  • 05/25/2022, 06/24/2022

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers.
References

https://nvd.nist.gov/vuln/detail/…

[org.jenkins-ci.main:jenkins-core] Improper Neutralization of Input During Web Page Generation in Jenkins

  • Posted in Uncategorized
  • Posted by GitHub
  • 05/25/2022, 06/24/2022

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2162
https:…

[org.jenkins-ci.main:jenkins-core] Cross-Site Request Forgery in Jenkins

  • Posted in Uncategorized
  • Posted by GitHub
  • 05/25/2022, 06/24/2022

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2…

[org.jenkins-ci.main:jenkins-core] Improper Neutralization of Input During Web Page Generation in Jenkins

  • Posted in Uncategorized
  • Posted by GitHub
  • 05/25/2022, 06/24/2022

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define …

[dot] Improper Control of Generation of Code in doT

  • Posted in Uncategorized
  • Posted by GitHub
  • 05/25/2022, 06/23/2022

The dot package v1.1.2 uses Function() to compile templates. This can be exploited by an attacker if they can control the given template or if they can control the value set on Object.prototype.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-81…

[blamer] Improper Neutralization of Special Elements used in an OS Command in Blamer

  • Posted in Uncategorized
  • Posted by GitHub
  • 05/25/2022, 06/29/2022

Blamer versions prior to 1.0.1 allow execution of arbitrary commands. It is possible to inject arbitrary commands as part of the arguments provided to blamer.
References

https://nvd.nist.gov/vuln/detail/CVE-2019-10807
https://snyk.io/vuln/SNYK-JS-BLA…

[org.jenkins-ci.plugins:git] Improper Neutralization of Input During Web Page Generation in Jenkins Git Plugin

  • Posted in Uncategorized
  • Posted by GitHub
  • 05/25/2022, 06/24/2022

Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2136
…

[com.mobileenerlytics.eagle.tester:eagle-tester] Plaintext Storage of a Password in Jenkins Eagle Tester Plugin

  • Posted in Uncategorized
  • Posted by GitHub
  • 05/25/2022, 06/24/2022

Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
References

https://nvd.nist.gov/vuln/detail/CVE-2…

[org.jenkins-ci.plugins.workflow:workflow-cps] Improper Input Validation in Jenkins Pipeline: Groovy Plugin

  • Posted in Uncategorized
  • Posted by GitHub
  • 05/25/2022, 06/24/2022

Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2109
https://jenkins.io/security/advisory…
