This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25896
https://github.com/jaredhanson/passport/pull/900
https://gi…
All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the –upload-pack feature of git.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25900
https://gist.github.com/lirantal/9441f3a1212728476f7a6caa4acb2c…
deep.assign npm package 0.0.0-alpha.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’).
References
https://nvd.nist.gov/vuln/detail/CVE-2021-40663
https://github.com/janbialostok/deep-assign/is…
In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the tagName property of an Ember.View was inserted into such a string without being sanitized. This means that if a…
Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Je…
Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not escape environment names on its Deployment Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.
Reference…
Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system….
Jenkins Build Notifications Plugin 1.5.0 and earlier transmits tokens in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-34801
https://www.jenki…
Jenkins Recipe Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-34793
https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2000
https:/…
Jenkins Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
References
https://nvd.n…
