Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
References
https://nvd.nist…
Awesome spawn prior to version 1.2.0 contains OS command injection vulnerability, which allows execution of additional commands passed to Awesome spawn as arguments. If untrusted input was included in command arguments, attacker could use this flaw to …
An issue in the AST parser (ast/compile.go) of Open Policy Agent v0.10.2 allows attackers to cause a Denial of Service (DoS) via a crafted input.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-33082
https://github.com/open-policy-agent/opa/issue…
ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
Refe…
Open Redirect in GitHub repository microweber/microweber prior to 1.2.19.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2252
https://github.com/microweber/microweber/commit/187e949daf7dea6f10b80da70988f0f86444eeff
https://huntr.dev/bounties/4d3…
Grav is vulnerable to Server Side Template Injection via Twig. According to a previous vulnerability report, Twig should not render dangerous functions by default, such as system.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2073
https://githu…
Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content. Draft protected images can be published by changing an exis…
Silverstripe silverstripe/framework 4.x until 4.10.9 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-41559
https://github.com/FriendsOfPHP/sec…
SilverStripe Framework through 4.10.8 allows XSS, inside of script tags that can can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed on the sanitise_server_side contig is not set to true in proje…
SilverStripe Framework 4.x prior to 4.10.9 is vulnerable to cross-site scripting inside the href attribute of an HTML hyperlink, which can be added to website content via XMLHttpRequest (XHR) by an authenticated CMS user.
References
https://github.com…
