An Integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only…
[hermes-engine] Out-of-bounds Read and Out-of-bounds Write in Facebook Hermes
An out-of-bounds read/write vulnerability when executing lazily compiled inner generator functions in Facebook Hermes prior to commit 091835377369c8fd5917d9b87acffa721ad2a168 allows attackers to potentially execute arbitrary code via crafted JavaScript…
[hermes-engine] Access of Resource Using Incompatible Type in Facebook Hermes
A type confusion vulnerability when resolving properties of JavaScript objects with specially-crafted prototype chains in Facebook Hermes prior to commit fe52854cdf6725c2eaa9e125995da76e6ceb27da allows attackers to potentially execute arbitrary code vi…
[org.jenkins-ci.main:jenkins-core] Improper Neutralization of Input During Web Page Generation in Jenkins
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via ‘Trigger builds remotely’, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure per…
[org.jenkins-ci.main:jenkins-core] Improper Neutralization of Input During Web Page Generation in Jenkins
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-2229
https://jenkins.io/security…
[org.jenkins-ci.main:jenkins-core] Improper Neutralization of Input During Web Page Generation in Jenkins
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.
References
https://nvd.nist…
[org.jenkins-ci.plugins:matrix-auth] Improper Neutralization of Input During Web Page Generation in Jenkins Matrix Authorization Strategy Plugin
Jenkins Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-2226
https://jenkins.i…
[org.apache.activemq:artemis-commons] nsufficiently Protected Credentials in ActiveMQ Artemis
A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the resetUsers operation. A l…
[strapi] Improper Input Validation in strapi
Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitation. By sending a specially crafted request, an attacker could exploit this vulnerabili…
[org.springframework.batch:spring-batch-core] Deserialization of Untrusted Data in Spring Batch
When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known “deserialization gadgets”. Spring Batch configures Jackson w…