GitHub

MISP MISP-maltego 1.4.4 incorrectly shares a MISP connection across users in a remote-transform use case. Version 1.4.5 contains a patch.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-12889
https://github.com/MISP/MISP-maltego/commit/3ccde66dab…

A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnera…

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the pa…

Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being ge…

All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the –info log level flag, the Gradle Logger logs an AW…

Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java
References

https://nvd.nist.gov/vuln/detail/CVE-2020-10991
https://github.com/mulesoft/apikit/issues/547
https://github.com/advisories/GHSA-jffq-528j-mp6c

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define …

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2…

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2162
https:…

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers.
References

https://nvd.nist.gov/vuln/detail/…