Jenkins Compuware zAdviser API Plugin 1.0.3 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties.
References
https://nvd.nist.gov/vuln/de…
Jenkins rhnpush-plugin Plugin 0.5.1 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker…
A cross-site request forgery (CSRF) vulnerability in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials sto…
Impact
Persistent XSS in customer module
Patches
We recommend updating to the current version 5.7.14. You can get the update to 5.7.14 regularly via the Auto-Updater or directly via the download overview.
For older versions you can use the Security Plu…
Impact
Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request mo…
Cross-site Scripting (XSS) – Reflected in GitHub repository beancount/fava prior to 1.22.2.
The query_string parameter of Fava is vulnerable to reflected cross-site scripting, for which a attacker can modify any information that the user is able to mod…
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected cross-site scripting due to the lack of escaping of error messages which contained the parameters in verbatim.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2514
…
The package grapesjs before 0.19.5 is vulnerable to Cross-site Scripting (XSS) due to an improper sanitization of the class name in Selector Manager.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-21802
https://github.com/artf/grapesjs/issues/44…
A command injection vulnerability affects all versions of the deprecated package google-cloudstorage-commands.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-28436
https://github.com/samradical/google-cloudstorage-commands/blob/master/index.js%2…
All versions of package git-archive are vulnerable to Command Injection via the exports function.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-28422
https://security.snyk.io/vuln/SNYK-JS-GITARCHIVE-1050391
https://github.com/advisories/GHSA-vq…
