ghsa

### Impact Users using the VelaUX APIServer could be affected by this vulnerability. When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability. ### Patches For users who're using v1.6, please update the v1.6.1. For users who're using v1.5, please update the v1.5.8. ### References Fix by: #5000 ### For more information If you have any questions or comments about this advisory: * Open an issue in [KubeVela repo](https://github.com/kubevela/kubevela) * Email us at [here](https://github.com/kubevela/kubevela#contact-us)

Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via the Nest library module.

Zenario CMS 9.3.57186 is is vulnerable to Cross Site Scripting (XSS) via profile.

Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via svg,Users & Contacts.

Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via News articles.

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.

Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.

Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.