Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

McDonald’s AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Using the Password ‘123456’

Basic security flaws left the personal info of tens of millions of McDonald’s job-seekers vulnerable on the “McHire” site built by AI software firm Paradox.ai.

Wired
Open in Source
#vulnerability#web#intel#auth#sap
GHSA-q92v-3f4w-5xg8: Jenkins Applitools Eyes Plugin vulnerability exposes unencrypted keys to certain authenticated users

Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

GHSA-2g8w-9933-36vr: Jenkins Warrior Framework Plugin vulnerability exposes unencrypted passwords to certain authenticated users

Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

GHSA-jmrv-rxgr-phvr: Jenkins Applitools Eyes Plugin vulnerability does not mask API keys on its job configuration form

Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

GHSA-56h7-r62c-83qp: Jenkins Xooa Plugin vulnerability exposes unencrypted tokens to authenticated users

Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

GHSA-w4xv-mj6v-p4g2: Jenkins User1st uTester Plugin vulnerability exposes unencrypted token to authenticated users

Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

GHSA-8gp3-m447-gw2v: Jenkins VAddy Plugin vulnerability exposes plaintext keys on its job configuration form

Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

GHSA-23j7-px3w-jwp2: Jenkins Xooa Plugin vulnerability does not mask its Xooa Deployment Token

Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it.

GHSA-8wp4-r84g-gcmw: Jenkins Testsigma Test Plan vulnerability exposes API keys via job configuration form

Jenkins Testsigma Test Plan run Plugin stores Testsigma API keys in job `config.xml` files on the Jenkins controller as part of its configuration. While these API keys are stored encrypted on disk, in Testsigma Test Plan run Plugin 1.6 and earlier, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them. As of publication of this advisory, there is no fix.

GHSA-jxwj-qccf-4896: Jenkins IFTTT Build Notifier Plugin vulnerability exposes IFTTT Maker Channel Keys

Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix.