Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not escape the file path and the project name for the Log file field form validation, resulting in a stored cross-site scripting vulnerability exploitable by attackers with Item/Configure permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   AWS CodeCommit Trigger Plugin
*   Checkmarx Plugin
*   Digital.ai App Management Publisher Plugin
*   Dimensions Plugin
*   Maven Repository Server Plugin
*   Sonargraph Integration Plugin
*   Team Concert Plugin
*   Template Workflows Plugin

**Descriptions****CSRF protection bypass vulnerability**

**SECURITY-3135 / CVE-2023-35141**  
**Severity (CVSS):** High  
**Description:**

Jenkins provides context menus for various UI elements, like links to jobs and builds, or breadcrumbs.

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint (e.g., the Script Console) by opening a context menu.

As of publication of this advisory, we are aware of insufficiently escaped context menu URLs for label expressions, allowing attackers with Item/Configure permissions to exploit this vulnerability.

Jenkins 2.400, LTS 2.401.1 sends GET requests to load the list of context actions.

**SSL/TLS certificate validation disabled by default in Checkmarx Plugin**

**SECURITY-2870 / CVE-2023-35142**  
**Severity (CVSS):** Medium  
**Affected plugin: checkmarx**  
**Description:**

Checkmarx Plugin allows to globally enable or disable SSL/TLS validation for connections to the Checkmarx server. Checkmarx Plugin 2022.4.3 and earlier disables it by default. Unless changed by an administrator, it would cause all connections to the Checkmarx server to ignore SSL/TLS validation, thereby enabling potential man-in-the-middle attacks.

Checkmarx Plugin 2023.2.6 enables SSL/TLS validation by default. Administrators who do not want SSL/TLS validation for connections to the Checkmarx server to be disabled are advised to review their configuration.

**Missing permission checks in Team Concert Plugin**

**SECURITY-2932 / CVE pending**  
**Severity (CVSS):** Medium  
**Affected plugin: teamconcert**  
**Description:**

Team Concert Plugin 2.4.1 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Team Concert Plugin 2.4.2 requires Overall/Administer permission for the affected form validation methods.

**Missing permission check in Dimensions Plugin allows enumerating credentials IDs**

**SECURITY-3138 / CVE-2023-32261**  
**Severity (CVSS):** Medium  
**Affected plugin: dimensionsscm**  
**Description:**

Dimensions Plugin 0.9.3 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Dimensions Plugin 0.9.3.1 requires the appropriate permissions.

**Exposure of system-scoped credentials in Dimensions Plugin**

**SECURITY-3143 / CVE-2023-32262**  
**Severity (CVSS):** Medium  
**Affected plugin: dimensionsscm**  
**Description:**

Dimensions Plugin 0.9.3 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

Dimensions Plugin 0.9.3.1 defines the appropriate context for credentials lookup.

**Stored XSS vulnerability in Maven Repository Server Plugin**

**SECURITY-3156 / CVE-2023-35143**  
**Severity (CVSS):** High  
**Affected plugin: repository**  
**Description:**

Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in pom.xml.

**Stored XSS vulnerability in Maven Repository Server Plugin**

**SECURITY-2951 / CVE-2023-35144**  
**Severity (CVSS):** High  
**Affected plugin: repository**  
**Description:**

Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change project or build display names.

**Stored XSS vulnerability in Sonargraph Integration Plugin**

**SECURITY-3155 / CVE-2023-35145**  
**Severity (CVSS):** High  
**Affected plugin: sonargraph-integration**  
**Description:**

Sonargraph Integration Plugin 5.0.1 and earlier does not correctly escape the file path and the project name for the Log file field form validation.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Stored XSS vulnerability in Template Workflows Plugin**

**SECURITY-3166 / CVE-2023-35146**  
**Severity (CVSS):** High  
**Affected plugin: template-workflows**  
**Description:**

Template Workflows Plugin 41.v32d86a\_313b\_4a and earlier does not escape names of jobs used as buildings blocks for Template Workflow Job.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create jobs.

**Arbitrary file read vulnerability in AWS CodeCommit Trigger Plugin**

**SECURITY-3099 / CVE-2023-35147**  
**Severity (CVSS):** Medium  
**Affected plugin: aws-codecommit-trigger**  
**Description:**

AWS CodeCommit Trigger Plugin allows downloading activity logs of AWS Simple Queue Service (SQS) queues.

AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the queue name path parameter in the corresponding HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.

**CSRF vulnerability and missing permission checks in Digital.ai App Management Publisher Plugin**

**SECURITY-2911 / CVE-2023-35148 (CSRF), CVE-2023-35149 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: ease-plugin**  
**Description:**

Digital.ai App Management Publisher Plugin 2.6 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2870: Medium
*   SECURITY-2911: Medium
*   SECURITY-2932: Medium
*   SECURITY-2951: High
*   SECURITY-3099: Medium
*   SECURITY-3135: High
*   SECURITY-3138: Medium
*   SECURITY-3143: Medium
*   SECURITY-3155: High
*   SECURITY-3156: High
*   SECURITY-3166: High

**Affected Versions**

*   **Jenkins weekly** up to and including 2.399
*   **Jenkins LTS** up to and including 2.387.3
*   **AWS CodeCommit Trigger Plugin** up to and including 3.0.12
*   **Checkmarx Plugin** up to and including 2022.4.3
*   **Digital.ai App Management Publisher Plugin** up to and including 2.6
*   **Dimensions Plugin** up to and including 0.9.3
*   **Maven Repository Server Plugin** up to and including 1.10
*   **Sonargraph Integration Plugin** up to and including 5.0.1
*   **Team Concert Plugin** up to and including 2.4.1
*   **Template Workflows Plugin** up to and including 41.v32d86a\_313b\_4a

**Fix**

*   **Jenkins weekly** should be updated to version 2.400
*   **Jenkins LTS** should be updated to version 2.401.1
*   **Checkmarx Plugin** should be updated to version 2023.2.6
*   **Dimensions Plugin** should be updated to version 0.9.3.1
*   **Team Concert Plugin** should be updated to version 2.4.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   AWS CodeCommit Trigger Plugin
*   Digital.ai App Management Publisher Plugin
*   Maven Repository Server Plugin
*   Sonargraph Integration Plugin
*   Template Workflows Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3143, SECURITY-3155, SECURITY-3156, SECURITY-3166
*   **CC Bomber, Kitri BoB** for SECURITY-2951
*   **Daniel Beck, CloudBees Inc.** for SECURITY-2870
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2932
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-3135, SECURITY-3138
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2911
*   **Tony Torralba (@atorralba), GitHub Security Lab** for SECURITY-3099

CVE-2023-35145: Jenkins Security Advisory 2023-06-14

Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability.

CVE-2023-35144: Jenkins Security Advisory 2023-06-14

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu.

CVE-2023-35141: Jenkins Security Advisory 2023-06-14

Jenkins Template Workflows Plugin 41.v32d86a_313b_4a and earlier does not escape names of jobs used as buildings blocks for Template Workflow Job, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create jobs.

CVE-2023-35146: Jenkins Security Advisory 2023-06-14

Jenkins Checkmarx Plugin 2022.4.3 and earlier disables SSL/TLS validation for connections to the Checkmarx server by default.

CVE-2023-35142: Jenkins Security Advisory 2023-06-14

A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

CVE-2023-35149: Jenkins Security Advisory 2023-06-14

Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin <= 7.4.0 versions.

This blog post is about the WooCommerce Stripe Gateway plugin vulnerability. If you’re a WooCommerce Stripe Gateway user, please update the plugin to at least version **7.4.1**.

**Patchstack Developer and Business users are protected from the vulnerability.** You can also sign up for the Patchstack Community plan to be notified about vulnerabilities as soon as they become disclosed.

For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.

**About the WooCommerce Stripe Gateway WordPress plugin**

The plugin WooCommerce Stripe Gateway (versions **7.4.0** and below, free version), which has over 900,000 active installations is known as the most popular WooCommerce Stripe payment plugin in WordPress. This plugin is developed by WooCommerce.

This plugin is a WordPress plugin which allows you to accept payments directly on a store for web and mobile. With the plugin, customers can stay on the store during checkout instead of being redirected to an externally hosted checkout page.

This plugin suffers from an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability allows any unauthenticated user to view any WooCommnerce order’s PII data including email, user’s name, and full address. The described vulnerability was fixed in version **7.4.1** with some backported fixed version and assigned **CVE-2023-34000**.

Find out more from the Patchstack database.

The first underlying vulnerability is located on javascript_params function :

    public function javascript_params() {
        global $wp;
    
        $order_id = absint( get_query_var( 'order-pay' ) );
    
        $stripe_params = [
            'title'                    => $this->title,
            'key'                      => $this->publishable_key,
            'i18n_terms'               => __( 'Please accept the terms and conditions first', 'woocommerce-gateway-stripe' ),
            'i18n_required_fields'     => __( 'Please fill in required checkout fields first', 'woocommerce-gateway-stripe' ),
            'updateFailedOrderNonce'   => wp_create_nonce( 'wc_stripe_update_failed_order_nonce' ),
            'updatePaymentIntentNonce' => wp_create_nonce( 'wc_stripe_update_payment_intent_nonce' ),
            'orderId'                  => $order_id,
            'checkout_url'             => WC_AJAX::get_endpoint( 'checkout' ),
        ];
    
        // If we're on the pay page we need to pass stripe.js the address of the order.
        if ( isset( $_GET['pay_for_order'] ) && 'true' === $_GET['pay_for_order'] ) { // wpcs: csrf ok.
            $order_id = wc_clean( $wp->query_vars['order-pay'] ); // wpcs: csrf ok, sanitization ok, xss ok.
            $order    = wc_get_order( $order_id );
    
            if ( is_a( $order, 'WC_Order' ) ) {
                $stripe_params['billing_first_name'] = $order->get_billing_first_name();
                $stripe_params['billing_last_name']  = $order->get_billing_last_name();
                $stripe_params['billing_address_1']  = $order->get_billing_address_1();
                $stripe_params['billing_address_2']  = $order->get_billing_address_2();
                $stripe_params['billing_state']      = $order->get_billing_state();
                $stripe_params['billing_city']       = $order->get_billing_city();
                $stripe_params['billing_postcode']   = $order->get_billing_postcode();
                $stripe_params['billing_country']    = $order->get_billing_country();
            }
        }
    -----------------------------------------------------------------------------------------

Notice that the code will fetch an order object to $order variable using the $order_id variable. The $order_id variable is constructed from $wp->query_vars['order-pay']. According to the query\_vars documentation, this hook could be used to fetch parameter from the GET parameters.

The code then will construct a $stripe_params variable with details from the $order object such as user’s full name and full address. There is no orders ownership check on the rest of the function code and the function will return $order as an object.

When traced, the javascript_params variable could be called from the payment_scripts function:

    public function payment_scripts() {
    -----------------------------------------------------------------------------------------
    wp_localize_script(
        'woocommerce_stripe',
        'wc_stripe_params',
        apply_filters( 'wc_stripe_params', $this->javascript_params() )
    );
    -----------------------------------------------------------------------------------------

The wp\_localize\_script function will return a JavaScript object variable to the front-end. The overall function call could be triggered from the site’s front page and the order’s PII disclosure will be reflected back into the page source.

The second vulnerable code exist in the payment_fields function:

    public function payment_fields() {
        global $wp;
        $user                 = wp_get_current_user();
        $display_tokenization = $this->supports( 'tokenization' ) && is_checkout() && $this->saved_cards;
        $total                = WC()->cart->total;
        $user_email           = '';
        $description          = $this->get_description();
        $description          = ! empty( $description ) ? $description : '';
        $firstname            = '';
        $lastname             = '';
    
        // If paying from order, we need to get total from order not cart.
        if ( isset( $_GET['pay_for_order'] ) && ! empty( $_GET['key'] ) ) { // wpcs: csrf ok.
            $order      = wc_get_order( wc_clean( $wp->query_vars['order-pay'] ) ); // wpcs: csrf ok, sanitization ok.
            $total      = $order->get_total();
            $user_email = $order->get_billing_email();
        } else {
            if ( $user->ID ) {
                $user_email = get_user_meta( $user->ID, 'billing_email', true );
                $user_email = $user_email ? $user_email : $user->user_email;
            }
        }
    
        if ( is_add_payment_method_page() ) {
            $firstname = $user->user_firstname;
            $lastname  = $user->user_lastname;
        }
    
        ob_start();
    
        echo '<div
            id="stripe-payment-data"
            data-email="' . esc_attr( $user_email ) . '"
            data-full-name="' . esc_attr( $firstname . ' ' . $lastname ) . '"
            data-currency="' . esc_attr( strtolower( get_woocommerce_currency() ) ) . '"
        >';

The condition is the same as the first vulnerable code, there is no orders ownership check on the code and the function will output the billing email and user’s full name to the front-end.

**The patch in WooCommerce Stripe Gateway**

Since the issue is mainly because of the code not validating the fetched order ownership, checking the endpoint using the is_valid_pay_for_order_endpoint function which will check the order based on the key and ownership should fix the issue. The two patches could be seen here and here :

**Conclusion**

One of the critical flow for WooCommerce related plugin is handling order object. In many cases, order object is referenced from user input that is coming from WordPress query\_vars. Make sure to always check access control around order object by checking the order key and ownership.

**Disclosure timeline of the vulnerability**

**17 April 2023** – We found the vulnerability and reached out to the plugin vendor.  
**30 May 2023** – WooCommerce Stripe Gateway version **7.4.1** was published to patch the reported issues.  
****13 June 2023**** – Added the vulnerabilities to the Patchstack vulnerability database.  
********13 June 2023******** – Published the article.

**Help us make the internet a safer place**

Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.

*   If you’re a **plugin developer**, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
*   If you’re a **security researcher**, join Patchstack Alliance to report vulnerabilities & earn rewards.

CVE-2023-34000: Vulnerability in WooCommerce Stripe Gateway Plugin - Patchstack

Online Examination System Project version 1.0 suffers from a cross site request forgery vulnerability.

    # Exploit Title: Online Examination System Project 1.0 - Cross-site request forgery (CSRF)# Google Dork: n/a# Date: 09/06/2023# Exploit Author: Ramil Mustafayev (kryptohaker)# Vendor Homepage: https://github.com/projectworldsofficial/online-examination-systen-in-php# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip# Version: 1.0# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28# CVE : n/aOnline Examination System Project <=1.0 versions (PHP/MYSQL) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin’s consent. This is possible because the application uses GET requests to perform account deletion and does not implement any CSRF protection mechanism. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in loss of data.To exploit this vulnerability, an attacker needs to do the following:1. Identify the URL of the target application where Online Examination System Project is installed. For example, http://example.com/2. Identify the email address of a user account that the attacker wants to delete. For example, victim@example.com3. Create an HTML page that contains a hidden form with the target URL and the user email as parameters. For example:<html>  <body>    <form action="http://example.com/update.php" method="GET">      <input type="hidden" name="demail" value="victim@example.com" />    </form>    <script>      document.forms[0].submit();    </script>  </body></html>4. Host the HTML page on a server that is accessible by the admin user of the target application. For example, http://attacker.com/poc.html5. Send the URL of the HTML page to the admin user via email, social media, or any other means.If the admin user visits the URL of the HTML page, the script will submit the form and delete the user account associated with the email address from the database without the admin’s consent or knowledge.

Online Examination System Project 1.0 Cross Site Request Forgery

Piyanas version 0.1 suffers from a cross site request forgery vulnerability.

    ====================================================================================================================================| # Title     : Piyanas v0.1 User Login Page CSRF Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : http://www.piyanassystem.com/                                                                                      |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected file : /add_user.php[+] Use Payload : /admin/add_user.php[+]  http://127.0.0.1/piyanassystemcom/piyanasmember/admin/add_user.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Piyanas 0.1 Cross Site Request Forgery

Cross-Site Request Forgery (CSRF) vulnerability in Ali Irani Auto Upload Images plugin <= 3.3 versions allows Stored Cross-Site Scripting (XSS).

**Solution**

Fixed 

Update the WordPress Auto Upload Images plugin to the latest available version (at least 3.3.1).

Rasi discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Auto Upload Images Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 3.3.1.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-42880: WordPress Auto Upload Images plugin <= 3.3 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) - Patchstack

Tag

#csrf