Jenkins Google Calendar Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

CVE-2019-10425: Jenkins Security Advisory 2019-09-25

Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin.

CVE-2019-10407: Jenkins Security Advisory 2019-09-25

Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

CVE-2019-10416: Jenkins Security Advisory 2019-09-25

In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure).

CVE-2019-10401: Jenkins Security Advisory 2019-09-25

Jenkins Call Remote Job Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

CVE-2019-10422: Jenkins Security Advisory 2019-09-25

Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

CVE-2019-10430: Jenkins Security Advisory 2019-09-25

Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

CVE-2019-10426: Jenkins Security Advisory 2019-09-25

res_pjsip_t38 in Sangoma Asterisk 15.x before 15.7.4 and 16.x before 16.5.1 allows an attacker to trigger a crash by sending a declined stream in a response to a T.38 re-invite initiated by Asterisk. The crash occurs because of a NULL session media object dereference.

Asterisk Project Security Advisory - AST-2019-004

 

**Product**

Asterisk

**Summary**

Crash when negotiating for T.38 with a declined stream

**Nature of Advisory**

Remote Crash

**Susceptibility**

Remote Authenticated Sessions

**Severity**

Minor

**Exploits Known**

No

**Reported On**

August 05, 2019

**Reported By**

Alexei Gradinari

**Posted On**

September 05, 2019

**Last Updated On**

September 4, 2019

**Advisory Contact**

kharwell AT sangoma DOT com

**CVE Name**

CVE-2019-15297

 

**Description**

When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint responds with a declined media stream a crash will then occur in Asterisk.

**Modules Affected**

res\_pjsip\_t38.c

 

**Resolution**

If T.38 faxing is not required then setting the “t38\_udptl” configuration option on the endpoint to “no” disables this functionality. This option defaults to “no” so you have to have explicitly set it “yes” to potentially be affected by this issue.

Otherwise, if T.38 faxing is required then Asterisk should be upgraded to a fixed version.

  

**Affected Versions**

**Product**

**Release Series**

Asterisk Open Source

15.x

All releases

Asterisk Open Source

16.x

All releases

 

**Corrected In**

**Product**

**Release**

Asterisk Open Source

15.7.4,16.5.1

 

**Patches**

**SVN URL**

**Revision**

http://downloads.asterisk.org/pub/security/AST-2019-004-15.diff

Asterisk 15

http://downloads.asterisk.org/pub/security/AST-2019-004-16.diff

Asterisk 16

 

**Links**

https://issues.asterisk.org/jira/browse/ASTERISK-28495

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2019-004.pdf and http://downloads.digium.com/pub/security/AST-2019-004.html

  

**Revision History**

**Date**

**Editor**

**Revisions Made**

August 28, 2019

Kevin Harwell

Initial revision

Asterisk Project Security Advisory - AST-2019-004  
Copyright © 2019 Digium, Inc. All Rights Reserved.  
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

CVE-2019-15297: AST-2019-004

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, XSS in the domain parameter allows a low-privilege user to achieve root access via the email list page.

**Information**

    Product             : CWP Control Web Panel
    Vulnerability Name  : Cross Site Scripting
    version             : 0.9.8.837
    Fixed on            : 0.9.8.851
    Test on             : CentOS 7.6.1810 (Core)
    Reference           : http://centos-webpanel.com/
                        : https://control-webpanel.com/changelog
    CVE-Number          : CVE-2019-13476
    

  
**Description**

User add "New Mail box" with payload XSS without validation

  
**Reproduce**

1.  In user panel and browse to https://192.168.242.135:2083/cwp\_1a73dced77d0eb7f/test1/?module=email\_accounts or Click at Email Accounts under the Email Accounts and click it again like image below

  

2.  Click "Add a New MailBox"

  

3.  Fill the information

  

4.  Use BurpSuite for Intercept request then modified parameter "domain" to payloads XSS

  

5.  We can added email success the parameter "domain" without input validate

  

6.  In the List of mailbox user it's not exist after add email with xss payload, but in the admin panel added success

  

7.  Let's see in the panel admin Click Email --> Email Accounts we can see the xss payload

  

8.  Click any the button such as Change Password, Suspend, Delete XSS payload will be Executed

  

9.  In this example I'll tried to Click Change Password, XSS will be executed

!

**Timeline**

    2019-06-05: Discovered the bug
    2019-06-05: Reported to vendor
    2019-06-05: Vender accepted the vulnerability
    2019-07-17: The vulnerability has been fixed
    2019-08-20: Advisory published
    

  
**Discovered by**

    Pongtorn Angsuchotmetee
    Nissana Sirijirakal 
    Narin Boonwasanarak

CVE-2019-13476: CentOS-Control-Web-Panel-CVE/CVE-2019-13476.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account.

**Information**

    Product             : CWP Control Web Panel
    Vulnerability Name  : Cross Site Scripting
    version             : 0.9.8.837
    Fixed on            : 0.9.8.851
    Test on             : CentOS 7.6.1810 (Core)
    Reference           : http://centos-webpanel.com/
                        : https://control-webpanel.com/changelog
    CVE-Number          : CVE-2019-13476
    

  
**Description**

CVE-2019-13476 (XSS) + CVE-2019-13477 (CSRF) Can change password no need to know current password

  
**Reproduce**

1.  login as normal user

  

2.  Click at Email Accounts under the Email Accounts and click it again like image below

  

3.  Click add "New MailBox"

  

4.  add "New mail" and intercept request (use Burp suite for intercept request)

  

5.  Insert payload at parameter "domain" then click "intercept is on" in burp suite

  

6.  Payload added success (in mail box panel user it's doesn't exist after add payload XSS but in panel admin it's will exist)

Script change password (PoC.php)

  

7.  Login as user root (victim) user : root pass : P@ssw0rd

  

8.  After login we will see the left side tap and click at "Email" then click "Email Accounts" under "Email" like image below

  

9.  We can see payload

  

10.  Click any button such as Change Password, Suspend, Delete after click Payload will be executed.

  

11.  After click it's will be redirect and password has been changed password is "AttackerPassword"

  

12.  try to login with old password "P@ssw0rd" we got login failed (image below)

  

13.  Login as root and new password "AttackerPassword"

  

14.  Login success

**Timeline**

    2019-06-05: Discovered the bug
    2019-06-05: Reported to vendor
    2019-06-05: Vender accepted the vulnerability
    2019-07-17: The vulnerability has been fixed
    2019-08-20: Advisory published
    

  
**Discovered by**

    Pongtorn Angsuchotmetee
    Nissana Sirijirakal 
    Narin Boonwasanarak

Tag

#jira