Security
Headlines
HeadlinesLatestCVEs

Tag

#js

CVE-2023-28675: Jenkins Security Advisory 2023-03-21

A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.

CVE
Open in Source
#xss#csrf#vulnerability#js#java#rce#perl#ssrf#auth
CVE-2023-28680: Jenkins Security Advisory 2023-03-21

Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28669: Jenkins Security Advisory 2023-03-21

Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.

CVE-2023-28684: Jenkins Security Advisory 2023-03-21

Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28682: Jenkins Security Advisory 2023-03-21

Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-1800: ForCVE/2023-0x05.md at main · yangyanglo/ForCVE

A vulnerability, which was classified as critical, has been found in sjqzhang go-fastdfs up to 1.4.3. Affected by this issue is the function upload of the file /group1/uploa of the component File Upload Handler. The manipulation leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-224768.

GHSA-5x5q-8cgm-2hjq: Karate has vulnerable dependency on json-smart package (CVE-2023-1370)

### Summary Karate has vulnerable dependency on the package [net.minidev:json-smart](https://github.com/netplex/json-smart-v1). More information is available at https://github.com/oswaldobapvicjr/jsonmerge/security/advisories/GHSA-493p-pfq6-5258. ![image](https://user-images.githubusercontent.com/2663049/229081854-1155c041-56fa-48ca-a7ff-f2f085b845fd.png) ### How to fix it Very simple, just upgrade json-path package to 2.8.0 (from 2.7.0) inside karate-core pom.xml ;)

CVE-2022-47192: [Update 03/03/2023] Multiple vulnerabilities in Generex UPS CS141

Generex UPS CS141 below 2.06 version, could allow a remote attacker to upload a backup file containing a modified "users.json" to the web server of the device, allowing him to replace the administrator password.

CVE-2023-28843: refs #36741 · 202ecommerce/paypal@2f6884e

PrestaShop/paypal is an open source module for the PrestaShop web commerce ecosystem which provides paypal payment support. A SQL injection vulnerability found in the PrestaShop paypal module from release from 3.12.0 to and including 3.16.3 allow a remote attacker to gain privileges, modify data, and potentially affect system availability. The cause of this issue is that SQL queries were being constructed with user input which had not been properly filtered. Only deployments on PrestaShop 1.6 are affected. Users are advised to upgrade to module version 3.16.4. There are no known workarounds for this vulnerability.

Threat Roundup for March 24 to March 31

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 24 and March 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key