Security
Headlines
HeadlinesLatestCVEs

Tag

#maven

CVE-2022-34183: Jenkins Security Advisory 2022-06-22

Jenkins Agent Server Parameter Plugin 1.1 and earlier does not escape the name and description of Agent Server parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE
Open in Source
#xss#csrf#vulnerability#web#java#auth#maven
CVE-2022-34207: Jenkins Security Advisory 2022-06-22

A cross-site request forgery (CSRF) vulnerability in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers to connect to an attacker-specified URL.

CVE-2022-34204: Jenkins Security Advisory 2022-06-22

A missing permission check in Jenkins EasyQA Plugin 1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

CVE-2022-34179: Jenkins Security Advisory 2022-06-22

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a `style` query parameter that is used to choose a different SVG image style without restricting possible values, resulting in a relative path traversal vulnerability that allows attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system.

CVE-2022-33114: SQL injection vulnerability exists in JFinal CMS 5.1.0 · Issue #38 · jflyfox/jfinal_cms

Jfinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via the attrVal parameter at /jfinal_cms/system/dict/list.

GHSA-qmx3-m648-hr74: Log Injection in Apache Sling Commons Log and Apache Sling API

Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.

CVE-2022-26173: JForum2 / Wiki / NewFeatures281

JForum v2.8.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via http://target_host:port/jforum-2.8.0/jforum.page, which allows attackers to arbitrarily add admin accounts.

Taking down the IP2Scam tech support campaign

Tech support scams follow a simple business model that has not changed much over the years. After all, why change a recipe that continues to yield large profits. We see countless such campaigns and block them indiscriminately to protect our customers from being defrauded by a fraudulent tech support agent over the phone. Every now... The post Taking down the IP2Scam tech support campaign appeared first on Malwarebytes Labs.

GHSA-gm48-83x4-84jg: Server-side request forgery in Apache Dubbo

bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.

CVE-2022-29784: 安全漏洞修复 感谢 姜洋-长亭科技 · sanluan/PublicCMS@d8d7626

PublicCMS V4.0.202204.a and below contains an information leak via the component /views/directive/sys/SysConfigDataDirective.java.