SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.

CVE-2019-16294: Scintilla

Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Aqua Security Serverless Scanner Plugin
*   Beaker builder Plugin
*   Build Environment Plugin
*   Dashboard View Plugin
*   Git client Plugin
*   Script Security Plugin

**Descriptions****System command execution vulnerability in Git client Plugin**

**SECURITY-1534 / CVE-2019-10392**  
**Severity (CVSS):** High  
**Affected plugin: git-client**  
**Description:**

Git client Plugin accepts user-specified values as argument to an invocation of git ls-remote to validate the existence of a Git repository at the specified URL. This was implemented in a way that allowed attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as.

Git client Plugin now rejects repository URLs that do not appear to be valid URLs. Additionally, for versions of Git that support it, the repository URL argument is separated from option arguments using the -- separator to prevent interpretation as an option.

As of publication of this advisory, no update for users of prerelease versions of 3.x such as 3.0.0-rc is available. Users of Git client Plugin 3.0.0-rc are advised to downgrade to 2.8.5 (and downgrade Git Plugin from 4.0.0-rc to the latest 3.x release to resolve dependency problems).

**Sandbox bypass vulnerability in Script Security Plugin**

**SECURITY-1538 / CVE-2019-10393, CVE-2019-10394, CVE-2019-10399, CVE-2019-10400**  
**Severity (CVSS):** High  
**Affected plugin: script-security**  
**Description:**

Sandbox protection in Script Security Plugin could be circumvented through any of the following:

*   Crafted method names in method call expressions (CVE-2019-10393)
    
*   Crafted property names in property expressions on the left-hand side of assignment expressions (CVE-2019-10394)
    
*   Crafted property names in property expressions in increment and decrement expressions (CVE-2019-10399)
    
*   Crafted subexpressions in increment and decrement expressions not involving actual assignment (CVE-2019-10400)
    

This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

These expressions are now subject to sandbox protection.

**Stored XSS vulnerability in Build Environment Plugin**

**SECURITY-1476 / CVE-2019-10395**  
**Severity (CVSS):** Medium  
**Affected plugin: build-environment**  
**Description:**

Build Environment Plugin did not escape values of environment variables shown on its views. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the values of build environment variables, typically users with Job/Configure or Job/Build permission.

Jenkins applies the missing escaping by default since 2.146 and LTS 2.138.2, so newer Jenkins releases are not affected by this vulnerability.

Build Environment Plugin now escapes all variables displayed in its views.

**Stored XSS vulnerability in Dashboard View Plugin**

**SECURITY-1489 / CVE-2019-10396**  
**Severity (CVSS):** Medium  
**Affected plugin: dashboard-view**  
**Description:**

Dashboard View Plugin did not escape the build description on the Latest Builds View. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the description of builds shown on that view.

Dashboard View Plugin now applies the configured markup formatter to the build description, rendering it as it appears elsewhere in Jenkins.

**Aqua Security Serverless Scanner Plugin showed plain text password in job configuration form fields**

**SECURITY-1509 / CVE-2019-10397**  
**Severity (CVSS):** Low  
**Affected plugin: aqua-serverless**  
**Description:**

Aqua Security Serverless Scanner Plugin stores service passwords in job configurations.

While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Aqua Security Serverless Scanner Plugin no longer transmits the password form field in plain text.

**Beaker builder Plugin stored credentials in plain text**

**SECURITY-1545 / CVE-2019-10398**  
**Severity (CVSS):** Low  
**Affected plugin: beaker-builder**  
**Description:**

Beaker builder Plugin stored the Beaker password unencrypted on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.

Beaker builder Plugin now stores these credentials encrypted.

**Severity**

*   SECURITY-1476: Medium
*   SECURITY-1489: Medium
*   SECURITY-1509: Low
*   SECURITY-1534: High
*   SECURITY-1538: High
*   SECURITY-1545: Low

**Affected Versions**

*   **Aqua Security Serverless Scanner Plugin** up to and including 1.0.4
*   **Beaker builder Plugin** up to and including 1.9
*   **Build Environment Plugin** up to and including 1.6
*   **Dashboard View Plugin** up to and including 2.11
*   **Git client Plugin** up to and including 2.8.4
*   **Script Security Plugin** up to and including 1.62

**Fix**

*   **Aqua Security Serverless Scanner Plugin** should be updated to version 1.0.5
*   **Beaker builder Plugin** should be updated to version 1.10
*   **Build Environment Plugin** should be updated to version 1.7
*   **Dashboard View Plugin** should be updated to version 2.12
*   **Git client Plugin** should be updated to version 2.8.5
*   **Script Security Plugin** should be updated to version 1.63

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Francesco Soncina - ABN AMRO Red Team - https://iwantmore.pizza** for SECURITY-1534
*   **James Holderness, IB Boost** for SECURITY-1509, SECURITY-1545
*   **Nils Emmerich of ERNW Research GmbH** for SECURITY-1538
*   **Viktor Gazdag NCC Group** for SECURITY-1476, SECURITY-1489

CVE-2019-10392: Jenkins Security Advisory 2019-09-12

An issue was discovered in the chttp crate before 0.1.3 for Rust. There is a use-after-free during buffer conversion.

**RUSTSEC-2019-0016**

Use-after-free in buffer conversion implementation

Reported

September 1, 2019

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

chttp (crates.io)

Type

Vulnerability

Keywords

#memory-management #memory-corruption

Aliases

*   CVE-2019-16140
*   GHSA-5rrv-m36h-qwf8

References

*   https://github.com/sagebind/isahc/issues/2

CVSS Score

9.8 CRITICAL

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

*   >=0.1.3

Unaffected

*   <0.1.1

**Description**

The From implementation for Vec was not properly implemented, returning a vector backed by freed memory. This could lead to memory corruption or be exploited to cause undefined behavior.

A fix was published in version 0.1.3.

Advisory available under CC0-1.0 license.

CVE-2019-16140: Use-after-free in buffer conversion implementation › RustSec Advisory Database

CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature.

*   Details
*   Reviews
*   Installation
*   Development

Sell tickets and collect RSVPs with the free Event Tickets plugin, from the team behind the number one calendar in WordPress.

This plugin makes it easy to sell tickets, collect registrations, and manage attendees for your in-person or virtual events. Plus, it comes with features backed by our world-class team of developers and designers. Easily integrate Event Tickets with your Stripe account or PayPal business account.

Connect to Stripe and take advantage of one of the world’s most popular payment gateways. Our Stripe integration lets you accept credit card payments on your website, along with additional payment methods including AfterPay, ClearPay, AliPay, Giropay, and Klarna.

See more videos on our YouTube channel

Easily connect to PayPal without any complicated API keys or code through our quick connection wizard in your WordPress backend. With just a few clicks, you can begin selling tickets and enable payment through PayPal, Venmo, and credit cards.

Even more, you can upgrade to Event Tickets Plus and unlock additional payment methods including digital wallets like ApplePay and Google Pay through Stripe, or use WooCommerce to take advantage of popular payment solutions including Braintree, Square, AmazonPay, and more.

**🎟️ Ticketing and Registration for WordPress**

See Event Tickets in action on our demo site. Just getting started? Check out the Getting Started Guide for an introduction to features, settings, and functionality.

Looking for additional features like custom registration fields, QR check-in, Zoom integration, and more? **Check out Event Tickets Plus and our other add-ons**.

**🔌🎨 Plug and Play or Customize**

Event Tickets is built to work out of the box. Just install the plugin, configure your settings, and start collecting RSVPs and selling tickets in minutes.

Add your own touch by using Event Tickets as the foundation for customization. Personalize to your heart’s content with the help of a skeleton stylesheet, partial template overrides, template tags, hooks and filters, careful documentation, and a library of free extensions.

Whether your vision is big or small, you’re in good company. Thousands of small businesses, musicians, venues, restaurants, and non-profits are increasing revenue from their in-person and virtual events with Event Tickets. Our plugins have also been scaled to work on large networks for Fortune 100 companies, universities, and government institutions.

**✨ Features**

✔️ Attendees can purchase tickets to events  
✔️ Attendees can RSVP to events  
✔️ Sell tickets with PayPal and/or Stripe using our free commerce solution, Tickets Commerce.  
✔️ Add RSVPs and tickets to posts, pages, or custom post types  
✔️ Collect ticket fees by connecting your PayPal business or Stripe account  
✔️ Generate sales and attendee reports  
✔️ Ticket stock countdown  
✔️ Automatic ticket confirmation emails  
✔️ Works out of the box with The Events Calendar  
✔️ Responsive design works on all devices  
✔️ Tested on the major theme frameworks such as Avada, Genesis, Kadence, Thesis and many more.  
✔️ Internationalized & translated  
✔️ Extensive template tags for customization  
✔️ Hooks & filters galore  
✔️ Library of extensions

Upgrade to Event Tickets Plus for full WooCommerce integration to use additional payment gateways.

**📃 Documentation**

All of our documentation can be found in our knowledgebase.

Additional helpful links:

*   Guide: Getting Started with Event Tickets
*   Installing Event Tickets Video
*   Using Tickets Commerce Video
*   Do I need Event Tickets or Event Tickets Plus?
*   How to Make Money with Virtual Events
*   Implementing Stripe on Event Tickets and Event Tickets Plus

If you have any questions about this plugin, you can post a thread in the WordPress.org forum. Please search existing threads before starting a new on

**➕ Add-Ons**

Take your calendar to the next level by pairing it with our plugins for ticketing, crowdsourcing, email marketing, and more. Learn more about all our products on our website.  
Our Free Plugins:  
📅 The Events Calendar  
📐 Advanced Post Manager

Our Premium Plugins and Services:

⚡ Events Calendar Pro  
↪️ Event Aggregator (service)  
🎟️ Event Tickets Plus  
✉️ Promoter  
👥 Community Events  
🎟️ Community Tickets  
✏️ Filter Bar  
🗓️ Eventbrite Tickets  
📡 Virtual Events

**Help**

If you aren’t familiar with Event Tickets, check out our Getting Started Guide. It will have you creating tickets in no time.

Ready to dig deeper? Check out these resources:

*   Tutorials
*   Known Issues
*   Help Videos
*   Release Notes

We check in on the Event Tickets forum here on WordPress.org about once a week to help users with basic troubleshooting and identifying bugs. If you’re looking for premium, personalized support, consider upgrading to Event Tickets Plus.

Still have a question? Shoot us an email at support@theeventscalendar.com.

**Translate**

Event Tickets is translated into multiple languages, including German, Danish, and Dutch. Help localize Event Tickets even further by adding your locale – visit translate.wordpress.org.

1.  From the dashboard of your site, navigate to Plugins –> Add New.
2.  Select the Upload option and hit “Choose File.”
3.  When the popup appears select the event-tickets.x.x.zip file from your desktop. (The ‘x.x’ will change depending on the current version number).
4.  Follow the on-screen instructions and wait as the upload completes.
5.  When it’s finished, activate the plugin via the prompt. A message will show confirming activation was successful.
6.  For access to new updates, make sure you have added your valid License Key under Tickets –> Settings –> Licenses.

**Are there any troubleshooting steps I should try before I post a new thread in the support forum?**

First, make sure that you’re running the latest version of Event Tickets. If you’ve got any other add-ons, make sure those are current and running the latest code as well. Also be sure to check our knowledgebase.

The most common issues we see are either plugin or theme conflicts. You can test if a plugin or theme is conflicting by manually deactivating other plugins until just Event Tickets is running on your site. If the issue persists, revert to the default Twenty Twenty theme. If the issue is resolved after deactivating a specific plugin or your theme, you’ll know that is the source of the conflict.

Note that we aren’t going to say “tough luck” if you identify a plugin/theme conflict. While we can’t guarantee 100% integration with any plugin or theme out there, we will do our best (and reach out the plugin/theme author as needed) to figure out a solution that benefits everyone.

**I’m still stuck. Where do I go to file a bug or ask a question?**

Free plugin users can post in the Event Tickets support forum on WordPress.org. Our team reviews that forum weekly to look for bug reports.

If you’re already an Event Tickets Plus subscriber, you’re entitled to our actively-monitored Premium Support on our website. Generally, except in times of increased support loads, we reply to all premium support tickets within 24 hours during the business week.

**What’s the difference between Event Tickets and Events Tickets Plus?**

Event Tickets is our free ticketing plugin that has all the basics you need to sell tickets and collect RSVPs on your website. You can use Event Tickets with or without The Events Calendar.

Event Tickets Plus is a premium plugin that runs alongside Event Tickets and enhances it with extra features, including custom registration fields, shortcodes, WooCommerce integration, enhanced Stripe functionality for Stripe for Tickets Commerce, our mobile ticketing app and more.

Read more to learn which plugin is right for you.

**Do I need The Events Calendar to run Event Tickets?**

Nope! Event Tickets works with or without The Events Calendar. Even if you don’t have The Events Calendar, you can create RSVPs and tickets on WordPress pages and posts.

**Can I email attendees using Event Tickets?**

Yes. Event Tickets automatically sends an email confirmation after attendees register or RSVP for an event. If the attendee purchases a ticket, the confirmation email will also provide a ticket to scan at the door for admission.

**What add-ons are available for Event Tickets, and where can I read more about them?**

The following add-ons are available for The Events Calendar:

*   Events Calendar Pro, for adding premium calendar features like recurring events, advanced views, cool widgets, shortcodes, additional fields, and more!
*   Event Aggregator, a service that effortlessly fills your calendar with events from Meetup, Google Calendar, iCalendar, Eventbrite, CSV, and ICS.
*   Virtual Events, which optimizes your calendar for virtual events including Zoom integration, video and livestream embeds, SEO optimization for online events and more.
*   Event Tickets Plus, which allows you to sell tickets for your events using your favorite e-commerce platform.
*   Promoter, automated email communication made just for The Events Calendar and Event Tickets. Stay in touch with your attendees every step of the way.
*   Community Events, for allowing frontend event submission from your readers.
*   Community Tickets, which allows event organizers to sell tickets to the events they submit via Community Events.
*   Filter Bar, for adding advanced frontend filtering capabilities to your events calendar.
*   Eventbrite Tickets, for selling tickets to your event directly through Eventbrite.

**I have a feature idea. What’s the best way to tell you about it?**

We’ve got a LoopedIn page where we’re actively watching for feature ideas from the community. Vote up existing feature requests or add your own, and help us shape the future of the products business in a way that best meets the community’s needs.

**I’ve still got questions. Where can I find answers?**

Check out our extensive knowledgebase for articles on using, tweaking, and troubleshooting our plugins.

Both my client and myself are very disappointed with the modernization process of TEC + Tickets Pro to the Block Editor. Every step has been painful for over 6 months. We’ll be replacing this with a competing plugin.

Email support was good. Apart from referring to the manuals, as they should, they still investigated further and gave us a solution for our problem. Well done!

So many bug when it comes to payment and support is so so so slow. I am losing sales because to this. Using Stripe: Apple pay freezes No Way to turn off Apple Pay, turning it off doesnt save Can't validate webhook Support keeps asking me to create a staging to test, sure, but they take a week to reply. Some support staff even told me they have no experience with apple pay and it is not their feature, i mean...come on...its right there in your setting

Followed the documentation, but cannot get Stripe to validate webhook. Read other support threads and have confirmed that everything is in order as per the documentation. I was testing out the plugin, but given the time wasted, there is no way I will continue to use it to sell tickets if the free version which includes a 2% fee doesn't work, why would I bother upgrading to the premium version. Seem to much of a risk. Also, looking at people comments, it seems support is slow (they are constantly away from the office/out of the office. Look at other plugins out there.

Constant issues. Nearly impossible to make work. Stops working for no apparent reason. I make websites, used probably hundreds of different plugins over the years. This is in the top 5 worst. There is an easy/user friendly way to do things. This plugin does the opposite in nearly every avenue.

Despite having over 18 months of warning from EDD that their plugin needed updating, they have failed to make any progress whatsoever. They use incompatible, depreciated methods which means tickets sold do not have the attendees details saved, just the purchaser. If I could give this negative stars, I would.

Read all 130 reviews

“Event Tickets and Registration” is open source software. The following people have contributed to this plugin.

Contributors

**\[5.5.8\] 2023-02-22**

*   Version – Event Tickets 5.5.8 is only compatible with The Events Calendar 6.0.10 and higher.
*   Version – Event Tickets 5.5.8 is only compatible with Event Tickets Plus 5.6.7 and higher.
*   Tweak – PHP version compatibility bumped to PHP 7.4
*   Tweak – Version Composer updated to 2
*   Tweak – Version Node updated to 18.13.0
*   Tweak – Version NPM update to 8.19.3
*   Tweak – Reduce JavaScript bundle sizes for Blocks editor

**\[5.5.7\] 2023-02-09**

*   Enhancement – Added currency format options to alter currency decimal separator, thousand separator, and number of decimal places. \[ET-1608\]
*   Tweak – Updated Currency options in Tickets Commerce settings for Croatian users from Kuna (HRK) to Euro (EUR). \[ET-1625\]
*   Tweak – Updated Attendee Registration Fields upsell notice to only display in admin dashboard. \[CT-67\]
*   Fix – Resolve provisional IDs properly on the event edit screen for ticket management actions. \[ET-1632\]
*   Fix – Fixed Ticket Commerce cart cookies not getting saved. \[ET-1629\]
*   Language – 28 new strings added, 189 updated, 5 fuzzied, and 3 obsoleted

**\[5.5.6\] 2023-01-16**

*   Tweak – Updated the settings description for stock handling options. \[ET-1603\]
*   Tweak – Added the tribe-tickets__tickets-item--shared-capacity wrapper class for tickets having shared capacity. \[ETP-841\]
*   Tweak – Added a dashboard notice for sites running PHP versions lower than 7.4 to alert them that the minimum version of PHP is changing to 7.4 in February 2023.
*   Enhancement – Added search capabilities to the Tickets Commerce Orders report page. \[ET-1259\]
*   Fix – Allow loading attendance page with event_id params that use The Events Calendar provisional IDs. \[ET-1624\]
*   Language – 4 new strings added, 43 updated, 0 fuzzied, and 2 obsoleted

**\[5.5.5\] 2022-12-08**

*   Fix – Remove need for Platform Controls to verify webhook signatures in Stripe. \[ET-1508\]
*   Fix – Fixed the order of tickets in an event changing when you haven’t manually requested it. \[ET-1568\]
*   Fix – Fixed shared capacity tickets only showing the lowest capacity between the shared pool tickets. \[ETP-815\]
*   Tweak – Removed locale param for Tickets Commerce JS SDK as per PayPal recommendation. \[ET-1615\]
*   Language – 110 new strings added, 193 updated, 5 fuzzied, and 24 obsoleted

**\[5.5.4\] 2022-11-09**

*   Fix – Fixes multiple of the same ticket form being on the same page being out of sync. \[GTRIA-729\]
*   Fix – Added a JS event that checks for attendee label validation if ET+ is active. \[ETP-803\]

**\[5.5.3\] 2022-10-31**

*   Fix – Orderby param not working for Attendee archive REST API. \[ET-1591\]
*   Fix – Properly save the check-in details for attendees on check-in. \[ETP-819\]
*   Fix – TicketsCommerce ticketed events not showing up for Events REST API. \[ET-1567\]
*   Fix – Update version of Firebase/JWT in Common from 5.x to 6.3.0
*   Enhancement – Added support for name and email param for searching in Attendee archive REST API. \[ET-1591\]
*   Enhancement – Add template tag to properly check if The Events Calendar is active. \[ETP-820\]
*   Enhancement – Add attendance information to the events REST API endpoint. \[ET-1580\]
*   Enhancement – Add check_in argument support for attendees REST API endpoint. \[ET-1588\]
*   Language – 0 new strings added, 18 updated, 0 fuzzied, and 0 obsoleted

**\[5.5.2\] 2022-10-20**

*   Fix – Update version of Firebase/JWT in Common from 5.x to 6.3.0

**\[5.5.1\] 2022-09-22**

*   Fix – Listing tickets is no longer limited by the global settings. \[ET-1584\]
*   Fix – Correct parameter type hinting when param can be null. \[ET-1582\]
*   Fix – Showing Checkout not available and credit card fields at the same time for PayPal gateway in TicketsCommerce. \[ETP-812\]
*   Language – 0 new strings added, 1 updated, 0 fuzzied, and 0 obsoleted

**\[5.5.0\] 2022-09-06**

*   Version – Event Tickets 5.5.0 is only compatible with The Events Calendar 6.0.0 and higher.
*   Version – Event Tickets 5.5.0 is only compatible with Event Tickets Plus 5.6.0 and higher.
*   Enhancement – Adds a compatibility layer to work with the new Recurrence Backend Engine in TEC/ECP.
*   Language – 4 new strings added, 49 updated, 0 fuzzied, and 3 obsoleted

See changelog for all versions

CVE-2019-16120: Event Tickets and Registration

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

CVE-2019-16056: Issue 34155: [CVE-2019-16056] email.utils.parseaddr mistakenly parse an email

A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

**Summary**

A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

**Tested Versions**

Epignosis eFront LMS v5.2.12

**Product URLs**

https://www.efrontlearning.com/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-502 - Deserialization of Untrusted Data

**Details**

Cisco Talos discovered that the application deserialized untrusted data without properly limiting or validating the incoming data type.

The following proof of concept demonstrates the issue:

    POST /audiences/add/1 HTTP/1.1
    Host: [IP]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://[IP]/audiences/add/1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 168
    DNT: 1
    Connection: close
    Cookie: PHPSESSIDfb411=aaaaaaaa;
    Upgrade-Insecure-Requests: 1
    
    ratio=undefined&_qf__audience_properties_form=&qfS_csrf=abc&name=[UNSERIALIZED DATA]&description=jh&active=1&branches_ID=&submit=Add
    

The following code is responsible for all observed unsafe unserializations:

    205     public function set($property, $value, $type = null) {
    206         // $this->$property translates to the variable name, for example $this->_name or $this->_address:
    207         if ($value !== $this->$property) {
    208             // The default type to check against is 'generic', which cuts off non-scalar values:
    209             !empty($type) OR $type = 'generic';
    210
    211             if (!empty($value) && BaseModel::checkParameter($value, $type) === false) {
    212                 throw new EfrontException("Invalid type '{$type}' for '{$property}'");
    213             }
    214
    215             if ($value && $type == 'generic' && @unserialize($value) === false) {
    216                 $value = htmlspecialchars(strip_tags($value), ENT_COMPAT, 'UTF-8',false);
    217             } else if ($value && $type == 'wysiwig') {
    218                 $value = TemplateController::purify($value);
    219             }
    220
    221             $this->$property = $value;
    222             $this->_must_persist = true;
    223         }
    224
    225         return $this;
    226     }
    

Forms submitted to the following URLs were discovered to be vulnerable:

    http://[IP]/Banners/add/1 [name parameter]
    http://[IP]/Glossary/add/1 [term parameter]
    http://[IP]/RandomDataPopulator/add/1 [name parameter]
    http://[IP]/audiences/add/1 [name parameter]
    http://[IP]/branches/add/1 [name parameter]
    http://[IP]/categories/add/1 [name parameter]
    http://[IP]/certificates/add/1 [name parameter]
    http://[IP]/curriculums/add/1 [name parameter]
    http://[IP]/discussions/course-id/180/add-topic/1/popup/1 [title parameter]
    http://[IP]/jobs/add/1 [name parameter]
    http://[IP]/payments/op/price_tracks/add/1 [discount_type parameter]
    http://[IP]/reports/op/courses [filter_name parameter]
    http://[IP]/skill-tests/add/1/quick-add/1 [name parameter]
    http://[IP]/skills/add/1 [name parameter]
    

**Timeline**

2019-07-29 - Vendor disclosure  
2019-07-31 - Vendor acknowledged issues under review  
2019-08-13 - Vendor acknowledged work to fix issues & testing  
2019-08-30 - Vendor patched/released new version  
2019-09-03 - Public disclosure

CVE-2019-5069: TALOS-2019-0858 || Cisco Talos Intelligence Group

In FreeBSD 12.0-STABLE before r350637, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350638, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bsnmp library is not properly validating the submitted length from a type-length-value encoding. A remote user could cause an out-of-bounds read or trigger a crash of the software such as bsnmpd resulting in a denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

============================================================================FreeBSD-SA-19:20.bsnmp                                      Security Advisory  
                                                          The FreeBSD Project

Topic:          Insufficient message length validation in bsnmp library

Category:       contrib  
Module:         bsnmp  
Announced:      2019-08-06  
Credits:        Guido Vranken <guidovranken@gmail.com>  
Affects:        All supported versions of FreeBSD.  
Corrected:      2019-08-06 16:11:16 UTC (stable/12, 12.0-STABLE)  
                2019-08-06 17:12:17 UTC (releng/12.0, 12.0-RELEASE-p9)  
                2019-08-06 16:12:43 UTC (stable/11, 11.3-STABLE)  
                2019-08-06 17:12:17 UTC (releng/11.3, 11.3-RELEASE-p2)  
                2019-08-06 17:12:17 UTC (releng/11.2, 11.2-RELEASE-p13)  
CVE Name:       CVE-2019-5610

For general information regarding FreeBSD Security Advisories,  
including descriptions of the fields above, security branches, and the  
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The bsnmp software library is used for the Internet SNMP (Simple Network  
Management Protocol).  As part of this it includes functions to handle ASN.1  
(Abstract Syntax Notation One).

II.  Problem Description

A function extracting the length from type-length-value encoding is not  
properly validating the submitted length.

III. Impact

A remote user could cause, for example, an out-of-bounds read, decoding of  
unrelated data, or trigger a crash of the software such as bsnmpd resulting  
in a denial of service.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or  
release / security branch (releng) dated after the correction date.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64  
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch  
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable  
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the  
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch  
# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch.asc  
# gpg --verify bsnmp.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src  
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as  
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each  
affected branch.

Branch/path                                                      Revision  
- -------------------------------------------------------------------------  
stable/12/                                                        r350637  
releng/12.0/                                                      r350646  
stable/11/                                                        r350638  
releng/11.3/                                                      r350646  
releng/11.2/                                                      r350646  
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the  
following command, replacing NNNNNN with the revision number, on a  
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5610>

The latest revision of this advisory is available at  
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:20.bsnmp.asc>  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt1lfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD  
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n  
5cKtBBAAltxFzxuMqWCgJoL9SemLRQxGGk0hRFdN5b78mgVdk2lfDgVz8U7mVM6v  
XbcCa4lIy7wMYpUdEySAZLR2ENt0xdpx7oQ6lAg5fnnvrUvom4wU9ruxEs5txFVL  
K6RaJnQJyOkI2c/LYvI/ZYmuc29/Nt3p/DvVe7wq86taoqUufN11MXkrRHgn68N3  
7vewixzWpqH5L/aY2qP1d+Xe3QmHX0IcFqeo4U3/3G4wUGRCfHtaENY4w5eUbCa2  
1Qk0oS9iUdX1IJjM5l1ccoFqsjbcO6vNS337qeYNKhLspXMQPwoS0K0HfB6LKt1D  
dCBFoXu/qUFjf3qqbpcqGEFrFPZjlNmC4R0Ngx1rfZ1t1dXbj83NOOE1okd3Gb/V  
TPDU/jzwt+/6DE6ryNQpeanPdim83w/j+qeA0UaTyxlbj+oSz1gU9Ckaauf+9peI  
GT8TPnrgmFlYg2tkYl4tbq5LtRstPGZYguqEt5SHCxBOg3dxByMPzikSFUL9oNxS  
9GX7JZT36J20f62hG8Watp2y3W0QsMjJpxF9OojRU6B15Z4Q2aCht4F6DnvEkVfN  
1GvS5NAHPHU09TniSgYK3ThkoYrLYykhsXPmJmETV7DU1Qhny1p8H0NwIwB20DEm  
AOAcYzLhiXHGpniE5y+MT9Pvt3BDBt36k6WgZ4eZ4RWuzGOumiU=rH6X  
-----END PGP SIGNATURE-----

CVE-2019-5610: FreeBSD Security Advisory - FreeBSD-SA-19:20.bsnmp ≈ Packet Storm

Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Deprecated: IBM AppScan Plugin
*   Splunk Plugin

**Descriptions****Stored XSS vulnerability in update center**

**SECURITY-1453 / CVE-2019-10383**

Jenkins did not properly escape the update site URL in some status messages shown in the update center, resulting in a stored cross-site scripting vulnerability that is exploitable by administrators and affects other administrators.

Jenkins now escapes the update site URL in status messages shown in the update center.

**CSRF protection tokens for anonymous users did not expire in some circumstances**

**SECURITY-1491 / CVE-2019-10384**

Jenkins allowed the creation of CSRF tokens without a corresponding web session ID. This is the result of an incomplete fix for SECURITY-626 in the 2019-07-17 security advisory. This allowed attackers able to obtain a CSRF token without associated session ID to implement CSRF attacks with the following constraints:

*   The token had to be created for the anonymous user (and could only be used for actions the anonymous user can perform).
    
*   The victim’s IP address needed to remain unchanged (unless the proxy compatibility option was enabled).
    
*   The victim must not have a valid web session at the time of the attack.
    

CSRF token generation now creates a web session if none exists yet, so that the lack of a web session ID cannot be exploited.

This fix may impact scripts that obtain a crumb from the crumb issuer API. They may need to be updated to retain the session ID for subsequent requests. For further information, see the LTS upgrade guide.

As a workaround, administrators can remove any permissions granted to the anonymous user so that no privileged actions can be taken. Alternatively, the Strict Crumb Issuer Plugin can be used instead of the built-in default crumb issuer to prevent this issue, because the vulnerability is not present in the plugin.

**Sandbox Bypass in Splunk Plugin**

**SECURITY-1294 / CVE-2019-10390**

Splunk Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins controller by applying AST transforming annotations such as @Grab to source code elements.

The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations.

**Deprecated: IBM AppScan Plugin showed plain text password in job configuration form fields**

**SECURITY-1512 / CVE pending**

Deprecated: IBM AppScan Plugin stores service passwords in job configurations.

While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Deprecated: IBM AppScan Plugin no longer transmits the password form field in plain text.

**Severity**

*   SECURITY-1294: High
*   SECURITY-1453: Medium
*   SECURITY-1491: High
*   SECURITY-1512: low

**Affected Versions**

*   Jenkins weekly up to and including 2.191
*   Jenkins LTS up to and including 2.176.2
*   **Deprecated: IBM AppScan Plugin** up to and including 1.2.4
*   **Splunk Plugin** up to and including 1.7.4

**Fix**

*   Jenkins weekly should be updated to version 2.192
*   Jenkins LTS should be updated to version 2.176.3
*   **Deprecated: IBM AppScan Plugin** should be updated to version 1.2.5
*   **Splunk Plugin** should be updated to version 1.8.0

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **James Holderness, IB Boost** for SECURITY-1512
*   **Jesper den Boer** for SECURITY-1453

CVE-2019-10384: Jenkins Security Advisory 2019-08-28

A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.

CVE-2019-10383: Jenkins Security Advisory 2019-08-28

The rsvpmaker plugin before 6.2 for WordPress has SQL injection.

Tag

#perl