Security
Headlines
HeadlinesLatestCVEs

Tag

#ssrf

CVE-2022-34797: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to connect to an attacker-specified HTTP URL using attacker-specified credentials.

CVE
Open in Source
#xss#csrf#vulnerability#web#cisco#git#java#xpath#ssrf#auth
CVE-2022-34800: Jenkins Security Advisory 2022-06-30

Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-26135: [JRASERVER-73863] Full Read SSRF in Mobile Plugin CVE-2022-26135

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.

GHSA-pf6p-25r2-fx45: Server-Side Request Forgery in dompdf/dompdf

Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0.

CVE-2022-0085: Add a default context · dompdf/dompdf@bb1ef65

Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0.

APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor

Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware. Russian cybersecurity firm Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. Targets include

CVE-2022-0624: Authorization Bypass Through User-Controlled Key in parse-path

Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.

CVE-2017-20106

A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1. This issue affects some unknown processing of the component Compose Message Handler. The manipulation of the argument upload_url leads to server-side request forgery. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.

GHSA-7f3x-x4pr-wqhj: Server-Side Request Forgery in parse-url

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.