Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

McDonald’s AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Using the Password ‘123456’

Basic security flaws left the personal info of tens of millions of McDonald’s job-seekers vulnerable on the “McHire” site built by AI software firm Paradox.ai.

Wired
Open in Source
#vulnerability#web#intel#auth#sap
GHSA-q92v-3f4w-5xg8: Jenkins Applitools Eyes Plugin vulnerability exposes unencrypted keys to certain authenticated users

Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

GHSA-2g8w-9933-36vr: Jenkins Warrior Framework Plugin vulnerability exposes unencrypted passwords to certain authenticated users

Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

GHSA-jmrv-rxgr-phvr: Jenkins Applitools Eyes Plugin vulnerability does not mask API keys on its job configuration form

Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

GHSA-56h7-r62c-83qp: Jenkins Xooa Plugin vulnerability exposes unencrypted tokens to authenticated users

Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

GHSA-w4xv-mj6v-p4g2: Jenkins User1st uTester Plugin vulnerability exposes unencrypted token to authenticated users

Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

GHSA-8gp3-m447-gw2v: Jenkins VAddy Plugin vulnerability exposes plaintext keys on its job configuration form

Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

GHSA-23j7-px3w-jwp2: Jenkins Xooa Plugin vulnerability does not mask its Xooa Deployment Token

Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it.

GHSA-884f-p57j-f258: Jenkins ReadyAPI Functional Testing Plugin vulnerability stores unencrypted authentication credentials

Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These credentials can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them. As of publication of this advisory, there is no fix.

GHSA-r496-x769-f8j4: Jenkins ReadyAPI Functional Testing Plugin vulnerability exposes secrets

Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These credentials can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them. As of publication of this advisory, there is no fix.