Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

GHSA-2wvv-phhw-qvmc: Jenkins Pipeline: Job Plugin vulnerable to stored Cross-site Scripting

Jenkins Pipeline: Job Plugin 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, when "Do not allow concurrent builds" is set. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately. The Jenkins security team is not aware of any plugins that allow the exploitation of this vulnerability, as the build name must be set before the build starts. Pipeline: Job Plugin 1295.v395eb_7400005 escapes the display name of the build that caused an earlier build to be aborted.

ghsa
Open in Source
#xss#vulnerability#git#java#maven
CVE-2023-2196: Jenkins Security Advisory 2023-05-16

A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system.

CVE-2023-2633: Jenkins Security Advisory 2023-05-16

Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server API keys displayed on the configuration form, increasing the potential for attackers to observe and capture them.

Kiddoware Kids Place Parental Control Android App 3.8.49 XSS / CSRF / File Upload

Kiddoware Kids Place Parental Control Android App versions 3.8.49 and below suffer from weak hashing, cross site request forgery, cross site scripting, and arbitrary file upload vulnerabilities.

GaanaGawaana Music Platform PHP Script 1.0 Cross Site Scripting / SQL Injection

GaanaGawaana Music Platform PHP Script version 1.0 suffers from cross site scripting and remote SQL injection vulnerabilities.

CVE-2023-2740: CVE/XSS.md at main · xryj920/CVE

A vulnerability, which was classified as problematic, has been found in SourceCodester Guest Management System 1.0. Affected by this issue is some unknown functionality of the file dateTest.php of the component GET Parameter Handler. The manipulation of the argument name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-229160.

CVE-2023-32999: Jenkins Security Advisory 2023-05-16

A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

CVE-2023-33002: Jenkins Security Advisory 2023-05-16

Jenkins TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2023-33000: Jenkins Security Advisory 2023-05-16

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier does not mask credentials displayed on the configuration form, increasing the potential for attackers to observe and capture them.

CVE-2023-33005: Jenkins Security Advisory 2023-05-16

Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login.