Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2022-27665: What's New in WS_FTP Server 2020.0.0 (8.7.0)

Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, it is possible to execute client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.

CVE
Open in Source
#sql#xss#csrf#vulnerability#web#mac#windows#microsoft#redis#js#git#java#oracle#intel#auth#ssh#postgres#chrome#firefox#sap
CVE-2023-26529: WordPress DupeOff plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in DupeOff.Com DupeOff plugin <= 1.6 versions.

Super FabriXss: an RCE vulnerability in Azure Service Fabric Explorer

Categories: Exploits and vulnerabilities Categories: News Tags: Azure Tags: Microsoft Tags: Super FabriXss Tags: RCE Tags: vulnerability Tags: CVE-2023-23383 Researchers disclosed how they found a remote code execution vulnerability in Azure Service Fabric Explorer. (Read more...) The post Super FabriXss: an RCE vulnerability in Azure Service Fabric Explorer appeared first on Malwarebytes Labs.

GHSA-j927-269r-96xw: Jenkins Cppcheck Plugin vulnerable to stored cross-site scripting (XSS)

Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

GHSA-v27q-87jf-j9cr: Jenkins Pipeline Aggregator View Plugin vulnerable to Cross-site Scripting

Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view’s URL in inline JavaScript. This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission. Pipeline Aggregator View Plugin 1.14 obtains the current URL in a way not susceptible to XSS.

GHSA-xj29-gfww-j67g: Jenkins JaCoCo Plugin vulnerable to Stored Cross-site Scripting

JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action. JaCoCo Plugin 3.3.2.1 escapes class and method names shown on the UI.

CVE-2023-28671: Jenkins Security Advisory 2023-03-21

A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-28681: Jenkins Security Advisory 2023-03-21

Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28675: Jenkins Security Advisory 2023-03-21

A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.

CVE-2023-28680: Jenkins Security Advisory 2023-03-21

Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.