βΌ CVE-2022-23059 βΌ
π Read
via "National Vulnerability Database".
A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions v2.0.2 through v2.17.0 via the Γ’β¬ΕManage ImagesΓ’β¬οΏ½ tab, which allows an attacker to upload a SVG file containing malicious JavaScript code.π Read
via "National Vulnerability Database".
π1
ποΈ HTML parser bug triggers Chromium XSS security flaw ποΈ
π Read
via "The Daily Swig".
Websites thought to be XSS-protected could have been unintentionally exposed to XSS attacks in Chrome sessionsπ Read
via "The Daily Swig".
portswigger.net
Web Application Security, Testing, & Scanning - PortSwigger
PortSwigger offers tools for web application security, testing, & scanning. Choose from a range of security tools, & identify the very latest vulnerabilities.
β Exchange Servers Speared in IcedID Phishing Campaign β
π Read
via "Threat Post".
The ever-evolving malware shows off new tactics that use email thread hijacking and other obfuscation techniques to provide advanced evasion techniques.π Read
via "Threat Post".
Threat Post
Exchange Servers Speared in IcedID Phishing Campaign
The ever-evolving malware shows off new tactics that use email thread hijacking and other obfuscation techniques to provide advanced evasion techniques.
βοΈ Hackers Gaining Power of Subpoena Via Fake βEmergency Data Requestsβ βοΈ
π Read
via "Krebs on Security".
There is a terrifying and highly effective "method" that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can't wait for a court order because it relates to an urgent matter of life and death.π Read
via "Krebs on Security".
Krebs on Security
Hackers Gaining Power of Subpoena Via Fake βEmergency Data Requestsβ
There is a terrifying and highly effective "method" that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied toβ¦
π΄ Exploring the Intersection of Physical Security and Cybersecurity π΄
π Read
via "Dark Reading".
Residential, commercial, and public buildings are getting smarter; fitting them with a network of connected systems allows buildings to regulate their environment, save energy, and be more secure.π Read
via "Dark Reading".
Dark Reading
Exploring the Intersection of Physical Security and Cybersecurity
Residential, commercial, and public buildings are getting smarter; fitting them with a network of connected systems allows buildings to regulate their environment, save energy, and be more secure.
βΌ CVE-2022-28149 βΌ
π Read
via "National Vulnerability Database".
Jenkins Job and Node ownership Plugin 0.13.0 and earlier does not escape the names of the secondary owners, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28159 βΌ
π Read
via "National Vulnerability Database".
Jenkins Tests Selector Plugin 1.3.3 and earlier does not escape the Properties File Path option for Choosing Tests parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28138 βΌ
π Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credential.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28145 βΌ
π Read
via "National Vulnerability Database".
Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier does not apply Content-Security-Policy headers to report files it serves, resulting in a stored cross-site scripting (XSS) exploitable by attackers with Item/Configure permission or otherwise able to control report contents.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28137 βΌ
π Read
via "National Vulnerability Database".
A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28134 βΌ
π Read
via "National Vulnerability Database".
Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28158 βΌ
π Read
via "National Vulnerability Database".
A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28152 βΌ
π Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to restore the default ownership of a job.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28135 βΌ
π Read
via "National Vulnerability Database".
Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28139 βΌ
π Read
via "National Vulnerability Database".
A missing permission check in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28146 βΌ
π Read
via "National Vulnerability Database".
Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Item/Configure permission to read arbitrary files on the Jenkins controller by specifying an input folder on the Jenkins controller as a parameter to its build steps.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28142 βΌ
π Read
via "National Vulnerability Database".
Jenkins Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation globally for the Jenkins controller JVM when configured to ignore SSL/TLS issues.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28148 βΌ
π Read
via "National Vulnerability Database".
The file browser in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Item/Read permission to obtain the contents of arbitrary files on Windows controllers.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28133 βΌ
π Read
via "National Vulnerability Database".
Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28140 βΌ
π Read
via "National Vulnerability Database".
Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28155 βΌ
π Read
via "National Vulnerability Database".
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.π Read
via "National Vulnerability Database".