CVE-2022-34791
Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
via "National Vulnerability Database".

CVE-2022-34782
An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.
via "National Vulnerability Database".

CVE-2022-34784
Jenkins build-metrics Plugin 1.3 does not escape the build description on one of its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Build/Update permission.
via "National Vulnerability Database".

CVE-2022-34810
A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
via "National Vulnerability Database".

CVE-2022-34781
Missing permission checks in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
via "National Vulnerability Database".

CVE-2022-34778
Jenkins TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped test descriptions and exception messages provided in test results if certain job-level options are set, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or control test results.
via "National Vulnerability Database".

CVE-2022-34800
Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
via "National Vulnerability Database".

CVE-2022-34797
A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to connect to an attacker-specified HTTP URL using attacker-specified credentials.
via "National Vulnerability Database".

CVE-2022-34809
Jenkins RQM Plugin 2.8 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
via "National Vulnerability Database".

CVE-2022-34805
Jenkins Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
via "National Vulnerability Database".

CVE-2022-34811
A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to access the XPath Configuration Viewer page.
via "National Vulnerability Database".

CVE-2022-33326
Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. Specially crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. The `/ajax/config_rollback/` API is affected by a command injection vulnerability.
via "National Vulnerability Database".

CVE-2022-33087
A stack overflow in the function DM_ In fillobjbystr() of TP-Link Archer C50&A5(US)_V5_200407 allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
via "National Vulnerability Database".

CVE-2022-31115
opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. In versions prior to 2.0.1 the ruby `YAML.load` function was used instead of `YAML.safe_load`. As a result, opensearch-ruby 2.0.0 and prior can lead to unsafe deserialization using YAML.load if the response is of type YAML. An attacker must be in control of an opensearch server and convince the victim to connect to it in order to exploit this vulnerability. The problem has been patched in opensearch-ruby gem version 2.0.1. Users are advised to upgrade. There are no known workarounds for this issue.
via "National Vulnerability Database".

CVE-2022-33082
An issue in the AST parser (ast/compile.go) of Open Policy Agent v0.10.2 allows attackers to cause a Denial of Service (DoS) via a crafted input.
via "National Vulnerability Database".

CVE-2022-33085
ESPCMS P8 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the fetch_filename function at \espcms_public\espcms_templates\ESPCMS_Templates.
via "National Vulnerability Database".

CVE-2022-2274
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.
via "National Vulnerability Database".

CVE-2022-2279
NULL Pointer Dereference in GitHub repository bfabiszewski/libmobi prior to 0.11.
via "National Vulnerability Database".

CVE-2022-2280
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.
via "National Vulnerability Database".

Latest web hacking tools – Q3 2022
We take a look at the latest additions to security researchers' armory.
via "The Daily Swig".

CVE-2022-34894
In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services.
via "National Vulnerability Database".