π¨ CVE-2025-24400
Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials.
π@cveNotify
Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials.
π@cveNotify
Jenkins Security Advisory 2025-01-22
Jenkins β an open source automation server which enables developers around the world to reliably build, test, and deploy their software
π¨ CVE-2025-24401
Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to.
π@cveNotify
Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to.
π@cveNotify
Jenkins Security Advisory 2025-01-22
Jenkins β an open source automation server which enables developers around the world to reliably build, test, and deploy their software
π¨ CVE-2025-24402
A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method.
π@cveNotify
A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method.
π@cveNotify
Jenkins Security Advisory 2025-01-22
Jenkins β an open source automation server which enables developers around the world to reliably build, test, and deploy their software
π¨ CVE-2025-24403
A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins.
π@cveNotify
A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins.
π@cveNotify
Jenkins Security Advisory 2025-01-22
Jenkins β an open source automation server which enables developers around the world to reliably build, test, and deploy their software
π¨ CVE-2025-0619
Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords
π@cveNotify
Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords
π@cveNotify
π¨ CVE-2024-52552
Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
π@cveNotify
Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
π@cveNotify
Jenkins Security Advisory 2024-11-13
Jenkins β an open source automation server which enables developers around the world to reliably build, test, and deploy their software
π¨ CVE-2024-52554
Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection.
π@cveNotify
Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection.
π@cveNotify
Jenkins Security Advisory 2024-11-13
Jenkins β an open source automation server which enables developers around the world to reliably build, test, and deploy their software
π¨ CVE-2024-54003
Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission.
π@cveNotify
Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission.
π@cveNotify
Jenkins Security Advisory 2024-11-27
Jenkins β an open source automation server which enables developers around the world to reliably build, test, and deploy their software
π¨ CVE-2024-54004
Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter, allowing attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system.
π@cveNotify
Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter, allowing attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system.
π@cveNotify
Jenkins Security Advisory 2024-11-27
Jenkins β an open source automation server which enables developers around the world to reliably build, test, and deploy their software
π¨ CVE-2024-54745
WAVLINK WN701AE M01AE_V240305 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.
π@cveNotify
WAVLINK WN701AE M01AE_V240305 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.
π@cveNotify
colorful-meadow-5b9 on Notion
WN701AE_HardCode_vuln | Notion
Overview
π¨ CVE-2024-54747
WAVLINK WN531P3 202383 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.
π@cveNotify
WAVLINK WN531P3 202383 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.
π@cveNotify
colorful-meadow-5b9 on Notion
WN531P3_HardCode_vuln | Notion
Overview
π¨ CVE-2014-6278
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
π@cveNotify
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
π@cveNotify
jvn.jp
JVN#55667175: QNAP QTS vulnerable to OS command injection
Japan Vulnerability Notes
π¨ CVE-2015-7755
Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session.
π@cveNotify
Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session.
π@cveNotify
Ars Technica
βUnauthorized codeβ in Juniper firewalls decrypts encrypted VPN traffic
Backdoor in NetScreen firewalls gives attackers admin access, VPN decrypt ability.
π¨ CVE-2017-1000353
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
π@cveNotify
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
π@cveNotify
packetstorm.news
Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers
π¨ CVE-2025-4008
The Meteobridge web interface let meteobridge administrator manage their weather station data collection and administer their meteobridge system through a web application written in CGI shell scripts and C.
This web interface exposes an endpoint that is vulnerable to command injection.
Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges ( root ) on affected devices.
π@cveNotify
The Meteobridge web interface let meteobridge administrator manage their weather station data collection and administer their meteobridge system through a web application written in CGI shell scripts and C.
This web interface exposes an endpoint that is vulnerable to command injection.
Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges ( root ) on affected devices.
π@cveNotify
π¨ CVE-2025-5511
A vulnerability, which was classified as critical, has been found in quequnlong shiyi-blog up to 1.2.1. This issue affects some unknown processing of the file /dev api/app/album/photos/. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
π@cveNotify
A vulnerability, which was classified as critical, has been found in quequnlong shiyi-blog up to 1.2.1. This issue affects some unknown processing of the file /dev api/app/album/photos/. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
π@cveNotify
GitHub
javasec/shiyi-blog.md at main Β· uglory-gll/javasec
Contribute to uglory-gll/javasec development by creating an account on GitHub.
π¨ CVE-2025-5512
A vulnerability, which was classified as critical, was found in quequnlong shiyi-blog up to 1.2.1. Affected is an unknown function of the file /api/sys/user/verifyPassword/ of the component Administrator Backend. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
π@cveNotify
A vulnerability, which was classified as critical, was found in quequnlong shiyi-blog up to 1.2.1. Affected is an unknown function of the file /api/sys/user/verifyPassword/ of the component Administrator Backend. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
π@cveNotify
GitHub
javasec/shiyi-blog.md at main Β· uglory-gll/javasec
Contribute to uglory-gll/javasec development by creating an account on GitHub.
π¨ CVE-2025-11241
The Yoast SEO Premium plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 25.7 to 25.9 due to a flawed regex used to remove an attribute in post content, which can be abused to inject arbitrary HTML attributes, including JavaScript event handlers. This vulnerability allows a user with Contributor access or higher to create a post containing a malicious JavaScript payload.
π@cveNotify
The Yoast SEO Premium plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 25.7 to 25.9 due to a flawed regex used to remove an attribute in post content, which can be abused to inject arbitrary HTML attributes, including JavaScript event handlers. This vulnerability allows a user with Contributor access or higher to create a post containing a malicious JavaScript payload.
π@cveNotify
Yoast developer portal
Yoast SEO Premium 26.0 changelog | Yoast developer portal
This is the changelog for version 26.0 of Yoast SEO Premium.
π₯2
π¨ CVE-2025-0616
Authorization Bypass Through User-Controlled Key vulnerability in Teknolojik Center Telecommunication Industry Trade Co. Ltd. B2B - Netsis Panel allows SQL Injection.This issue affects B2B - Netsis Panel: through 20251003.
π@cveNotify
Authorization Bypass Through User-Controlled Key vulnerability in Teknolojik Center Telecommunication Industry Trade Co. Ltd. B2B - Netsis Panel allows SQL Injection.This issue affects B2B - Netsis Panel: through 20251003.
π@cveNotify
π¨ CVE-2025-11223
Installer of
Panasonic
AutoDownloader
version 1.2.8
contains an issue with the DLL search path, which may lead to loading
a crafted DLL file in the same directory.
π@cveNotify
Installer of
Panasonic
AutoDownloader
version 1.2.8
contains an issue with the DLL search path, which may lead to loading
a crafted DLL file in the same directory.
π@cveNotify
π₯1
π¨ CVE-2024-1228
Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Eurosoft Przychodnia installations.
This issue affects Eurosoft Przychodnia software before version 20240417.001 (from that version vulnerability is fixed).
π@cveNotify
Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Eurosoft Przychodnia installations.
This issue affects Eurosoft Przychodnia software before version 20240417.001 (from that version vulnerability is fixed).
π@cveNotify
cert.pl
Vulnerabilities in medical clinics software
Vulnerabilities have been detected in the Eurosoft Przychodnia, drEryk Gabinet and SimpleCare software, involving the use of the same, hard-coded password for the database. The vulnerabilities were assigned identifiers CVE-2024-1228, CVE-2024-3699 and CVEβ¦