CVE-2019-1003042
A cross-site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin. Date published :...
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts. Date published : 2019-03-28 http://www.securityfocus.com/bid/107628 https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts. Date published : 2019-03-28 http://www.securityfocus.com/bid/107628 https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353
A specially crafted URL could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users’...
In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute JavaScript on another user’s session. No information could be saved on the server or jspwiki database, nor would an attacker be able...
In Apache ActiveMQ 5.0.0 – 5.15.8, unmarshalling a corrupt MQTT frame can lead to a broker Out of Memory exception, making it unresponsive. Date published : 2019-03-28 http://www.securityfocus.com/bid/107622 http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt
In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of...
Systems using the Marel Food Processing Systems Pluto platform do not restrict remote access. Marel has created an update for Pluto-based applications. This update will restrict remote access by implementing SSH authentication. Date published...
In Eclipse Mosquitto versions 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could lead to crashes for those applications using the library. Date published : 2019-03-27 https://bugs.eclipse.org/bugs/show_bug.cgi?id=533775...
A potential security vulnerability caused by incomplete obfuscation of application configuration information was discovered in Tommy Hilfiger TH24/7 Android app versions 2.0.0.11, 2.0.1.14, 2.1.0.16, and 2.2.0.19. HP has no access to customer data as...
A potential security vulnerability caused by the use of insecure (http) transactions during login has been identified with early versions of the Isaac Mizrahi Smartwatch mobile app. HP has no access to customer data...
phpFK lite has XSS via the faq.php, members.php, or search.php query string or the user.php user parameter. Date published : 2019-03-27 http://seclists.org/fulldisclosure/2019/Jul/15 http://packetstormsecurity.com/files/153591/phpFK-lite-version-Cross-Site-Scripting.html
HP Support Assistant before 8.7.50.3 allows an unauthorized person with local access to load arbitrary code. Date published : 2019-03-27 https://support.hp.com/us-en/document/c06242762
A potential vulnerability has been identified in HP Remote Graphics Software’s certificate authentication process version 7.5.0 and earlier. Date published : 2019-03-27 https://support.hp.com/us-en/document/c06201418