Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to...
A missing permission check in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers with Overall/Read permission to change the per-job default graph configuration for all users....
A cross-site request forgery vulnerability in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers to change the per-job default graph configuration for all users. Date published...
An issue was discovered in Weaver e-cology 9.0. There is a CRLF Injection vulnerability via the /workflow/request/ViewRequestForwardSPA.jsp isintervenor parameter, as demonstrated by the %0aSet-cookie: substring. Date published : 2019-04-30 https://www.weaver.com.cn/cs/securityDownload.asp https://expzh.com/Weaver-e-cology9.0-CRLF-Injection.pdf
An off-by-one read vulnerability was discovered in ImageMagick before version 7.0.7-28 in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to...
In Apache Archiva 2.0.0 – 2.2.3, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run...
In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin...
Apache Camel’s File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may be also affected. Date published : 2019-04-30 http://www.securityfocus.com/bid/108181...
esoTalk 1.0.0g4 has XSS via the PATH_INFO to the conversations/ URI. Date published : 2019-04-29 https://github.com/esotalk/esoTalk/issues/444 https://lists.openwall.net/full-disclosure/2015/12/23/13
parse_string in cJSON.c in cJSON before 2016-10-02 has a buffer over-read, as demonstrated by a string that begins with a " character and ends with a character. Date published : 2019-04-29 https://github.com/DaveGamble/cJSON/commit/94df772485c92866ca417d92137747b2e3b0a917 https://github.com/DaveGamble/cJSON/issues/30
A third party website can access information available to a user with access to a restricted bug entry using the image generation in report.cgi in all Bugzilla versions prior to 4.4. Date published :...
IBM API Connect 2018.1 and 2018.4.1.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 155078. Date published : 2019-04-29 http://www.ibm.com/support/docview.wss?uid=ibm10874952 https://exchange.xforce.ibmcloud.com/vulnerabilities/155078
IBM Jazz Reporting Service (JRS) 6.0 through 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to...
IBM Emptoris Contract Management 10.0.0 and 10.1.3.0 could disclose sensitive information from detailed information from error messages. IBM X-Force ID: 153657. Date published : 2019-04-29 https://www.ibm.com/support/docview.wss?uid=ibm10731107 https://exchange.xforce.ibmcloud.com/vulnerabilities/153657