| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Unquoted Search Path in Maxthon 5.1.0 to 5.2.7 Browser for Windows. |
| An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. This could potentially be used in a phishing attack. |
| A cross-site request forgery vulnerability in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kubernetes service account token or credentials stored in Jenkins. |
| A cross-site request forgery vulnerability in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| A cross-site request forgery vulnerability in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers to connect to an attacker-specified web server. |
| A cross-site request forgery vulnerability in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM. |
| A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system. |
| Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM. |
| A cross-site request forgery vulnerability in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers to have Jenkins evaluate a computationally expensive regular expression. |
| A cross-site request forgery vulnerability in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials. |
| A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker specified web server and parse XML documents. |
| Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents. |
| A cross-site request forgery vulnerability in Jenkins Google Compute Engine Plugin 4.1.1 and earlier in ComputeEngineCloud#doProvision could be used to provision new agents. |
| Jenkins QMetry for JIRA - Test Management Plugin 1.12 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. |
| A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts. |
| LayerBB before 1.1.4 has multiple CSRF issues, as demonstrated by changing the System Settings via admin/general.php. |
| Sonatype Nexus Repository Manager 2.x before 2.14.15 and 3.x before 3.19, and IQ Server before 72, has remote code execution. |
| An issue was discovered in the AbuseFilter extension for MediaWiki. includes/special/SpecialAbuseLog.php allows attackers to obtain sensitive information, such as deleted/suppressed usernames and summaries, from AbuseLog revision data. This affects REL1_32 and REL1_33. |
| ESET Cyber Security 6.7.900.0 for macOS allows a local attacker to execute unauthorized commands as root by abusing an undocumented feature in scheduled tasks. |
