315 matches found
Mail.ru: The auth token does not expire on logging out and even after logging out all sessions
API token for web.icq.com was not expired after user logout...
GitLab: Stored XSS on Files overview by abusing git submodule URL
Vulnerability description: There's a stored Cross-Site Scripting (XSS) vulnerability in the Files overview of a project due to the incorrect handling of a git submodule. This allows an attacker to execute JavaScript in a visitor's session. Proof of concept: To reproduce the issue, the attacker needs ...
Nagios XI 5.2.7 - Multiple Vulnerabilities
Nagios XI Multiple Vulnerabilities. Affected versions: Nagios XI = 5.2.7 PDF:...
Nagios XI 5.2.7 Code Execution / SQL Injection / Privilege Escalation
Nagios XI Multiple Vulnerabilities. Affected versions: Nagios XI = 5.2.7 PDF:...
GitLab: Persistent XSS on public wiki pages
Details: There's a persistent cross-site scripting (XSS) vulnerability in the wiki pages. This can lead to an account takeover via the leaked API token. Proof of concept: As an attacker, create a new public repository. Make sure you have a client that is allowed to push to that repository. For this...
jenkins: Non-constant time comparison of API token (SECURITY-241)
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach...
GitLab: Persistent XSS on public project page
Details: A project admin can set up a custom issue tracker integration. This setting misses a check to make sure that it's a real URL and, thus, can use the javascript handler to execute arbitrary JavaScript. Browsers use this handler to execute inline JavaScript. This can lead to an account take...
CVE-2016-0790
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach...
Code injection
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach...
FreeBSD : jenkins -- multiple vulnerabilities (7e01df39-db7e-11e5-b937-00e0814cab4e)
Jenkins Security Advisory: Description: SECURITY-232 / CVE-2016-0788: Remote code execution vulnerability in remoting module. A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description: SECURITY-232 / CVE-2016-0788: Remote code execution vulnerability in remoting module. A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed...
Design/Logic Flaw
Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens, which might allow remote administrators to gain privileges and run scripts by using an API token of another user...
CloudBees Jenkins CI and LTS API token-issuing service vulnerability
CloudBees Jenkins CI (formerly known as Hudson Labs) is a set of Java-based continuous integration tools from CloudBees, Inc. LTS (Long-Term Support) is a long-supported version of CloudBees Jenkins CI. A security vulnerability exists in the API token-issuing service in CloudBees Jenkins CI versions...
CVE-2015-1814
The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users...
Code injection
The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users...
CVE-2015-1814
CVE-2015-1814 affects Jenkins Core/API token-issuing service. The vulnerability allows remote privilege escalation via the forced API token change, occurring due to insufficient protection for anonymous users. Affected versions are Jenkins before 1.606 and LTS before 1.596.2. The issue is mitigat...