315 matches found
CVE-2015-1814
The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users...
SOL17455 - Multiple Jenkins vulnerabilities
CVE-2015-1806 It was found that the combination filter Groovy script could allow a remote attacker to potentially execute arbitrary code on a Jenkins master. CVE-2015-1807 It was found that when building artifacts, the Jenkins server would follow symbolic links, potentially resulting in disclosur...
FreeBSD : jenkins -- multiple vulnerabilities (22dc4a22-d1e5-11e4-879c-00e0814cab4e)
Jenkins Security Advisory: Description SECURITY-171, SECURITY-177 Reflective XSS vulnerability An attacker without any access to Jenkins can navigate the user to a carefully crafted URL and have the user execute unintended actions. This vulnerability can be used to attack Jenkins inside firewalls...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description SECURITY-171, SECURITY-177 Reflective XSS vulnerability An attacker without any access to Jenkins can navigate the user to a carefully crafted URL and have the user execute unintended actions. This vulnerability can be used to attack Jenkins inside firewalls...
Jenkins-CI Script-Console Java Execution
This module uses the Jenkins-CI Groovy script console to execute OS commands using Java. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Jenkins-CI Script-Console Java Execution', 'Description'...
CVE-2014-2062
Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token...
Design/Logic Flaw
Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token...
CVE-2014-2062
Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token...
CVE-2014-2062
Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token...
CVE-2014-2062
CVE-2014-2062 affects Jenkins before 1.551 and the LTS release before 1.532.2. The vulnerability is that deleting a user does not invalidate their API token, allowing remote authenticated users to retain access via the token. The consolidated data set confirms the affected versions and the token-...
joola.io: Timing Attack Side-Channel on API Token Verification
https://github.com/joola/joola/blob/develop/lib/dispatch/users.js#L514 Because tokens are compared with the === operator, this may be susceptible to timing attacks. More info: http://codahale.com/a-lesson-in-timing-attacks/ This is probably not the lowest hanging fruit for an attacker, but it's...
GetSimple CMS 2.01 and 2.02 Administrative Credentials Disclosure
No description provided by source. Researcher: Michael Brooks Affecting: GetSimple CMS 2.01 and 2.02 Fixed: 2.03 Vulnerability: Administrative Credentials Disclosure Vendor's Homepage: http://code.google.com/p/get-simple-cms download url for 2.01: http://www.box.net/get-simple/1/30435008/399754548...
GetSimple CMS 2.01 / 2.02 Credential Disclosure
Researcher: Michael Brooks Affecting: GetSimple CMS 2.01 and 2.02 Fixed: 2.03 Vulnerability: Administrative Credentials Disclosure Vendor's Homepage: http://code.google.com/p/get-simple-cms download url for 2.01: http://www.box.net/get-simple/1/30435008/399754548 download svn for 2.02beta: svn...
Getsimple CMS 2.01 2.02 - Administrative Credentials Disclosure
Getsimple CMS 2.01 2.02 - Administrative Credentials Disclosure Researcher: Michael Brooks Affecting: GetSimple CMS 2.01 and 2.02 Fixed: 2.03 Vulnerability: Administrative Credentials Disclosure Vendor's Homepage: http://code.google.com/p/get-simple-cms download url for 2.01:...
Getsimple CMS 2.01 < 2.02 - Administrative Credentials Disclosure
Researcher: Michael Brooks Affecting: GetSimple CMS 2.01 and 2.02 Fixed: 2.03 Vulnerability: Administrative Credentials Disclosure Vendor's Homepage: http://code.google.com/p/get-simple-cms download url for 2.01: http://www.box.net/get-simple/1/30435008/399754548 download svn for 2.02beta: svn...