1269 matches found
CVE-2025-64146
Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system...
CVE-2025-64147
Jenkins Curseforge Publisher Plugin 1.0 does not mask API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them...
CVE-2025-64147
CVE-2025-64147 affects the Jenkins Curseforge Publisher Plugin (version 1.0). The vulnerability is that API Keys are displayed unmasked on the job configuration form and stored unencrypted in config files, enabling users with sufficient permissions to observe/capture credentials. Public documents...
CVE-2025-64146
CVE-2025-64146 affects the Jenkins Curseforge Publisher Plugin (version 1.0) and older, where API keys are stored unencrypted in job config.xml on the Jenkins controller. This configuration data can be viewed by users with Item/Extended Read permission or by anyone with access to the Jenkins cont...
Jenkins Curseforge Publisher Plugin Security Vulnerability
Jenkins Curseforge Publisher Plugin is an automated publishing plugin for the open source Jenkins automation server. A security vulnerability exists in version 1.0 of the Jenkins Curseforge Publisher Plugin that stems from unencrypted storage of API keys, which could lead to a user viewing the keys via Item or Extende...
PT-2025-44295
Name of the Vulnerable Software and Affected Versions Jenkins Curseforge Publisher Plugin version 1.0 Description The Jenkins Curseforge Publisher Plugin version 1.0 stores API Keys unencrypted in config.xml files on the Jenkins controller. These files are accessible to users with Item/Extended...
PT-2025-44296
Name of the Vulnerable Software and Affected Versions Jenkins Curseforge Publisher Plugin version 1.0 Description The Jenkins Curseforge Publisher Plugin version 1.0 does not mask API Keys displayed on the job configuration form. This increases the potential for attackers to observe and capture...
CVE-2025-11879
The GenerateBlocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'getoptionrest' function in all versions up to, and including, 2.1.1. This makes it possible for authenticated attackers, with contributor level access and above, to read...
Evaluating Large Language Models in Detecting Secrets in Android Apps
Mobile apps often embed authentication secrets, such as API keys, tokens, and client IDs, to integrate with cloud services. However, developers often hardcode these credentials into Android apps, exposing them to extraction through reverse engineering. Once compromised, adversaries can exploit...
Timing Attack
Overview Affected versions of this package are vulnerable to Timing Attack via the IsValidWebAuthRedirectURL function. An attacker can obtain sensitive information such as Cloud API keys and OAuth client secrets by analyzing response times during authentication attempts. Remediation Upgrade...
EUVD-2025-34730
Mattermost has an Observable Timing Discrepancy vulnerability...
Mattermost has an Observable Timing Discrepancy vulnerability
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets...
CVE-2025-54499
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets...
CVE-2025-54499 Insecure string comparison enables timing attacks
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets...