1405 matches found
PT-2022-5038 · Hitachi Energy · Microscada X Sys600
Name of the Vulnerable Software and Affected Versions: Hitachi Energy MicroSCADA X SYS600 versions 10 through 10.3.1 Description: The issue is caused by improper input validation in a specific configuration file, leading to a buffer-overflow. This can cause the SYS600 to fail to start. The...
DEBIAN-CVE-2022-29162
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where runc exec --cap created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling...
CVE-2022-28652
/.config/apport/settings parsing is vulnerable to "billion laughs" attack...
Stored XSS vulnerability in Config File Provider Plugin
A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins...
GHSA-VWFM-42Q6-QJ75 Stored XSS vulnerability in Config File Provider Plugin
A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins...
CSRF vulnerability in Config File Provider Plugin
A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions...
GHSA-R5M8-5MWX-CMJ8 CSRF vulnerability in Config File Provider Plugin
A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions...
Improper Privilege Management in Jenkins Config File Provider Plugin
The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Users with only Overall/Read access to Jenkins were able to access URLs directly that allowed viewing these files. Access to view these files now requires sufficient...
GHSA-6H72-M3XW-FP3C Improper Privilege Management in Jenkins Config File Provider Plugin
The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Users with only Overall/Read access to Jenkins were able to access URLs directly that allowed viewing these files. Access to view these files now requires sufficient...
Jenkins Config File Provider Plugin XSS vulnerability
An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete t...
GHSA-PMC5-74W3-78MW Jenkins Config File Provider Plugin XSS vulnerability
An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete t...
GHSA-WMQ3-24JM-M8XH Jenkins Assembla Auth Plugin stores credentials in plain text
Jenkins Assembla Auth Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system...
GHSA-2RVF-329F-P99G System Property Disclosure in Apache Tomcat
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for...
Mattermost Licensing Issue Vulnerability
Mattermost is an open source collaboration platform from Mattermost, Inc. An authorization issue vulnerability exists in Mattermost 6.4.1 and earlier versions, which stems from an API that fails to properly protect permissions and can be exploited by an authenticated attacker to bypass restrictio...
CVE-2022-25165
An issue was discovered in Amazon AWS VPN Client 2.0.0. A TOCTOU race condition exists during the validation of VPN configuration files. This allows parameters outside of the AWS VPN Client allow list to be injected into the configuration file prior to the AWS VPN Client service running as SYSTEM...
CVE-2021-43741
CMSimple 5.4 is vulnerable to Directory Traversal. The vulnerability exists when a user changes the file name to malicious file on config.php leading to remote code execution...
CVE-2021-41245
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by privUITransactionFile aren't properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround, use the session implementation by adding in the iTop conf...
Cross site request forgery (csrf)
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by privUITransactionFile aren't properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround, use the session implementation by adding in the iTop conf...
CVE-2021-41245 Possible Cross-Site Request Forgery in Combodo iTop
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by privUITransactionFile aren't properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround, use the session implementation by adding in the iTop conf...
CVE-2022-22986
Netcommunity OG410X and OG810X series Netcommunity OG410Xa, OG410Xi, OG810Xa, and OG810Xi firmware Ver.2.28 and earlier allow an attacker on the adjacent network to execute an arbitrary OS command via a specially crafted config file...