545 matches found
CVE-2025-31727
Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...
CVE-2025-31725
CVE-2025-31725 affects the Jenkins monitor-remote-job Plugin (version 1.0). The issue is that passwords are stored in plaintext in job config.xml files on the Jenkins controller, and can be viewed by users with Extended Read permission or with access to the controller filesystem. The existing con...
CVE-2025-31724
Jenkins Cadence vManager Plugin 4.0.0-282.v5096ac2db275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
PT-2025-14514 · Jenkins · Jenkins Cadence Vmanager Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Cadence vManager Plugin versions 4.0.0-282.v5096a c2db 275 and earlier Description: The issue concerns the storage of Verisium Manager vAPI keys in an unencrypted form within job config.xml files on the Jenkins controller. These keys...
PT-2025-14517 · Jenkins · Jenkins Asakusasatellite Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins AsakusaSatellite Plugin versions 0.1.1 and earlier Description: The issue concerns the storage of AsakusaSatellite API keys in an unencrypted manner within job config.xml files on the Jenkins controller. This allows users with...
Jenkins plugins Multiple Vulnerabilities (2025-04-02)
According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - In Jenkins Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection, allowing attacke...
Tenable Identity Exposure 安全漏洞
Tenable Identity Exposure is a fast, agentless solution from Tenable, Inc. It can detect and block attacks, eliminate attack paths, and provide risk-based guidance on vulnerability management and remediation. A security vulnerability exists in Tenable Identity Exposure versions prior to 3.77.9,...
BIT-SOLR-2025-24814 Apache Solr: Core-creation with "trusted" configset can use arbitrary untrusted files
Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that 1 use the "FileSystemConfigSetService" component the default in "standalone" or "user-managed" mode, and 2 are running without authentication and authorization are vulnerable to a sort...
CVE-2025-24814
A flaw was found in Apache Solr. Solr instances that use the "FileSystemConfigSetService" component, the default in "standalone" or "user-managed" mode, and are running without authentication and authorization are vulnerable to a privilege escalation wherein individual "trusted" config set files...
CVE-2021-26102
A relative path traversal vulnerability CWE-23 in FortiWAN version 4.5.7 and below, 4.4 all versions may allow a remote non-authenticated attacker to delete files on the system by sending a crafted POST request. In particular, deleting specific configuration files will reset the Admin password to...
DEBIAN-CVE-2024-52792
LDAP Account Manager LAM is a php webfrontend for managing entries e.g. users, groups, DHCP settings stored in an LDAP directory. In affected versions LAM does not properly sanitize configuration values, that are set via mainmanage.php and confmain.php. This allows setting arbitrary config values...
PT-2024-35444 · Unknown +1 · Ldap Account Manager +1
Name of the Vulnerable Software and Affected Versions: LDAP Account Manager LAM versions prior to 9.0 Description: LDAP Account Manager LAM is a php webfrontend for managing entries stored in an LDAP directory. In affected versions, LAM does not properly sanitize configuration values set via...
CVE-2023-0163 Prototype Pollution in convict
Improperly Controlled Modification of Object Prototype Attributes 'Prototype Pollution' vulnerability in Mozilla Convict. This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a...
Deserialization of Untrusted Data
Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the handling of configuration files. This is only exploitable if the target visits a malicious page or opens a...
CVE-2024-29211
A race condition in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to modify sensitive configuration files...
PT-2024-39080 · Ivanti · Ivanti Secure Access Client
Name of the Vulnerable Software and Affected Versions: Ivanti Secure Access Client versions prior to 22.7R3 Description: The issue concerns improper authorization, allowing a local authenticated attacker to modify sensitive configuration files. Recommendations: For versions prior to 22.7R3, updat...
PT-2024-8645 · Ivanti · Ivanti Secure Access Client
Name of the Vulnerable Software and Affected Versions: Ivanti Secure Access Client versions prior to 22.7R4 Description: A race condition in Ivanti Secure Access Client allows a local authenticated attacker to modify sensitive configuration files. This issue is related to synchronization errors...
CVE-2024-20441
A vulnerability in a specific REST API endpoint of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to learn sensitive information on an affected device. This vulnerability is due to insufficient authorization controls on the affected REST API endpoint. An attacker could...
PT-2024-8625 · Cisco · Cisco Ndfc
Name of the Vulnerable Software and Affected Versions: Cisco NDFC affected versions not specified Description: A vulnerability in a specific REST API endpoint of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to learn sensitive information on an affected device. This iss...
CVE-2024-8453
Certain switch models from PLANET Technology use an insecure hashing function to hash user passwords without being salted. Remote attackers with administrator privileges can read configuration files to obtain the hash values, and potentially crack them to retrieve the plaintext passwords...