14 matches found
CVE-2022-31259
The route lookup process in beego before 1.12.9 and 2.x before 2.0.3 allows attackers to bypass access control. When a /p1/p2/:name route is configured, attackers can access it by appending .xml in various places e.g., p1.xml instead of p1...
CVE-2024-56320
GoCD is a continuous delivery server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD...
CVE-2020-17457
Fujitsu ServerView Suite iRMC before 9.62F allows XSS. An authenticated attacker can store an XSS payload in the PSCUFILEINIT field of a Save Configuration XML document. The payload is triggered in the HTTP error response pages...
CVE-2024-56320
GoCD before 24.5.0 is vulnerable to admin privilege escalation via improper authorization of the admin “Configuration XML” UI and related API. An authenticated GoCD user with an existing account can access information intended only for admins or elevate privileges to admin, with exploitation requ...
CVE-2024-56320 GoCD vulnerable to admin privilege escalation by a malicious internal/existing authenticated user
GoCD is a continuous delivery server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD...
XML External Entity (XXE)
Unstructured is vulnerable to XML External Entity (XXE) injection. The vulnerability is due to improper configuration while setting resolve_entities=False for parsing XML with lxml in partition_xml, which allows external entities to be processed...
Malicious code in mfp-config-xml (npm)
Source: ghsa-malware 0f798a6fe7590d0ef3066f87c5397720bbb22a579e8355e0893963a212454df4. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
PT-2022-22363 · Jenkins · Jenkins Xpath Configuration Viewer Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins XPath Configuration Viewer Plugin versions 1.1.1 and earlier Description: A missing permission check in the Jenkins XPath Configuration Viewer Plugin allows attackers with Overall/Read permission to access the XPath Configuration View...
Missing permission check in Jenkins Project Inheritance Plugin
Jenkins limits access to job configuration XML data config.xml to users with Job/ExtendedRead permission, typically implied by Job/Configure permission. Project Inheritance Plugin has several job inspection features, including the API URL /job/…/getConfigAsXML for its Inheritance Project job typ...
PT-2020-15411 · Jenkins · Jenkins Project Inheritance Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Project Inheritance Plugin versions 21.04.03 and earlier Jenkins Project Inheritance Plugin version 19.08.02 and earlier Description: The issue allows access to Inheritance Project job configurations in XML format without requiring th...