
100 matches found

Vulnrichment · added 2023/04/19 5:21 p.m. · 8 views

CVE-2023-30611 Reaction metadata exposed in private topics in Discourse-reactions

Discourse-reactions is a plugin that allows users to add their reactions to posts in the Discourse messaging platform. In affected versions, data about what reactions were performed on a post in a private topic could be leaked. This issue has been addressed in version 0.3. Users are advised to...

CVSS 4.3 · AI score 5.2 · EPSS 0.00425 · Exploits 0 · References 2
SUSE CVE · added 2023/02/15 3:40 a.m. · 3 views

SUSE CVE-2021-32719

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI via the rabbitmqfederationmanagement plugin, its consumer tag was rendered without proper tag sanitization. This potentially allows for...

CVSS 3.1 · AI score 7.5 · EPSS 0.01416 · Exploits 1 · References 8
Positive Technologies · added 2023/01/24 12:00 a.m. · 2 views

PT-2023-19592 · Macstadium +1 · Jenkins Orka By Macstadium Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Orka by MacStadium Plugin versions 1.31 and earlier Description: A cross-site request forgery CSRF issue allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs, potentially capturing...

CVSS 8.8 · AI score 8.6 · EPSS 0.00515 · Exploits 0 · References 5
Positive Technologies · added 2023/01/02 12:00 a.m. · 3 views

PT-2023-14267 · WordPress · Wp Rss By Publishers

Name of the Vulnerable Software and Affected Versions: WP RSS By Publishers WordPress plugin version 0.1 Description: The issue is related to a SQL injection that occurs because a parameter is not properly sanitized and escaped before being used in a SQL statement. This can be exploited by high...

CVSS 7.2 · AI score 7.1 · EPSS 0.01096 · Exploits 2 · References 5
Positive Technologies · added 2022/10/19 12:00 a.m. · 4 views

PT-2022-26917 · Jenkins · Jenkins Screenrecorder Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins ScreenRecorder Plugin versions 0.7 and earlier Description: The issue concerns the Jenkins ScreenRecorder Plugin, which programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived...

CVSS 8 · AI score 4.4 · EPSS 0.00511 · Exploits 0 · References 6
Positive Technologies · added 2022/10/19 12:00 a.m. · 4 views

PT-2022-26918 · Jenkins · Jenkins Neuvector Vulnerability Scanner Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins NeuVector Vulnerability Scanner Plugin versions 1.20 and earlier Description: The issue allows cross-site scripting XSS attacks by users with the ability to control files in workspaces, archived artifacts, etc. This is because the...

CVSS 8 · AI score 5 · EPSS 0.00639 · Exploits 0 · References 7
Positive Technologies · added 2022/10/19 12:00 a.m. · 3 views

PT-2022-26910 · Jenkins · Jenkins S3 Explorer Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins S3 Explorer Plugin versions 1.0.8 and earlier Description: The issue concerns the Jenkins S3 Explorer Plugin, where the AWS SECRET ACCESS KEY form field is not masked, increasing the potential for attackers to observe and capture it...

CVSS 5.3 · AI score 4.9 · EPSS 0.00512 · Exploits 0 · References 7
Positive Technologies · added 2022/09/21 12:00 a.m. · 3 views

PT-2022-25756 · Jenkins · Jenkins Walti Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Walti Plugin versions 1.0.1 and earlier Description: The issue is related to a stored cross-site scripting XSS vulnerability. It occurs because the plugin does not escape the information provided by the Walti API, making it exploitabl...

CVSS 7.5 · AI score 5.2 · EPSS 0.00456 · Exploits 0 · References 8
Positive Technologies · added 2022/09/21 12:00 a.m. · 4 views

PT-2022-25764 · Jenkins · Jenkins Scm Httpclient Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins SCM HttpClient Plugin versions 1.5 and earlier Description: A cross-site request forgery CSRF vulnerability allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs, capturing credentia...

CVSS 8.8 · AI score 8.4 · EPSS 0.0038 · Exploits 0 · References 6
Positive Technologies · added 2022/09/16 12:00 a.m. · 4 views

PT-2022-19415 · WordPress · Craw Data Wordpress Plugin

Name of the Vulnerable Software and Affected Versions: Craw Data WordPress plugin versions through 1.0.0 Description: The issue is related to the lack of nonce checks in the Craw Data WordPress plugin, which could allow attackers to make a logged-in admin change the url value, performing unwanted...

CVSS 4.3 · AI score 4.5 · EPSS 0.00547 · Exploits 2 · References 5
Positive Technologies · added 2022/07/27 12:00 a.m. · 3 views

PT-2022-5099 · Jenkins · Jenkins Openshift Deployer Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins OpenShift Deployer Plugin versions 1.2.0 and earlier Description: A missing permission check in the Jenkins OpenShift Deployer Plugin allows attackers with Overall/Read permission to check for the existence of an attacker-specified fi...

CVSS 6.5 · AI score 6.3 · EPSS 0.00675 · Exploits 0 · References 10
Positive Technologies · added 2022/07/27 12:00 a.m. · 3 views

PT-2022-4012 · Jenkins · Jenkins Openstack Heat Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Openstack Heat Plugin versions 1.5 and earlier Description: The issue is related to insufficient authorization procedures in the Jenkins Openstack Heat Plugin, allowing a remote attacker to perform URL redirection. A missing permissio...

CVSS 4.3 · AI score 4.3 · EPSS 0.00488 · Exploits 0 · References 8
Positive Technologies · added 2022/07/27 12:00 a.m. · 2 views

PT-2022-4025 · Jenkins · Jenkins Openshift Deployer Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins OpenShift Deployer Plugin versions 1.2.0 and earlier Description: The issue is related to a missing permission check in the plugin, which can be exploited by attackers with Overall/Read permission to connect to an attacker-specified U...

CVSS 6.8 · AI score 6.2 · EPSS 0.00645 · Exploits 0 · References 10
Positive Technologies · added 2022/07/27 12:00 a.m. · 5 views

PT-2022-4024 · Jenkins · Jenkins Coverity Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Coverity Plugin versions 1.11.4 and earlier Description: A cross-site request forgery CSRF issue allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs, potentially capturing credentials stor...

CVSS 8.8 · AI score 8.7 · EPSS 0.00489 · Exploits 0 · References 9
Positive Technologies · added 2022/03/29 12:00 a.m. · 5 views

PT-2022-18858 · Jenkins · Jenkins Tests Selector Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Tests Selector Plugin versions 1.3.3 and earlier Description: The issue results in a stored cross-site scripting XSS vulnerability. This occurs because the Properties File Path option for Choosing Tests parameters is not properly...

CVSS 5.4 · AI score 5.1 · EPSS 0.00792 · Exploits 0 · References 7
Positive Technologies · added 2022/02/15 12:00 a.m. · 4 views

PT-2022-17133 · Jenkins · Jenkins Snow Commander Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Snow Commander Plugin versions 1.10 and earlier Description: The issue concerns missing permission checks in the Jenkins Snow Commander Plugin, allowing attackers with Overall/Read permission to connect to a specified webserver using...

CVSS 6.5 · AI score 6.3 · EPSS 0.00898 · Exploits 0 · References 4
Positive Technologies · added 2022/02/15 12:00 a.m. · 2 views

PT-2022-17145 · Jenkins · Jenkins Dbcharts Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins dbCharts Plugin versions 0.5.2 and earlier Description: A missing check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified database via JDBC using attacker-specified credentials...

CVSS 8.8 · AI score 8.4 · EPSS 0.00775 · Exploits 0 · References 5
NVD · added 2021/09/07 8:15 p.m. · 13 views

CVE-2021-37631

Deck is an open source kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions the Deck application didn't properly check membership of users in a Circle. This allowed other users in the instance to gain access t...

CVSS 6.5 · EPSS 0.01236 · Exploits 0 · References 4
NVD · added 2021/07/09 2:15 p.m. · 12 views

CVE-2021-32752

Ether Logs is a package that allows one to check one's logs in the Craft 3 utilities section. A vulnerability was found in versions prior to 3.0.4 that allowed authenticated admin users to access any file on the server. The vulnerability has been fixed in version 3.0.4. As a workaround, one may...

CVSS 7.2 · EPSS 0.01079 · Exploits 0 · References 2
Positive Technologies · added 2021/07/06 12:00 a.m. · 2 views

PT-2021-3849 · Phplist · Phplist

Name of the Vulnerable Software and Affected Versions: phplist version 3.5.1 Description: The issue is related to a lack of restrictions on file uploads in the phplist application, which can be exploited by uploading a malicious plugin containing PHP files with certain extensions, such as PHP,...

CVSS 9.8 · AI score 9.8 · EPSS 0.0289 · Exploits 1 · References 9