CVE-2024-6163

Certain http endpoints of Checkmk in Checkmk 2.3.0p10 2.2.0p31, 2.1.0p46, = 2.0.0p39 allows remote attacker to bypass authentication and access data...

GHSA-4F92-W438-F484 CraftBeerPi 4 allows arbitrary code execution

URL GET parameter "logtime" utilized within the "downloadlog" function from "cbpi/httpendpoints/httpsystem.py" is subsequently passed to the "os.system" function in "cbpi/controller/systemcontroller.py" without prior validation allowing arbitrary code execution. This issue affects CraftBeerPi 4:...

CVE-2024-3955 Arbitrary code execution in CraftBeerPi 4

URL GET parameter "logtime" utilized within the "downloadlog" function from "cbpi/httpendpoints/httpsystem.py" is subsequently passed to the "os.system" function in "cbpi/controller/systemcontroller.py" without prior validation allowing to execute arbitrary code.This issue affects CraftBeerPi 4:...

PT-2024-4893 · Oracle · Oracle E-Business Suite +1

Name of the Vulnerable Software and Affected Versions: Oracle Complex Maintenance, Repair, and Overhaul versions 12.2.3 through 12.2.13 Description: The issue exists due to insufficient input validation in the LOV component of the Oracle Complex Maintenance, Repair, and Overhaul product, part of...

Cross site scripting

NextChat, also known as ChatGPT-Next-Web, is a cross-platform chat user interface for use with ChatGPT. Versions 2.11.2 and prior are vulnerable to server-side request forgery and cross-site scripting. This vulnerability enables read access to internal HTTP endpoints but also write access using...

CVE-2023-49785 NextChat vulnerable to Server-Side Request Forgery and Cross-site Scripting

NextChat, also known as ChatGPT-Next-Web, is a cross-platform chat user interface for use with ChatGPT. Versions 2.11.2 and prior are vulnerable to server-side request forgery and cross-site scripting. This vulnerability enables read access to internal HTTP endpoints but also write access using...

GHSA-XXV9-W5HM-328J Jenkins AppSpider Plugin missing permission checks

Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names...

CVE-2024-28155

Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names...

Design/Logic Flaw

Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names...

CVE-2024-28155

CVE-2024-28155 affects Jenkins AppSpider Plugin versions 1.0.16 and earlier. The issue is a lack of permission checks across several HTTP endpoints, which allows attackers with Overall/Read permission to access information about available scan config names, engine group names, and client names. T...

Missing permission check in Jenkins PaaSLane Estimate Plugin

PaaSLane Estimate Plugin 1.0.4 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token...

GHSA-PGPJ-83G3-MFR2 Jenkins Google Compute Engine Plugin has incorrect permission checks

Jenkins Google Compute Engine Plugin 4.550.vb327fca3db11 and earlier does not correctly perform permission checks in multiple HTTP endpoints. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to do the following: - Enumerate...

Jenkins Google Compute Engine Plugin has incorrect permission checks

Jenkins Google Compute Engine Plugin 4.550.vb327fca3db11 and earlier does not correctly perform permission checks in multiple HTTP endpoints. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to do the following: - Enumerate...

GHSA-9F5G-RGCR-8GRW Jenkins MATLAB Plugin cross-site request forgery vulnerability

Jenkins MATLAB Plugin determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. MATLAB Plugin 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form...

Jenkins MATLAB Plugin missing permission checks

Jenkins MATLAB Plugin determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. MATLAB Plugin 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form...

Jenkins plugins Multiple Vulnerabilities (2023-11-29)

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - Medium Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped...

GHSA-3FJV-8R82-6XM9 Jenkins Fortify Plugin cross-site request forgery vulnerability

Jenkins Fortify Plugin 22.1.38 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials store...

Jenkins Fortify Plugin missing permission check

Jenkins Fortify Plugin 22.1.38 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials store...

Jenkins plugins Multiple Vulnerabilities (2023-03-21)

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - Medium Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended...

Incorrect permission checks in Qualys Web App Scanning Connector Plugin allow capturing credentials

Qualys Web App Scanning Connector Plugin 2.0.10 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another...