GHSA-88QJ-3Q6H-8M5Q Jenkins Build Environment Plugin vulnerable to Cross-site Scripting
Build Environment Plugin did not escape values of environment variables shown on its views. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the values of build environment variables, typically users with Job/Configure or Job/Build permission. Jenkins...
GHSA-5R6P-P9R6-R326 Improper Encoding or Escaping of Output in Jenkins Configuration as Code Plugin
Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables...
GHSA-HR96-QFVM-52R6 Maven Integration Plugin did not mask sensitive values in module build logs
Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log...
Storing Passwords in a Recoverable Format
Overview org.jenkins-ci.plugins:credentials-binding is a plugin that allows credentials to be bound to environment variables for use from miscellaneous build steps. Affected versions of this package are vulnerable to Storing Passwords in a Recoverable Format via the config-variables.jelly file,...
GSD-2022-1002521 backdoor in ctx version 0.1.2-1, 0.1.2-2, 0.1.4, 0.2, 0.2.1, 0.2.2, 0.2.2.1, 0.2.3, 0.2.4, 0.2.5, 0.2.6
In PyPI ctx version 0.1.2-1, 0.1.2-2, 0.1.4, 0.2, 0.2.1, 0.2.2, 0.2.2.1, 0.2.3, 0.2.4, 0.2.5, 0.2.6 a backdoor exists in the ctx package that can be attacked via a malicious package update resulting in credential theft from environment variables...
Popular PyPI Package 'ctx' and PHP Library 'phpass' Hijacked to Steal AWS Keys
Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem. One of the packages in question is "ctx," a Python module available in the PyPi repository. The other involves "phpass," a PHP package...
Tetanus - Mythic C2 Agent Targeting Linux And Windows Hosts Written In Rust
Tetanus is a Windows and Linux C2 agent written in Rust. Installation: To install Tetanus, you will need Mythic set up on a machine. In the Mythic root directory, use mythic-cli to install the agent. payload start tetanus sudo ./mythic-cli install github https://github.com/MythicAgents/tetanus su...
Mozilla: Leaking browser history with CSS variables
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of Firefox behaving slightly differently for already known resources when loading CSS resources involving CSS variables. This flaw could probe the browser history...
HTTP Parameter Pollution
HTTP Parameter Pollution exploits the possibility of including several parameters with the same name in an HTTP request, or of including a new encoded parameter. Depending on the web server, the parameters will be parsed in a different way, i.e. parsing only the first/last occurrence of the...
ROS-20220518-02
A vulnerability in the Mozilla Thunderbird email client is related to incorrect processing of user input when handling signed and encrypted attached messages. Exploitation of the vulnerability could allow a remote...
phpMyAdmin Global variables scope injection vulnerability
import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request...
PT-2022-18018 · Apple · Apple Macos
Name of the Vulnerable Software and Affected Versions: macOS versions prior to 12.4 Description: The issue concerns the handling of environment variables, which has been addressed with improved validation. A user may be able to view sensitive user information due to this issue. Recommendations: F...
GHSA-QF2H-H3XQ-J93J Jenkins allows Remote Users to Inject Build Parameters
Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables...
GHSA-3W22-WRWX-2R75 Typo3 XSS Vulnerability
The page module in TYPO3 before 8.7.11 has XSS via $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], as demonstrated by an admin entering a crafted site name during the installation process...
GHSA-644J-JCC4-CRX7 Jenkins AWS CodeDeploy Plugin has Insufficiently Protected Credentials
Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a File and Directory Information Exposure vulnerability in AWSCodeDeployPublisher.java that can result in Disclosure of environment variables. This vulnerability appears to have been fixed in 1.20 and later...
GHSA-38XM-XHVJ-Q2QF Jenkins Credentials Binding Plugin has Insufficiently Protected Credentials
Jenkins Credentials Binding plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. However, since Jenkins will try to resolve references to other environment variables in environment variables passed to a build, this can...