63 matches found
Cross site scripting
Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control or modify Contrast service API responses...
GHSA-J8XR-2279-88QJ Jenkins RQM Plugin vulnerable to Improper Restriction of XML External Entity Reference
Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of...
Jenkins RQM Plugin vulnerable to Improper Restriction of XML External Entity Reference
Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of...
CVE-2022-41240
Jenkins Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide malicious API responses from Walti...
PT-2022-25757 · Jenkins · Jenkins Rqm Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins RQM Plugin versions 2.8 and earlier Description: The issue is related to the XML parser not being configured to prevent XML external entity XXE attacks. This allows attackers to provide crafted API responses that can be used to extrac...
Information disclosure in settings UI and API responses - ownCloud
The settings page and some API responses of a few ownCloud apps contained plaintext credentials...
GHSA-2QRR-C2GH-PR35 Wikimedia information leak vulnerability
Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6...
GHSA-MM33-5VFQ-3MM3 Cross-site Scripting Vulnerability in Action Pack
There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577. Versions Affected: = 5.2.0 Not affected: 5.2.0 Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1 Impact CSP headers were only sent along with responses that Rails...
GitLab: XSS in ZenTao integration affecting self hosted instances without strict CSP
Summary The ZenTao issue integration premium feature is susceptible to an XSS attack by delivering modified API responses to GitLab. This is related and similar to my report https://hackerone.com/reports/1533976 but this time affecting the ZenTao integration. A user can create a project and...
Socid-Extractor - Extract Accounts Info From Personal Pages On Various Sites For OSINT Purpose
Extract information about a user from profile webpages / API responses and save it in machine-readable format. Usage As a command-line tool: $ socidextractor --url https://www.deviantart.com/muse1908 country: France createdat: 2005-06-16 18:17:41 gender: female username: Muse1908 website:...
Cross site scripting
A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's...
UBUNTU-CVE-2021-22261
A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's...
CVE-2021-22261
A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's...
CVE-2021-22261
Removed by vendor...
Unspecified Vulnerability in Nextcloud (CNVD-2021-51810)
Nextcloud is a set of open source self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. A security vulnerability exists in Nextcloud Server versions prior to 19.0.13, 20.0.11, and 21.0.3, which stems from the fact that rate limiting in Nextcloud...
Authentication flaw
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller OCSController using the @BruteForceProtection annotation. Risk depends on the installed...
The vulnerability of the Gem::GemcutterUtilities module in the RubyGems package management system, which relates to the issue of printing API responses into the standard output stream, allows a attacker to compromise data integrity.
The vulnerability of the Gem::GemcutterUtilities module in the RubyGems package management system relates to the way that API responses are printed into the standard output stream. Exploiting this vulnerability could allow a malicious actor to compromise data integrity by using a specially crafte...
Product update: Virtuozzo PowerPanel Update 1 Hotfix 1 (7.0.4-39)
The update for Virtuozzo PowerPanel introduces stability and usability fixes. Vulnerability id: PP-643 Attach and detach backup tasks missing or undefined in the task log. Vulnerability id: PP-642 The 'vzapi-api' package not updated on the controller when upgrading PowerPanel. Vulnerability id:...
Design/Logic Flaw
Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6...
API responses for unpatrolled or (not) autopatrolled recent changes require privileges but may be cached publicly
More info at https://phabricator.wikimedia.org/T212118...