
13 matches found

OSV
added 2026/05/08 10:22 p.m. · 1 views

GHSA-H5FH-7HWR-97MW Kimai has an arbitrary file read in its invoice PDF renderer (admin)

Summary: Users with the role System-Admin (ROLESYSTEADMIN) and the permission uploadinvoicetemplate can upload PDF invoice templates, which can call pdfContext.setOption'associatedfiles', ... inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles, whose writer calls...

CVSS 4.1 · AI score 5.8 · EPSS 0.00078
Exploits 0 · References 4
RedhatCVE
added 2025/08/22 2:26 a.m. · 6 views

CVE-2025-8141

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteassociatedfiles function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary fil...

CVSS 8.8 · AI score 8.3 · EPSS 0.00571
Exploits 0 · References 1
NVD
added 2025/08/20 3:15 a.m. · 4 views

CVE-2025-8289

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the deleteassociatedfiles function. This makes it possible for unauthenticated attackers to inject a PHP Object. This...

CVSS 7.5 · EPSS 0.01211
Exploits 0 · References 2
OSV
added 2022/11/16 12:0 p.m. · 24 views

GHSA-CHCG-GH9P-96C5 Jenkins Associated Files Plugin vulnerable to cross-site scripting (XSS)

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Currently, there are no known workarounds or patches...

CVSS 8 · AI score 5.4 · EPSS 0.10368
Exploits 0 · References 4
Github Security Blog
added 2022/11/16 12:0 p.m. · 30 views

Jenkins Associated Files Plugin vulnerable to cross-site scripting (XSS)

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Currently, there are no known workarounds or patches...

CVSS 5.4 · AI score 5.3 · EPSS 0.10368
Exploits 0 · References 4 · Affected Software 1
OSV
added 2022/11/15 8:15 p.m. · 13 views

CVE-2022-45401

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission...

CVSS 5.4 · AI score 5.7 · EPSS 0.10368
Exploits 0 · References 2
NVD
added 2022/11/15 8:15 p.m. · 13 views

CVE-2022-45401

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission...

CVSS 5.4 · EPSS 0.10368
Exploits 0 · References 2
Prion
added 2022/11/15 8:15 p.m. · 18 views

Cross site scripting

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission...

CVSS 4.9 · AI score 5.2 · EPSS 0.10368
Exploits 0 · References 2 · Affected Software 1
CVE
added 2022/11/15 12:0 a.m. · 261 views

CVE-2022-45401

CVE-2022-45401 affects Jenkins Associated Files Plugin (versions 0.2.1 and earlier). The flaw is a stored XSS due to the plugin not escaping the names of associated files, enabling an attacker with Item/Configure permission to exploit it. The public documents confirm the vulnerability exists but ...

CVSS 5.4 · AI score 5.4 · EPSS 0.10368
Exploits 0 · References 2 · Affected Software 1
Positive Technologies
added 2022/11/15 12:0 a.m. · 4 views

PT-2022-27503 · Jenkins · Jenkins Associated Files Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Associated Files Plugin versions 0.2.1 and earlier
Description: The issue is related to a stored cross-site scripting (XSS) vulnerability. This occurs because the plugin does not properly escape the names of associated files. Attackers...

CVSS 8 · AI score 5 · EPSS 0.10368
Exploits 0 · References 6
Vulnrichment
added 2022/11/15 12:0 a.m. · 5 views

CVE-2022-45401

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission...

AI score 5.4 · EPSS 0.10368
Exploits 0 · References 2
Cvelist
added 2022/11/15 12:0 a.m. · 22 views

CVE-2022-45401

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission...

AI score 5.7 · EPSS 0.10368
Exploits 0 · References 2
CNNVD
added 2022/11/15 12:0 a.m. · 3 views

Jenkins Plugin Associated Files cross-site scripting vulnerability

Jenkins and Jenkins Plugin are both Jenkins open source products. Jenkins is a software application. An open source automation server, Jenkins provides hundreds of plugins to support building, deploying, and automating any project. Jenkins Plugin is a software application. A cross-site scripting...

CVSS 5.4 · AI score 5.5 · EPSS 0.10368
Exploits 0 · References 6