34 matches found
PT-2026-4088
Name of the Vulnerable Software and Affected Versions: Casey Bisson wpCAS versions through 1.07. Description: The software contains a flaw due to improper neutralization of input during web page generation, leading to a Reflected Cross-Site Scripting (XSS) condition. This allows for the injection of...
CVE-2018-1000188
A server-side request forgery vulnerability exists in Jenkins CAS Plugin 1.4.1 and older in CasSecurityRealm.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL...
EUVD-2023-1559
Malicious code in bioql PyPI...
EUVD-2022-2055
Malicious code in bioql PyPI...
EUVD-2022-3729
Malicious code in bioql PyPI...
CVE-2023-32997
Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login...
CVE-2021-21673
Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks...
CVE-2018-9411
In decrypt of ClearKeyCasPlugin.cpp there is a possible out-of-bounds write due to a missing bounds check. This could lead to remote arbitrary code execution with no additional execution privileges needed. User interaction is needed for exploitation...
CAS <= 1.0.0 - Unauthenticated SSRF
Description: The plugin does not validate a parameter before making a request to it, which could allow unauthenticated users to perform an SSRF attack. PoC: https://example.com/wp-content/themes/cas/download.php?path=http://127.0.0.1:8080...
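The entry above describes the classic shape of a server-side request forgery: a `path` parameter is handed straight to an HTTP client, so `http://127.0.0.1:8080` reaches services bound to loopback on the web host. The following is an added example (not the theme's or any plugin's code) contrasting a naive loopback denylist with a hostname allowlist; the allowlist contents and the sample URLs are constructed for illustration.

```python
"""Checking a user-supplied fetch target before the server requests it.

Added illustration, not code from the advisory's theme. ALLOWED_HOSTS and
the sample URLs are constructed here.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist; a real endpoint names the origins it must fetch from.
ALLOWED_HOSTS = {"files.example.org"}

# Constructed sample inputs. The first is the PoC form; the rest are spellings
# of 127.0.0.1 / 0.0.0.0 that libc's inet_aton or an IPv6-aware resolver accept.
LOOPBACK_SPELLINGS = [
    "http://127.0.0.1:8080/",
    "http://127.1:8080/",               # inet_aton shorthand for 127.0.0.1
    "http://2130706433:8080/",          # decimal form of 127.0.0.1
    "http://[::ffff:127.0.0.1]:8080/",  # IPv4-mapped IPv6 address
    "http://0:8080/",                   # 0.0.0.0 reaches the local host on Linux
]


def denylist_check(url: str) -> bool:
    """Naive 'fix': block only the obvious loopback spellings. True means allowed."""
    host = (urlsplit(url).hostname or "").lower()
    return host not in {"127.0.0.1", "localhost", "::1"}


def allowlist_check(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Hardened check: http(s) only, exact hostname allowlist, no credentials,
    default ports only. True means allowed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False
    try:
        port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return False
    return port in (None, 80, 443)


def bypasses(check) -> list:
    """Return the sample loopback URLs that a given check would let through."""
    return [u for u in LOOPBACK_SPELLINGS if check(u)]


if __name__ == "__main__":
    print("denylist lets through:", bypasses(denylist_check))
    print("allowlist lets through:", bypasses(allowlist_check))
```

Even with the allowlist, the HTTP client must be configured not to follow redirects (an allowlisted host can 302 to loopback) and, where the allowlisted names are not under your control, to resolve and pin the address it connects to so a DNS answer cannot change between the check and the connection.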
Session Fixation
CAS Plugin is vulnerable to Session Fixation. The vulnerability exists due to not invalidating the existing session on login which allows an attacker to gain administrator access and perform unauthorized actions...
GHSA-HJH8-9GXH-CX4X Jenkins CAS Plugin Session Fixation vulnerability
Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. CAS Plugin 1.6.3 invalidates the existing session on login...
Design/Logic Flaw
Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login...
CVE-2023-32997
The CVE-2023-32997 entry concerns the Jenkins CAS Plugin (versions 1.6.2 and earlier) that does not invalidate the existing session on login, enabling a session fixation risk. Multiple connected sources corroborate this behavior and describe it as allowing an attacker to potentially gain administ...
PT-2023-24128 · Jenkins · Jenkins Cas Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins CAS Plugin versions 1.6.2 and earlier Description: The issue allows attackers to use social engineering techniques to gain administrator access to Jenkins because the previous session is not invalidated on login. Recommendations: For...
GHSA-2VVR-5757-QP87 Open redirect vulnerability in Jenkins CAS Plugin
Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. Jenkins...