In the VeAssetDepositor constructor, if the deployer sets a wrong value for maxTime, or if maxTime in the veAsset project changes, then funds can be locked in VeAssetDepositor and the contract will be in a broken state
Lines of code Vulnerability details Impact The VeAssetDepositor contract locks funds in the veAsset project for maxTime. The veAsset project has its own maxTime, and users cannot lock tokens for longer than that; if they try to, the transaction will fail. In VeAssetDepositor's constructor the deployer sets...
org.craftercms:crafter-deployer (=3.0.0), org.craftercms:crafter-engine (=3.0.0) +1 more potentially affected by CVE-2017-15682 via org.craftercms:crafter-core (=3.0.0)
org.craftercms:crafter-core MAVEN version =3.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.craftercms:crafter-core and may be impacted: - org.craftercms:crafter-deployer =3.0.0 - org.craftercms:crafter-engine =3.0.0 -...
org.craftercms:crafter-deployer (=3.0.0), org.craftercms:crafter-engine (=3.0.0) +1 more potentially affected by CVE-2017-15683 via org.craftercms:crafter-core (=3.0.0)
org.craftercms:crafter-core MAVEN version =3.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.craftercms:crafter-core and may be impacted: - org.craftercms:crafter-deployer =3.0.0 - org.craftercms:crafter-engine =3.0.0 -...
org.craftercms:crafter-deployer (=3.0.0), org.craftercms:crafter-engine (=3.0.0) +1 more potentially affected by CVE-2017-15680 via org.craftercms:crafter-core (=3.0.0)
org.craftercms:crafter-core MAVEN version =3.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.craftercms:crafter-core and may be impacted: - org.craftercms:crafter-deployer =3.0.0 - org.craftercms:crafter-engine =3.0.0 -...
GHSA-CFVW-84VQ-43MX Stored XSS vulnerability in Jenkins Deployer Framework Plugin
Deployer Framework Plugin is a framework plugin allowing other plugins to provide a way to deploy artifacts. Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page. This results in a stored cross-site scripting XSS vulnerability exploitable by users abl...
GHSA-2RRX-Q65F-8945 Credentials transmitted in plain text by OpenShift Deployer Plugin
OpenShift Deployer Plugin stores credentials in its global configuration file org.jenkinsci.plugins.openshift.DeployApplication.xml on the Jenkins controller as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the...
GHSA-F5WX-W2F9-82GH XXE vulnerability in Jenkins WebSphere Deployer Plugin
WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XML external entity XXE attacks. This could be exploited by a user with Job/Configure permissions to upload a specially crafted war file containing a WEB-INF/ibm-web-ext.xml which is parsed by the plugin...
GHSA-C3WF-RRHQ-RFP2 Cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin
A cross-site request forgery vulnerability in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system...
GHSA-46RR-87H4-F5Q6 SSL/TLS certificate validation globally and unconditionally disabled by Jenkins WebSphere Deployer Plugin
Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM...
Jenkins WebSphere Deployer Plugin missing permission check
Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to perform connection tests, determine whether files with an attacker-specified path exist on the Jenkins controller file system...
GHSA-4CMQ-88F8-53R5 Jenkins CRX Content Package Deployer Plugin subject to credentials enumeration via Missing Authorization
A missing permission check in Jenkins CRX Content Package Deployer Plugin prior to version 1.9 in various 'doFillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. This issue is patched in version 1.9...
Jenkins CRX Content Package Deployer Plugin subject to Missing Authorization
A missing permission check in Jenkins CRX Content Package Deployer Plugin prior to version 1.9 allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
GHSA-82V2-F875-73G9 Wildfly Authorization Misconfiguration
A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server...
com.github.almex:weblets-demo (=1.1.3), org.apache.geronimo.assemblies:geronimo-jetty8-javaee6 (=3.0-M1) +18 more potentially affected by CVE-2010-2057 via org.apache.myfaces.core:myfaces-impl (=2.0.0)
org.apache.myfaces.core:myfaces-impl MAVEN version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.myfaces.core:myfaces-impl and may be impacted: - com.github.almex:weblets-demo =1.1.3 -...