66 matches found
CVE-2019-10335
A stored cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier allowed attackers able to configure jobs in Jenkins or control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in the plugin-provided output on build status pages...
CVE-2019-10333
Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and earlier in various HTTP endpoints allowed users with Overall/Read access to obtain information about the Jenkins ElectricFlow Plugin configuration and configuration of connected ElectricFlow instances...
CVE-2019-10332
A missing permission check in Jenkins ElectricFlow Plugin 1.1.5 and earlier in ConfigurationdoTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials...
CVE-2019-10333
Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and earlier in various HTTP endpoints allowed users with Overall/Read access to obtain information about the Jenkins ElectricFlow Plugin configuration and configuration of connected ElectricFlow instances...
CVE-2019-10335
A stored cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier allowed attackers able to configure jobs in Jenkins or control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in the plugin-provided output on build status pages...
CVE-2019-10332
A missing permission check in Jenkins ElectricFlow Plugin 1.1.5 and earlier in ConfigurationdoTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials...
CVE-2019-10334
Jenkins ElectricFlow Plugin 1.1.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM when MultipartUtility.java is used to upload files...
CVE-2019-10331
A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in ConfigurationdoTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials...
CVE-2019-10332
The CVE-2019-10332 entry affects Jenkins ElectricFlow Plugin versions up to 1.1.5 and earlier. The underlying issue is a missing permission check in Configuration#doTestConnection, allowing users with Overall/Read access to initiate a connection to an attacker-specified URL using attacker-specifi...
CVE-2019-10334
Jenkins ElectricFlow Plugin 1.1.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM when MultipartUtility.java is used to upload files...
CVE-2019-10331
A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in ConfigurationdoTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials...
CVE-2019-10333
The provided connected documents confirm a vulnerability in Jenkins ElectricFlow Plugin (versions 1.1.5 and earlier) where missing permission checks on HTTP endpoints allowed users with Overall/Read access to retrieve sensitive information about the plugin configuration and connected ElectricFlow...
CVE-2019-10336
CVE-2019-10336 describes a reflected cross-site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.6 and earlier. The issue arises when an attacker can influence the output of the ElectricFlow API, enabling injection of arbitrary HTML and JavaScript into job configuration forms that inclu...
CVE-2019-10334
CVE-2019-10334 affects Jenkins ElectricFlow Plugin versions 1.1.5 and earlier. The vulnerability arises because MultipartUtility.java uploads can cause the plugin to disable SSL/TLS and hostname verification globally for the Jenkins master JVM, exposing connections to untrusted servers. Impact is...
CVE-2019-10335
CVE-2019-10335 affects Jenkins ElectricFlow Plugin (1.1.5 and earlier). The stored XSS arises from lack of proper escaping of user content in build-status outputs, allowing attackers with Job/Configure permissions or those controlling ElectricFlow API responses to inject arbitrary HTML/JavaScript...
CVE-2019-10332
A missing permission check in Jenkins ElectricFlow Plugin 1.1.5 and earlier in ConfigurationdoTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials...
CVE-2019-10333
Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and earlier in various HTTP endpoints allowed users with Overall/Read access to obtain information about the Jenkins ElectricFlow Plugin configuration and configuration of connected ElectricFlow instances...
CVE-2019-10331
CVE-2019-10331 affects Jenkins ElectricFlow Plugin 1.1.5 and earlier. The vulnerability stems from a missing permission check in a form validation method (Configuration#doTestConnection), enabling CSRF to trigger a connection test to an attacker-specified URL using attacker-specified credentials....
CVE-2019-10336
A reflected cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.6 and earlier allowed attackers able to control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in job configuration forms containing post-build steps provided by this plugin...
CVE-2019-10335
A stored cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier allowed attackers able to configure jobs in Jenkins or control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in the plugin-provided output on build status pages...