
OSV, added 2026/05/20 3:32 p.m., 2 views

GHSA-5WXR-W449-57CM Setup PHP: GitHub tokens configured by setup-php may be exposed through pinned affected Composer versions

Impact This affects only workflows that pin an exact affected Composer semver version through setup-php, for example tools: composer:2.9.7. Workflows using the default Composer version, composer:v2, or no pinned Composer version are not affected through setup-php, because those Composer URLs have...

CVSS 5.9, AI score 5.7
Exploits: 0, References: 4
Positive Technologies, added 2026/05/14 12:00 a.m., 5 views

PT-2026-41129

Summary A command injection vulnerability was identified in shivammathur/setup-php when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script. In affected versions, setup-php may read the PHP version from: - .php-versio...

CVSS 5.6, AI score 6.2
Exploits: 0, References: 7
Snyk, added 2026/04/17 10:42 p.m., 0 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the GitHub OAuth callback handler when the refreshInterval query parameter is embedded verbatim into an error message and rendered unescaped into HTML. An attacker can execute arbitrary JavaScript in the...

CVSS 6.1, AI score 5.9, EPSS 0.00012
Exploits: 0, References: 2
EUVD, added 2025/10/03 8:07 p.m., 2 views

EUVD-2022-3138

Malicious code in bioql PyPI...

CVSS 4.3, AI score 4.8, EPSS 0.00038
Exploits: 0, References: 4
EUVD, added 2025/10/03 8:07 p.m., 1 view

EUVD-2022-4543

Malicious code in bioql PyPI...

CVSS 5.9, AI score 5.9, EPSS 0.00032
Exploits: 0, References: 4
EUVD, added 2025/10/03 8:07 p.m., 1 view

EUVD-2022-4779

Malicious code in bioql PyPI...

CVSS 8.8, AI score 8.7, EPSS 0.00104
Exploits: 0, References: 4
RedhatCVE, added 2025/05/22 8:22 a.m., 7 views

CVE-2019-10315

Jenkins GitHub Authentication Plugin 0.31 and earlier did not use the state parameter of OAuth to prevent CSRF...

CVSS 8.8, AI score 6.7, EPSS 0.00104
Exploits: 0, References: 1
RedhatCVE, added 2025/05/22 4:46 a.m., 5 views

CVE-2019-1003019

A session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session...

CVSS 5.9, AI score 6.6, EPSS 0.00032
Exploits: 0, References: 1
RedhatCVE, added 2025/05/22 4:08 a.m., 4 views

CVE-2019-1003018

An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. via a malicious extension), to retrieve the...

CVSS 4.3, AI score 6.3, EPSS 0.00038
Exploits: 0, References: 1
OSV, added 2024/03/06 8:25 p.m., 10 views

CVE-2024-27918 Coder's OIDC authentication allows email with partially matching domain to register

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.6.1, 2.7.3, and 2.8.4, a vulnerability in Coder's OIDC authentication could allow an attacker to bypass the CODEROIDCEMAILDOMAIN verification and create an account with an email not in the...

CVSS 8.2, AI score 8, EPSS 0.00179
Exploits: 0, References: 7
Github Security Blog, added 2024/03/04 8:45 p.m., 18 views

Coder's OIDC authentication allows email with partially matching domain to register

Summary A vulnerability in Coder's OIDC authentication could allow an attacker to bypass the CODEROIDCEMAILDOMAIN verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider such as publi...

CVSS 8.2, AI score 6.9, EPSS 0.00179
Exploits: 0, References: 7, Affected Software: 2
GithubExploit, added 2022/07/02 10:04 p.m., 713 views

Exploit for Cross-Site Request Forgery (CSRF) in Jetbrains Teamcity

CVE-2022-24342 JetBrains TeamCity - account takeover via CSRF...

CVSS 8.8, AI score 9, EPSS 0.00077
Exploits: 2
Github Security Blog, added 2022/05/24 4:44 p.m., 18 views

Jenkins GitHub Authentication Plugin Cross-Site Request Forgery vulnerability

Jenkins GitHub Authentication Plugin did not manage the state parameter of OAuth to prevent CSRF. This allowed an attacker to catch the redirect URL provided during the authentication process using OAuth and send it to the victim. If the victim was already connected to Jenkins, their Jenkins...

CVSS 8.8, AI score 7.1, EPSS 0.00104
Exploits: 0, References: 5, Affected Software: 1
CVE, added 2019/04/30 12:25 p.m., 49 views

CVE-2019-10315

CVE-2019-10315 : Jenkins GitHub Authentication Plugin versions 0.31 and earlier did not validate the OAuth state parameter, enabling CSRF exposure. Exploitation could allow an attacker to capture the OAuth redirect URL and, if the victim is already authenticated in Jenkins, attach the victim’s Je...

CVSS 8.8, AI score 8.7, EPSS 0.00104
Exploits: 0, References: 3, Affected Software: 1
CNVD, added 2019/02/12 12:00 a.m., 1 view

CloudBees Jenkins GitHub Authentication Plugin Session Fixation Vulnerability

CloudBees Jenkins (Hudson Labs) is a set of Java-based continuous integration tools from the US company CloudBees. The product is mainly used to monitor continuous software release/testing projects and some scheduled tasks. GitHub Authentication Plugin is one of its plugins, which ...

CVSS 5.9, AI score 7, EPSS 0.00032
Exploits: 0, References: 1
OSV, added 2019/02/06 4:29 p.m., 13 views

CVE-2019-1003019

A session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session...

CVSS 5.9, AI score 6.6
Exploits: 0, References: 1
NVD, added 2019/02/06 4:29 p.m., 9 views

CVE-2019-1003018

An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. via a malicious extension), to retrieve the...

CVSS 4.3, AI score 4.5, EPSS 0.00038
Exploits: 0, References: 1
OSV, added 2019/02/06 4:29 p.m., 9 views

CVE-2019-1003018

An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. via a malicious extension), to retrieve the...

CVSS 4.3, AI score 6.3
Exploits: 0, References: 1
CVE, added 2019/02/06 4:00 p.m., 47 views

CVE-2019-1003019

Summary: CVE-2019-1003019 affects the Jenkins GitHub Authentication Plugin (versions ≤ 0.29). The vulnerability lies in GithubSecurityRealm.java, enabling an attacker who can control the pre-authentication session to impersonate another user (session fixation). Affected software: Jenkins GitHub A...

CVSS 5.9, AI score 5.6, EPSS 0.00032
Exploits: 0, References: 1, Affected Software: 1