158 matches found

Cvelist
added 2020/02/12 2:35 p.m. · 15 views

CVE-2020-2130

Jenkins Harvest SCM Plugin 0.5.1 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system...

AI score 6.5 · EPSS 0.00047
Exploits 0 · References 2
CVE
added 2020/02/12 2:35 p.m. · 66 views

CVE-2020-2130

CVE-2020-2130 concerns the Jenkins Harvest SCM Plugin (versions ≤ 0.5.1), where passwords are stored unencrypted in the Jenkins master configuration. The vulnerability, documented across multiple sources (GHSA and OSV/NVD records), states that credentials are kept in plaintext in the global confi...

CVSS 6.5 · AI score 6.4 · EPSS 0.00047
Exploits 0 · References 2 · Affected Software 1
CVE
added 2020/02/12 2:35 p.m. · 62 views

CVE-2020-2131

The CVE-2020-2131 issue affects Jenkins Harvest SCM Plugin versions 0.5.1 and earlier, where passwords are stored unencrypted in the job config.xml on the Jenkins master. This enables exposure to users with Extended Read permission or anyone with master filesystem access. The connected advisories...

CVSS 6.5 · AI score 6.4 · EPSS 0.00047
Exploits 0 · References 2 · Affected Software 1
Positive Technologies
added 2020/02/12 12:00 a.m. · 1 views

PT-2020-15340 · Jenkins · Jenkins Harvest Scm Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Harvest SCM Plugin versions 0.5.1 and earlier
Description: The issue allows passwords to be stored unencrypted in job config.xml files on the Jenkins master. These passwords can be viewed by users with Extended Read permission or thos...

CVSS 6.5 · AI score 6.4 · EPSS 0.00047
Exploits 0 · References 7
Positive Technologies
added 2020/02/12 12:00 a.m. · 3 views

PT-2020-15339 · Jenkins · Jenkins Harvest Scm Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Harvest SCM Plugin versions 0.5.1 and earlier
Description: The issue concerns the storage of passwords in an unencrypted manner within the global configuration file on the Jenkins master. This allows users with access to the master fi...

CVSS 6.5 · AI score 6.2 · EPSS 0.00047
Exploits 0 · References 7
CNVD
added 2019/11/17 12:00 a.m. · 1 views

Hangzhou Double Harvest Network Technology Co., Ltd. website building system has SQL injection vulnerabilities

Hangzhou Double Harvest Network Technology Co., Ltd. is a Hangzhou network company focusing on product development and website construction in Xiasha. There is a SQL injection vulnerability in the website building system of Hangzhou Double Harvest Network Technology Co., Ltd, which can be exploit...

AI score 7.6
Exploits 0
Openbugbounty
added 2018/10/28 10:52 a.m. · 11 views

data-harvest.co.uk XSS vulnerability

Open Bug Bounty ID: OBB-691655. Affected Website: data-harvest.co.uk. Open Bug Bounty Program: Create your bounty program now. It's open and free. Vulnerable Application: hidden until disclosure. Vulnerability Type: XSS Cross Site Scripting / CWE-79. CVSSv3 Score: hidd...

AI score 0.1
Exploits 0
OpenVAS
added 2018/09/05 12:00 a.m. · 433 views

OpenSSH 'auth2-gss.c' User Enumeration Vulnerability - Windows

OpenSSH is prone to a user enumeration vulnerability. Copyright (C) 2018 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...

CVSS 5.3 · AI score 5.6 · EPSS 0.02082
Exploits 1 · References 2
Hacker One
added 2017/05/08 7:37 p.m. · 40 views

Harvest: [platform.harvestapp.com] Reflected XSS in Error Message via URL parameters

Hi @jorgeleria, I came across a potential reflected XSS vector while exploring platform.harvestapp.com functionality. At present, I have been unable to locate a functional payload, so would like to report this as HTML injection. Proof of Concept Steps to reproduce 1. Visit the below Demonstration...

AI score 0.1
Exploits 0
Openbugbounty
added 2017/05/07 1:19 p.m. · 19 views

qms.harvest.edu.au XSS vulnerability

Vulnerable URL: https://qms.harvest.edu.au/login.php?redirect=xss%22%20onfocus=%22alert%27OPENBUGBOUNTY%27%22%20autofocus=%22 Details: Patched: No. Latest check for patch: 30.07.2017. Vulnerability type: XSS. Vulnerability status: Publicly disclosed. Alexa Rank: Unknown...

AI score 6.3
Exploits 0
Hacker One
added 2017/04/07 4:58 a.m. · 25 views

Harvest: Client can redirect payment, causing payment discrepancy between Harvest and PayPal

Vulnerability details When a client views an invoice through the web interface, it'll show a "Pay with PayPal" button when a standard PayPal integration has been enabled. Clicking this button will submit a POST request to PayPal. This request contains a business parameter, which is the receiver o...

AI score 0.5
Exploits 0
Hacker One
added 2017/04/07 2:59 a.m. · 29 views

Harvest: Login bypass on travel.██████████ aka "Harvest Spring Summit 2017"

Introduction I stumbled upon http://travel.████. It looks like the portal for Harvest Spring Summit 2017 travel planning and announcement. I was able to gain access to this portal and view the travel itineraries of some of the summit's participants. A note on scope I realize this domain is not...

AI score 7
Exploits 0
hackapp
added 2017/04/02 9:47 a.m. · 14 views

Harvest Time & Expense Tracker - Customized SSL, Dangerous filesystem permissions vulnerabilities

HackApp vulnerability scanner discovered that application Harvest Time & Expense Tracker published at the 'play' market has multiple vulnerabilities...

AI score 0.6
Exploits 0 · References 1 · Affected Software 1
hackapp
added 2017/03/14 2:56 p.m. · 15 views

Conservis Tasks - Harvest - BSD license, Dangerous filesystem permissions, GPL license vulnerabilities

HackApp vulnerability scanner discovered that application Conservis Tasks - Harvest published at the 'play' market has multiple vulnerabilities...

AI score 0.4
Exploits 0 · References 1 · Affected Software 1
Hacker One
added 2016/10/24 10:11 a.m. · 16 views

Harvest: Stored XSS in Restoring Archived Tasks

Hello Harvest Team, There is stored XSS in restoring archived/deleted tasks. POC: 1. Create a task with name with xss payload " 2. Now from Tasks, delete the task and the task will be archived. 3. Now Click on Manage archived tasks, to restore it back. 4. Click on the task with xss payload, XSS i...

AI score 0.4
Exploits 0
ThreatPost
added 2016/09/15 2:54 p.m. · 12 views

Attack Leverages Windows Safe Mode

Researchers warn the Windows diagnostic feature Safe Mode can be used as a remote attack vector by hackers who already have access to a compromised PC or server. The method of attack is unusual, researchers said, and places attention on the diagnostic tool used to fix PC problems and remove...

AI score 0.9
Exploits 0 · References 1
Hacker One
added 2016/08/21 1:07 a.m. · 24 views

Harvest: Possible to steal any protected files on Android

Hi. I have found an issue which allows retrieving any files from the /data/data/com.harvestapp/ directory. The problem is in the exported activity com.harvestapp.app.EditExpenseActivity, which accepts a URI to a PDF to be processed and saves it on the SD card, which is a world-accessible directory, but in real...

AI score 0.4
Exploits 0
Hacker One
added 2016/07/21 3:06 p.m. · 17 views

Harvest: Project Disclosure of all Harvest Instances

Hello, The POST request to create a new Retainer in the admin panel can use and disclose all the projects in @harvest, not just those available in the admin's @harvest instance. Steps to Reproduce: 1. Login to the application using admin credentials and traverse to Invoices Retainers + New Retainers 2. Select valid...

AI score 0.1
Exploits 0
Hacker One
added 2016/07/20 4:02 p.m. · 67 views

Harvest: CSRF token fixation in Sign in with Google

Hi, There is CSRF token fixation in Sign in with Google at https://id.getharvest.com/sessions/new The state parameter is the same for every login: https://id.getharvest.com/oauth2/callback?state=%7B%22intent%22:%22sign-in%22%7D&code=code Steps to reproduce 1. Go to...

AI score 0.1
Exploits 0
Hacker One
added 2016/07/20 3:17 p.m. · 24 views

Harvest: Content Injection at First & Last Name Parameters that could Lead Fraud Issue

I. Introduction === Harvest is a Simple Online Time Tracking Software that allows people to manage their project timeline with their team. As we can see from the short introduction, Harvest allows team members to collaborate with each other to talk about their project, and mostly all of those...

AI score 0.2
Exploits 0