5 matches found

Github Security Blog
added 2022/05/24 10:0 p.m. | 29 views

Exposure of Sensitive Information to an Unauthorized Actor in Jenkins

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly...

CVSS 5.4 | AI score 2.2 | EPSS 0.79832
Exploits 0 | References 5 | Affected Software 1
RedhatCVE
added 2019/10/22 9:51 p.m. | 31 views

CVE-2019-10405

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly...

CVSS 5.4 | AI score 2.5 | EPSS 0.79832
Exploits 0 | References 3
Prion
added 2019/09/25 4:15 p.m. | 17 views

Cross site scripting

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly...

CVSS 3.5 | AI score 5.1 | EPSS 0.79832
Exploits 0 | References 2 | Affected Software 1
CVE
added 2019/09/25 3:5 p.m. | 152 views

CVE-2019-10405

CVE-2019-10405 affects Jenkins 2.196 and earlier, and LTS 2.176.3 and earlier. The vulnerability causes the server to print the value of the cookie in the /whoAmI/ URL, despite the cookie being marked HttpOnly. This enables an attacker who can exploit another XSS vulnerability to obtain the HTTP ...

CVSS 5.4 | AI score 5 | EPSS 0.79832
Exploits 0 | References 2 | Affected Software 1
securityvulns
added 2007/10/23 12:0 a.m. | 41 views

Citrix Access Gateway information leak

The HTTP session cookie is passed through HTTP GET request parameters, making it possible to leak its value through the Referer: field or in the browsing history...

AI score 1.6
Exploits 0 | References 1 | Affected Software 2