PT-2024-39634 · Linear · Linear Emerge E3-Series
Name of the Vulnerable Software and Affected Versions: Linear eMerge e3-Series versions 1.00-07 Description: The Linear eMerge e3-Series is vulnerable to an OS command injection issue. A remote and unauthenticated attacker can execute arbitrary OS commands via the login id parameter when invoking...
BIT-JENKINS-2024-43045
Jenkins LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views"...
Improper Access Control
org.jenkins-ci.main, jenkins-core is vulnerable to Improper Access Control. The vulnerability is caused due to a missing permission check in an HTTP end point. This allows attackers with Overall/Read permission to access other users' "My Views" and attackers with global View/Configure and...
CVE-2024-43045
A flaw was found in Jenkins. A missing permission check in an HTTP endpoint allows attackers with Overall/Read permission to access other users' "My Views" or attackers with global View/Configure and View/Delete permissions to change other users' "My Views". Mitigation Mitigation for this issue i...
GHSA-8PV9-QH96-9HC6 Jenkins does not perform a permission check in an HTTP endpoint
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access other users' "My Views". Attackers with global View/Configure and View/Delete permissions are also able to change other users' "...
Jenkins does not perform a permission check in an HTTP endpoint
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access other users' "My Views". Attackers with global View/Configure and View/Delete permissions are also able to change other users' "...
CVE-2024-43045
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views"...
CVE-2024-43045
Jenkins Core: CVE-2024-43045 affects Jenkins 2.470 and earlier (including LTS 2.452.3 and earlier). It does not perform a permission check on a specific HTTP endpoint, allowing users with Overall/Read (and with some broader permissions) to access other users’ My Views, and potentially to alter th...
Jenkins LTS < 2.452.4 / Jenkins weekly < 2.471 Multiple Vulnerabilities
According to its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.452.4 or Jenkins weekly prior to 2.471. It is, therefore, affected by multiple vulnerabilities: - Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent...
CVE-2024-39598 [Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)
SAP CRM WebClient UI Framework allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the applicati...
CVE-2024-6163
Certain http endpoints of Checkmk in Checkmk < 2.3.0p10, < 2.2.0p31, < 2.1.0p46, <= 2.0.0p39 allow a remote attacker to bypass authentication and access data...
CVE-2024-6163 local IP restriction of internal HTTP endpoints
Certain http endpoints of Checkmk in Checkmk < 2.3.0p10, < 2.2.0p31, < 2.1.0p46, <= 2.0.0p39 allow a remote attacker to bypass authentication and access data...
CVE-2024-37393
SecurEnvoy MFA has multiple LDAP injection vulnerabilities in versions before 9.4.514. The DESKTOP service at the /secserver HTTP endpoint validates input improperly, enabling unauthenticated remote attackers to exfiltrate Active Directory data (potentially including the cleartext ms-Mcs-AdmPwd u...
Reflected XSS in Metrics Web Page
Reflected XSS in Sidekiq Web UI via the /metrics HTTP end-point and the substr query param: https://host/sidekiq/metrics?substr=foot%22%3E%3Cscript%20src=%22payload%22%20/%3E...
Jenkins docker-build-step Plugin missing permission check
A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting futu...
GHSA-8H2M-54WH-GWJ3 Jenkins docker-build-step Plugin missing permission check
A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting futu...
CVE-2024-2216
A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting futu...
Design/Logic Flaw
A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting futu...
CVE-2024-28155
Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names...