84 matches found
Server-Side Request Forgery (SSRF)
github.com/jon4hz/jellysweep is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper validation of the URL parameter in the /api/images/cache endpoint, which allows an authenticated attacker to make the server download arbitrary content from attacker-controlled URL...
EUVD-2014-5636
Malware in sbrugna...
EUVD-2020-0384
Malware in sbrugna...
EUVD-2022-2787
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2017-12621
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - During Jelly XML file parsing with Apache Xerces, if a custom doctype entity is declared with a SYSTEM entity with a URL and that entity is used in the body of...
VulnCheck KEV: CVE-2024-4879
ServiceNow Utah, Vancouver, and Washington DC Now Platform releases contain a Jelly template injection vulnerability in UI macros. An unauthenticated user could exploit this vulnerability to execute code remotely...
Exploit for Improper Validation of Specified Type of Input in Servicenow
CVE-2024-4879 Exploit & PoC - Nuclei Template CVE-2024-4879 -...
CVE-2024-4879 Jelly Template Injection Vulnerability in ServiceNow UI Macros
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted...
Storing Passwords in a Recoverable Format
Overview org.jenkins-ci.plugins:credentials-binding is a plugin that allows credentials to be bound to environment variables for use from miscellaneous build steps. Affected versions of this package are vulnerable to Storing Passwords in a Recoverable Format via the config-variables.jelly file,...
com.canoo:webtest (>=586 <=1393), com.flexiblewebsolutions.xdriveunit:xdriveunit (=0.3) +79 more potentially affected by CVE-2017-12621 via commons-jelly:commons-jelly (>=1.0 <=1.0-beta-4)
commons-jelly:commons-jelly MAVEN version =1.0, =586, =0.1, =1.0, =20050708.205531, =1.2, =1.0-M5, =1.0.1, =1.3, =1.9 - jepi:jepi =1.0 - marmalade:marmalade-compat-jelly =1.0-alpha-3 - maven-plugins:maven-sourceforge-plugin =1.3 and more Source cves: CVE-2017-12621 Source advisory:...
Improper Restriction of XML External Entity Reference in Jelly
During Jelly XML file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE)...
GHSA-6G33-82GC-3PW5 Improper Restriction of XML External Entity Reference in Jelly
During Jelly XML file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE)...
GHSA-38CH-X695-M794 Jenkins Groovy Postbuild Plugin vulnerable to Cross-site Scripting
A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI...
GHSA-QXH5-5R5P-5GVF Cross-Site Request Forgery in Jenkins Blue Ocean Plugin
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API. The vulnerability is found in: - blueocean-core-js/src/js/bundleStartup.js - blueocean-core-js/src/js/fetch.ts -...
GHSA-PGXV-H967-FW2Q Improper Neutralization of Input During Web Page Generation in Jenkins
A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other us...
CVE-2017-12621
An XML External Entity (XXE) Injection vulnerability was found in the Commons Jelly library. If a custom doctype entity is declared with a SYSTEM entity with a URL and that entity is used in the body of the Jelly file, the parser will attempt to connect to the provided URL...
Jenkins 2.235.3 - 'tooltip' Stored Cross-Site Scripting
Exploit Title: Jenkins 2.235.3 - 'tooltip' Stored Cross-Site Scripting Date: 11/12/2020 Exploit Author: gx1 Vendor Homepage: https://www.jenkins.io/ Software Link: https://updates.jenkins-ci.org/download/war/ Version: <= 2.251 and <= LTS 2.235.3 Tested on: any CVE: CVE-2020-2229 References:...
jackson-databind: Serialization gadgets in commons-jelly:commons-jelly
A flaw was found in jackson-databind 2.x. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...
Important: Red Hat Security Advisory: rh-maven35-jackson-databind security update
An update for rh-maven35-jackson-databind is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for eac...