38 matches found

EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2013-6191

Malware in sbrugna...

CVSS 6.5 · AI score 6.4 · EPSS 0.05617
Exploits: 1 · References: 2

EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2022-34319

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 7.6 · EPSS 0.00322
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/22 11:33 p.m. · 2 views

CVE-2022-2013

In Octopus Server after version 2022.1.1495 and before 2022.1.2647, if private spaces were enabled via the experimental feature flag, all new users would have access to the Script Console within their private space...

CVSS 7.5 · AI score 7.1 · EPSS 0.00322
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/22 9:26 p.m. · 2 views

CVE-2021-38263

Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10, allows remote attackers to inject arbitrary web script or HTML via the output of a script...

CVSS 6.1 · AI score 5.8 · EPSS 0.0053
Exploits: 0 · References: 1

RedhatCVE
added 2025/02/04 10:37 p.m. · 1 view

CVE-2024-8980

The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently...

CVSS 9.6 · AI score 7.1 · EPSS 0.00381
Exploits: 0 · References: 1

OSV
added 2024/10/22 6:32 p.m. · 1 view

GHSA-CHJ2-4VG7-HHG3 Liferay Portal and Liferay DXP Vulnerable to CSRF in the Script Console

The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28, 7.0 GA through fix pack 102 and 6.2 GA through fix pack 173 does not sufficiently...

CVSS 9.6 · AI score 6.9 · EPSS 0.00381
Exploits: 0 · References: 3

Snyk
added 2024/10/22 6:32 p.m. · 1 view

Cross-site Request Forgery (CSRF)

Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the Script Console process. An attacker can execute arbitrary Groovy scripts by enticing a user to visit a crafted URL or by leveraging a cross-site scripting vulnerability. Remediation: Upgrade...

CVSS 9.6 · AI score 6.6 · EPSS 0.00381
Exploits: 0 · References: 2

Positive Technologies
added 2024/10/22 12:00 a.m. · 1 view

PT-2024-39349 · Liferay · Liferay Dxp +1

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 6.2 GA through fix pack 173; Liferay Portal versions 7.0 GA through fix pack 102; Liferay Portal versions 7.0.0 through 7.4.3.101; Liferay DXP versions 7.1 GA through fix pack 28; Liferay DXP versions 7.2 GA through fix pa...

CVSS 9.6 · AI score 7.3 · EPSS 0.00381
Exploits: 0 · References: 11

Packet Storm
added 2024/09/01 12:00 a.m. · 204 views

Jenkins-CI Unauthenticated Script-Console Scanner

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'cgi' class MetasploitModule 'Jenkins-CI Unauthenticated Script-Console Scanner', 'Description' => %q This module scans for unauthenticated Jenkins-CI script...

CVSS 9.8 · AI score 7.4 · EPSS 0.86333
Exploits: 12

The Hacker News
added 2024/07/09 11:50 a.m. · 16 views

Hackers Exploiting Jenkins Script Console for Cryptocurrency Mining Attacks

Cybersecurity researchers have found that it's possible for attackers to weaponize improperly configured Jenkins Script Console instances to further criminal activities such as cryptocurrency mining. "Misconfigurations such as improperly set up authentication mechanisms expose the '/script'...

AI score 8.3
Exploits: 0

Trend Micro Simply Security
added 2024/07/05 12:00 a.m. · 18 views

Turning Jenkins Into a Cryptomining Machine From an Attacker's Perspective

In this blog entry, we will discuss how the Jenkins Script Console can be weaponized by attackers for cryptomining activity if not configured properly...

AI score 7.3
Exploits: 0

OSV
added 2023/06/14 3:30 p.m. · 0 views

GHSA-98FP-R22G-WPJ7 Jenkins CSRF protection bypass vulnerability

Jenkins provides context menus for various UI elements, like links to jobs and builds, or breadcrumbs. In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided value...

CVSS 8 · AI score 5.9 · EPSS 0.00158
Exploits: 0 · References: 4

Positive Technologies
added 2023/06/14 12:00 a.m. · 2 views

PT-2023-25161 · Jenkins · Jenkins

Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.399 and earlier; LTS versions 2.387.3 and earlier. Description: The issue arises when POST requests are sent to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a...

CVSS 8 · AI score 8 · EPSS 0.00158
Exploits: 0 · References: 11

The Hacker News
added 2023/03/08 4:30 p.m. · 2 views

Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks

A pair of severe security vulnerabilities have been disclosed in the Jenkins open source automation server that could lead to code execution on targeted systems. The flaws, tracked as CVE-2023-27898 and CVE-2023-27905, impact the Jenkins server and Update Center, and have been collectively...

CVSS 9.6 · AI score 7.1 · EPSS 0.04413
Exploits: 0

OSV
added 2022/06/13 12:15 a.m. · 0 views

CVE-2022-2013

In Octopus Server after version 2022.1.1495 and before 2022.1.2647, if private spaces were enabled via the experimental feature flag, all new users would have access to the Script Console within their private space...

CVSS 7.5 · AI score 7.1
Exploits: 0 · References: 1

ATTACKERKB
added 2022/06/13 12:15 a.m. · 0 views

CVE-2022-2013

In Octopus Server after version 2022.1.1495 and before 2022.1.2647, if private spaces were enabled via the experimental feature flag, all new users would have access to the Script Console within their private space...

CVSS 7.5 · AI score 7.1 · EPSS 0.00322
Exploits: 0 · References: 2 · Affected software: 1

Prion
added 2022/06/13 12:15 a.m. · 14 views

Code injection

In Octopus Server after version 2022.1.1495 and before 2022.1.2647, if private spaces were enabled via the experimental feature flag, all new users would have access to the Script Console within their private space...

CVSS 4.3 · AI score 7.5 · EPSS 0.00322
Exploits: 0 · References: 1 · Affected software: 1

CVE
added 2022/06/12 11:50 p.m. · 47 views

CVE-2022-2013

The CVE-2022-2013 issue affects Octopus Server versions after 2022.1.1495 and before 2022.1.2647. If private spaces are enabled via the experimental feature flag, all new users could access the Script Console within their private space, indicating an exposure of scripting capabilities to unintend...

CVSS 7.5 · AI score 7.5 · EPSS 0.00322
Exploits: 0 · References: 1 · Affected software: 1

OSV
added 2022/03/04 12:00 a.m. · 1 view

GHSA-FFMM-5WW2-G3Q4 Liferay Portal and Liferay DXP cross-site scripting (XSS) vulnerability via the script console

Liferay Server Admin Web before 4.0.12 from Liferay Portal v7.3.2 and below and Liferay DXP v7.0 and below were discovered to contain a cross-site scripting (XSS) vulnerability via the script console under the Server module...

CVSS 6.1 · AI score 6 · EPSS 0.0053
Exploits: 0 · References: 7

Positive Technologies
added 2022/03/02 12:00 a.m. · 1 view

PT-2022-10703 · Liferay · Liferay Dxp +1

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions prior to 7.3.2; Liferay DXP versions prior to 7.0 fix pack 101; Liferay DXP versions prior to 7.1 fix pack 20; Liferay DXP versions prior to 7.2 fix pack 10. Description: A cross-site scripting (XSS) issue exists in the Serv...

CVSS 6.1 · AI score 5.8 · EPSS 0.0053
Exploits: 0 · References: 12
