Important: Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity...
jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin
A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with...
WordPress WeSecur Security Plugin <= 1.2.1 is vulnerable to Cross Site Scripting (XSS)
Software: WeSecur Security; Type: Plugin; Vulnerable versions: <= 1.2.1; Fixed in: N/A; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-24390; Patch priority: Low; CVSS severity: Low (5.9); Developer: Claim ownership; PSID: d9bfc2401aca; Credits: Prasanna V Balaji; Requir...
jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin
A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins controller JVM. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and...
CVE-2022-4537
The Hide My WP Ghost – Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supp...
CVE-2022-4537
CVE-2022-4537 covers Hide My WP Ghost – Security Plugin for WordPress. The issue is IP address spoofing via the X-Forwarded-For header, allowing logging and login checks to be bypassed. Affected versions are up to and including 5.0.18; a patch is available in 5.0.20. Impact: potential unauthorized ...
CVE-2022-4537 Hide My WP Ghost – Security Plugin <= 5.0.18 - IP Address Spoofing to Protection Mechanism Bypass
The Hide My WP Ghost – Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supp...
PT-2023-14656 · WordPress · Hide My Wp Ghost – Security Plugin
Name of the Vulnerable Software and Affected Versions: The Hide My WP Ghost – Security Plugin plugin for WordPress, versions up to and including 5.0.18.
Description: The issue is due to insufficient restrictions on where the IP address information is being retrieved for request logging and login...
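The entries above all describe the same root cause: the plugin derives the client IP from a header the client controls. The example below is an added illustration, not code from Hide My WP Ghost or any WordPress plugin: a resolver that trusts X-Forwarded-For unconditionally (the pattern the advisory describes) beside one that only honours the header when the TCP peer is a configured reverse proxy, and then walks the chain from the right past any further trusted hops. The trusted-proxy range, the blocklist and the addresses are constructed sample data.

```python
from __future__ import annotations

import ipaddress

# Constructed sample: the only reverse-proxy range allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr: str, trusted=TRUSTED_PROXIES) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip_vulnerable(remote_addr: str, headers: dict) -> str:
    """Pattern behind the advisory: believe X-Forwarded-For from anyone.

    A banned client can connect directly and supply any address it likes."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr: str, headers: dict,
                       trusted=TRUSTED_PROXIES) -> str:
    """Only honour X-Forwarded-For when the socket peer is a trusted proxy.

    The right-most hop was appended by our own proxy and cannot be forged by
    the client; further trusted proxies are skipped. Attacker-prepended values
    on the left are never reached. Anything unparseable falls back to the
    socket peer address."""
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if not _is_trusted(hop, trusted):
            return hop
    return remote_addr


def login_allowed(blocked: set[str], resolver, remote_addr: str, headers: dict) -> bool:
    """Login-restriction check built on one of the resolvers above."""
    return resolver(remote_addr, headers) not in blocked


if __name__ == "__main__":
    # Constructed scenario: 203.0.113.5 has been blocked after failed logins and
    # now connects directly (no proxy in front) with a forged header.
    blocked = {"203.0.113.5"}
    forged = {"X-Forwarded-For": "198.51.100.7"}
    print("vulnerable:", login_allowed(blocked, client_ip_vulnerable, "203.0.113.5", forged))  # True: bypass
    print("hardened:  ", login_allowed(blocked, client_ip_hardened, "203.0.113.5", forged))    # False
```

The same resolver should feed both the request log and the login throttle; if the two disagree, the log records the spoofed address while the throttle bans the wrong one.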
WordPress Shield Security Plugin <= 17.0.17 is vulnerable to Cross Site Scripting (XSS)
Software: Shield Security; Type: Plugin; Vulnerable versions: <= 17.0.17; Fixed in: 17.0.18; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-0992; Patch priority: High; CVSS severity: High (7.1); Developer: Claim ownership; PSID: 814ad86ffa89; Credits: Ramuel Gall; Requir...
Cross-site request forgery (CSRF)
The WPCode WordPress plugin before 2.0.9 has a flawed CSRF check when deleting logs, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including...
WordPress WP Cerber Security Plugin <= 9.1 is vulnerable to Cross Site Scripting (XSS)
Software: WP Cerber Security; Type: Plugin; Vulnerable versions: <= 9.1; Fixed in: 9.2; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2022-4712; Patch priority: High; CVSS severity: High (7.1); Developer: Claim ownership; PSID: 381a6dfeb33d; Credits: Ramuel Gall; Required...
Spotlight Social Media Feeds Plugin for WordPress < 1.4.3 Stored Cross-Site Scripting
The WordPress Spotlight Social Media Feeds Plugin installed on the remote host is affected by a stored cross-site scripting vulnerability. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number. No source data...
SiteGround Security Plugin for WordPress < 1.3.1 SQL injection
The WordPress SiteGround Security Plugin installed on the remote host is affected by a SQL injection vulnerability. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number. No source data...
CVE-2023-25806 Time discrepancy in authentication responses in OpenSearch
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the interna...
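The mechanism this entry describes is a user-enumeration oracle: an authenticator that returns as soon as the lookup fails never pays for password hashing, so "no such user" answers come back faster than "wrong password". The example below is added here and is not OpenSearch code; it contrasts a leaky login with one that performs the same derivation and constant-time compare for unknown users (a dummy salt and hash stand in for the missing record). The user store and passwords are constructed, and the PBKDF2 iteration count is kept tiny so the demo runs instantly.

```python
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 1000  # constructed: far too low for production, fine for a demo


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(creds: dict) -> dict:
    """Constructed store: username -> (salt, pbkdf2 hash)."""
    store = {}
    for name, pw in creds.items():
        salt = os.urandom(16)
        store[name] = (salt, _derive(pw, salt))
    return store


# Fixed dummy record so unknown users cost exactly one derivation too.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _derive("dummy-password-not-valid", _DUMMY_SALT)


class Authenticator:
    def __init__(self, store: dict):
        self.store = store
        self.hash_calls = 0  # instrumentation: how many expensive derivations ran

    def _hash(self, password: str, salt: bytes) -> bytes:
        self.hash_calls += 1
        return _derive(password, salt)

    def login_leaky(self, user: str, password: str) -> bool:
        """Returns early for unknown users: no derivation runs, so the
        response is measurably faster and reveals that the account is absent."""
        rec = self.store.get(user)
        if rec is None:
            return False
        salt, expected = rec
        return hmac.compare_digest(self._hash(password, salt), expected)

    def login_uniform(self, user: str, password: str) -> bool:
        """Always one derivation plus one constant-time compare, whether or
        not the user exists; the result is still False for unknown users."""
        rec = self.store.get(user)
        exists = rec is not None
        salt, expected = rec if exists else (_DUMMY_SALT, _DUMMY_HASH)
        ok = hmac.compare_digest(self._hash(password, salt), expected)
        return ok and exists


def median_ns(fn, reps: int = 30) -> float:
    """Median wall-clock cost of fn() in nanoseconds, for the demo below."""
    samples = []
    for _ in range(reps):
        t0 = time.perf_counter_ns()
        fn()
        samples.append(time.perf_counter_ns() - t0)
    return statistics.median(samples)


if __name__ == "__main__":
    auth = Authenticator(make_user_store({"alice": "correct horse"}))
    for name, fn in (("leaky", auth.login_leaky), ("uniform", auth.login_uniform)):
        known = median_ns(lambda: fn("alice", "wrong"))
        unknown = median_ns(lambda: fn("nobody", "wrong"))
        print(f"{name:8s} known={known/1e3:8.1f}us  unknown={unknown/1e3:8.1f}us")
```

Run it and the leaky path shows a gap of roughly the whole hashing cost between the two cases, while the uniform path does not. Note that this closes the timing oracle only; distinct error messages or HTTP status codes for the two cases would leak the same bit.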
plugin: CSRF vulnerability in Script Security Plugin
A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b73a69a08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver...
jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions
A flaw was found in the script-security Jenkins Plugin. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest. The affected version of the script-security plugin stores whole-script approvals as the SHA-1 hash of the approved script, so a script that collides with an approved one would be treated as approved...