Lucene search

670 matches found

CNVD
added 2018/08/08 12:0 a.m. | 2 views

CloudBees Jenkins Tinfoil Security Plugin Information Disclosure Vulnerability

CloudBees Jenkins is a set of Java-based continuous integration tools from the US company CloudBees; it is mainly used to monitor continuous software release/testing projects and to run some scheduled tasks. Tinfoil Security Plugin is used in o...

CVSS 5.5 | AI score 5.2 | EPSS 0.00381
Exploits: 0 | References: 1
NVD
added 2018/08/01 1:29 p.m. | 7 views

CVE-2018-1999041

An exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration...

CVSS 5.5 | AI score 5.2 | EPSS 0.00381
Exploits: 0 | References: 1
OSV
added 2018/08/01 1:29 p.m. | 12 views

CVE-2018-1999041

An exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration...

CVSS 5.5 | AI score 6
Exploits: 0 | References: 1
Prion
added 2018/08/01 1:29 p.m. | 11 views

Design/Logic Flaw

An exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration...

CVSS 2.1 | AI score 5.2 | EPSS 0.00381
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2018/08/01 1:0 p.m. | 60 views

CVE-2018-1999041

CVE-2018-1999041 affects Jenkins with the Tinfoil Security Plugin (1.6.1 and earlier). The vulnerability is in TinfoilScanRecorder.java where an attacker with file-system access to the Jenkins master can access the API secret key stored in the plugin configuration. The impact is exposure of sensi...

CVSS 5.5 | AI score 5.1 | EPSS 0.00381
Exploits: 0 | References: 1 | Affected Software: 1
0day.today
added 2018/06/25 12:0 a.m. | 62 views

WordPress iThemes Security Plugin < 7.0.3 - SQL Injection Vulnerability

Exploit for php platform in category web applications. Exploit Title: WordPress Plugin iThemes Security better-wp-security = 7.0.2 - Authenticated SQL Injection. Exploit Author: Çlirim Emini. Website: https://www.sentry.co.com/ Vendor Homepage: https://ithemes.com/ Software Link:...

AI score 0.2 | EPSS 0.30849
Exploits: 4
wpexploit
added 2018/06/22 12:0 a.m. | 35 views

iThemes Security <= 7.0.2 - Authenticated SQL Injection

The iThemes Security better-wp-security plugin before 7.0.3 for WordPress allows SQL Injection by attackers with Admin privileges via the logs page. Vulnerability description: iThemes Security appears to be vulnerable to time-based SQL-Injection. Parameter orderby is vulnerable because backend...

CVSS 6.5 | AI score 1.5 | EPSS 0.30849
Exploits: 4 | References: 1
IBM Security Bulletins
added 2018/06/16 1:10 p.m. | 45 views

Security Bulletin: Vulnerability in RC4 stream cipher affects IBM® DB2® LUW (CVE-2015-2808)

Summary The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM DB2 LUW. Vulnerability Details CVEID: CVE-2015-2808 DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerabilit...

CVSS 5 | AI score 6 | EPSS 0.74006
Exploits: 0 | Affected Software: 2
RedhatCVE
added 2018/01/26 5:49 p.m. | 48 views

CVE-2017-1000505

In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type...

CVSS 6.5 | AI score 2.6 | EPSS 0.01013
Exploits: 0 | References: 2
CNVD
added 2018/01/26 12:0 a.m. | 4 views

Jenkins Script Security Plugin Arbitrary File Read Vulnerability

CloudBees Jenkins CI (formerly known as Hudson Labs) is a set of Java-based continuous integration tools from the US company CloudBees; it is mainly used to monitor continuous software release/testing projects and to run some scheduled tasks. Script Security...

CVSS 6.5 | AI score 7.1 | EPSS 0.01013
Exploits: 0 | References: 1
CNVD
added 2017/10/31 12:0 a.m. | 2 views

CloudBees Jenkins Script Security plugin security bypass vulnerability

CloudBees Jenkins (formerly known as Hudson Labs) is a set of Java-based continuous integration tools from the US company CloudBees; the tool is mainly used to monitor repetitive work. Script Security is one of its plug-ins, used to check script security. A...

CVSS 6.5 | AI score 6.9 | EPSS 0.00818
Exploits: 0 | References: 1
NVD
added 2017/10/05 1:29 a.m. | 41 views

CVE-2017-1000107

Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection...

CVSS 8.8 | AI score 8.7 | EPSS 0.01204
Exploits: 0 | References: 1
Prion
added 2017/10/05 1:29 a.m. | 18 views

Type confusion

Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection...

CVSS 6.5 | AI score 8.7 | EPSS 0.01204
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2017/10/04 1:0 a.m. | 59 views

CVE-2017-1000107

CVE-2017-1000107 affects the Jenkins Script Security Plugin. The root cause is that sandboxing restrictions were not applied to constructor invocations via positional argument lists, super constructors, method references, or type coercion expressions, allowing potential bypass of sandbox protecti...

CVSS 8.8 | AI score 8.7 | EPSS 0.01204
Exploits: 0 | References: 1 | Affected Software: 1
Cvelist
added 2017/10/04 1:0 a.m. | 37 views

CVE-2017-1000107

Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection...

AI score 8.8 | EPSS 0.01204
Exploits: 0 | References: 1
CNVD
added 2017/08/17 12:0 a.m. | 2 views

CloudBees Jenkins Script Security plugin security bypass vulnerability

CloudBees Jenkins CI (formerly known as Hudson Labs) is a set of Java-based continuous integration tools from the US company CloudBees; it is mainly used to monitor continuous software release/testing projects and to run some scheduled tasks. Script Security...

CVSS 8.8 | AI score 8.8 | EPSS 0.01204
Exploits: 0 | References: 1
Patchstack
added 2017/07/18 12:0 a.m. | 9 views

WordPress Total Security plugin <= 3.4 - Persistent Cross-Site Scripting (XSS) Vulnerability

With the 404 log feature enabled, the function getRefe doesn't sanitize $_SERVER['HTTP_REFERER']. When the output is shown, the referer is not escaped. Solution: Update the plugin...

AI score 2.3
Exploits: 0 | References: 2 | Affected Software: 1
wpexploit
added 2017/04/27 12:0 a.m. | 14 views

AJAX Random Posts <= 0.3.3 - Unauthenticated PHP Object Injection

The plugin ajax-random-posts insecurely trusts serialized data submitted over HTTP requests. This opens up the site to a PHP object injection vulnerability potential exploit vector. The original researcher notified WordPress Plugins team. Attack is exploitable over AJAX calls on sites with the...

AI score 0.6
Exploits: 0 | References: 1
rapid7community
added 2017/04/20 2:6 p.m. | 28 views

Metasploit Wrapup, 4.14.4 through 4.14.11

Editor's Note: While this edition of the Metasploit Wrapup is a little late (my fault, sorry), we're super excited that it's our first ever Metasploit Wrapup to be authored by a non-Rapid7 contributor. We'd like to thank claudijd - long-time Metasploit contributor, Mozilla security wrangler, and...

AI score 7.3
Exploits: 0
CVE
added 2017/02/09 3:0 p.m. | 39 views

CVE-2016-3102

The CVE-2016-3102 issue affects the Jenkins Script Security plugin prior to 1.18.1, where a plugin that performs direct field access or get/set array operations could bypass the Groovy sandbox protection. Affected product: Jenkins Script Security plugin (versions

CVSS 7.5 | AI score 7 | EPSS 0.01721
Exploits: 0 | References: 1 | Affected Software: 1