MAL-2022-6708 Malicious code in twitter-webhook-boilerplate-node (npm)
Source: ghsa-malware d4c54edfa90310f933c9c48f23b3e0d63b678c99863e73ed61a71cfbc0cea32e. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-7096 Malicious code in webhook-provisioner (npm)
Source: ghsa-malware 697ea38acf4a193645bda704d70e5d5e598227df1456666b6997d1c09ffcbacd. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in collection-events-discord-webhook (npm)
Source: ghsa-malware 5d12cf97df99bb97e69ef2b265ec820acb8cc39d7026d03d62e053b706505142. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-5Q86-62XR-3R57 Uses of deprecated API can be used to cause DoS in user-facing endpoints
Impact Several HandleRoute endpoints make use of the deprecated ioutil.ReadAll. ioutil.ReadAll reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service. Eventsources susceptible to an out-of-memor...
Account Takeover via Webhook Handlebars + API Reset Password
Description Through the Webhook functionality, the attacker is able to use Handlebars to capture sensitive user data. Capturing the emailverificationtoken, which through the API I found the PasswordForget function, enabling account takeover via password reset. Steps 1. - Create Table 2. - Select...
GHSA-W689-557M-2CVQ Server-Side Request Forgery in gogs webhook
Impact The malicious user is able to discover services in the internal network through webhook functionality. All installations accepting public traffic are affected. Patches Webhook payload URLs are revalidated before each delivery to make sure they are not resolved to blocked local network...
Server-side Request Forgery (SSRF)
github.com/gogs/gogs is vulnerable to server-side request forgery. The vulnerability exists because the isLocalHostname function of webhook.go does not properly validate the IP addresses before redirect, allowing an attacker to gain access to response data by making an HTTP request to untrusted U...
PT-2022-13774 · Gogs · Gogs
Name of the Vulnerable Software and Affected Versions: gogs/gogs versions prior to 0.12.8 Description: The issue is a Server-Side Request Forgery (SSRF) in the GitHub repository gogs/gogs. It allows a malicious user to discover services in the internal network through webhook...
GHSA-732F-W585-GMPC XXE vulnerability in Jenkins Generic Webhook Trigger Plugin
Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with the ability to call webhooks configured to extract parameters using XPath to have Jenkins parse a crafted XML request body that uses...
GHSA-W6C2-JRHH-JRXG Credentials stored in plain text by Jenkins tfs Plugin
tfs Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file hudson.plugins.tfs.TeamPluginGlobalConfig.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system...
GHSA-JP57-4X34-5V94 Mattermost Server is vulnerable to webhook and slash command manipulation
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API...
Mattermost Server has mishandled webhook access control
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case...
Improper Removal of Sensitive Information Before Storage or Transfer
Overview Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer via the rest.AnonymousClientConfig method that does not effectively clear service account credentials loaded using rest.InClusterConfig. An attacker can gain...