
CVE-2024-28153
https://notcve.org/view.php?id=CVE-2024-28153
06 Mar 2024 — Jenkins OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports, resulting in a stored cross-site scripting (XSS) vulnerability. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-28151
https://notcve.org/view.php?id=CVE-2024-28151
06 Mar 2024 — Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller, allowing attackers with Item/Configure permission to determine whether a path on the Jenkins controller file system exists, without being able to access it. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2024-28150
https://notcve.org/view.php?id=CVE-2024-28150
06 Mar 2024 — Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-28149 – jenkins-2-plugins: Improper input sanitization in HTML Publisher Plugin
https://notcve.org/view.php?id=CVE-2024-28149
06 Mar 2024 — Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins controller file system exists. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-20: Improper Input Validation • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
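The three XSS entries above (CVE-2024-28153, CVE-2024-28150, CVE-2024-28149) share one root cause: values a low-privileged user controls (vulnerability metadata, job names, report names, index page titles) are written into a page without escaping. The following is an added example, not code from any Jenkins plugin (those are Java with Jelly views). It renders a hypothetical report-frame page twice from the same constructed attacker-controlled values: once with Go's text/template, which interpolates raw and reproduces the defect class, and once with html/template, which applies contextual escaping in both element-body and attribute positions. The template markup, field names and payload strings are all assumptions for the illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	texttemplate "text/template"
)

// Constructed attacker-controlled values of the kind the advisories describe:
// a job name and a report index title chosen by a user with Item/Configure.
// These are illustrative strings, not payloads taken from the advisories.
const (
	maliciousJobName = `build <script>alert(document.cookie)</script>`
	maliciousTitle   = `Report" onload="alert(1)`
)

// frameTemplate is a hypothetical report-frame page. The real plugin renders
// Jelly views; this template only models where the untrusted values land.
const frameTemplate = `<html><head><title>{{.Title}}</title></head>
<body><h1>{{.JobName}}</h1><iframe title="{{.Title}}" src="report/index.html"></iframe></body></html>`

type frameData struct {
	JobName string
	Title   string
}

// renderUnescaped mimics the defect: values are interpolated as-is, so markup
// in a job name or title becomes live HTML and attribute content.
func renderUnescaped(d frameData) string {
	t := texttemplate.Must(texttemplate.New("frame").Parse(frameTemplate))
	var buf bytes.Buffer
	if err := t.Execute(&buf, d); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderEscaped is the hardened form: html/template escapes each value for
// the context it appears in (element body vs. quoted attribute), so the same
// inputs render as inert text.
func renderEscaped(d frameData) string {
	t := template.Must(template.New("frame").Parse(frameTemplate))
	var buf bytes.Buffer
	if err := t.Execute(&buf, d); err != nil {
		panic(err)
	}
	return buf.String()
}

func main() {
	d := frameData{JobName: maliciousJobName, Title: maliciousTitle}
	fmt.Println("unescaped:\n" + renderUnescaped(d))
	fmt.Println("escaped:\n" + renderEscaped(d))
}
```

The point to carry back to a Jenkins context is that escaping must be chosen per output context: a value that is safe inside a text node is not automatically safe inside a quoted attribute, which is why the second constructed value targets an attribute-breakout rather than a bare script tag.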

CVE-2024-2216
https://notcve.org/view.php?id=CVE-2024-2216
06 Mar 2024 — A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-862: Missing Authorization

CVE-2024-2215
https://notcve.org/view.php?id=CVE-2024-2215
06 Mar 2024 — A cross-site request forgery (CSRF) vulnerability in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-352: Cross-Site Request Forgery (CSRF)
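CVE-2024-2216 and CVE-2024-2215 describe the same connection-test endpoint from two angles: it neither checks that the caller is allowed to reconfigure the plugin (CWE-862) nor requires a POST carrying a CSRF token, so it can be triggered from a third-party page (CWE-352). The following is an added example, not code from the docker-build-step plugin (which is Java on Jenkins' Stapler framework). It models such an endpoint in Go's net/http with a vulnerable handler beside a hardened one, and drives both in-process with httptest so the difference is observable. The permission names, the X-User and X-Crumb headers, the crumb value and the attacker URL are all constructed for the example; the "connection test" only records the URL rather than opening a socket.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// Permission levels standing in for Jenkins' Overall/Read and Overall/Administer
// (hypothetical names used only in this example).
type permission int

const (
	permRead permission = iota
	permAdminister
)

// Constructed users. A real server would resolve the caller from its session,
// not from the X-User header this example reads for brevity.
var users = map[string]permission{"reader": permRead, "admin": permAdminister}

// pluginConfig is the state the endpoint reconfigures: the advisories describe
// the connection-test URL being persisted and used by later build steps.
type pluginConfig struct {
	mu        sync.Mutex
	DockerURL string
}

// testConnection stands in for "connect and reconfigure"; it opens no socket,
// it only validates the scheme and records the URL.
func (c *pluginConfig) testConnection(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil || (u.Scheme != "tcp" && u.Scheme != "unix") {
		return errors.New("unsupported docker URL")
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	c.DockerURL = rawURL
	return nil
}

// vulnerableHandler mirrors the defect class: no permission check and no POST
// requirement, so a GET triggered from a third-party page reconfigures the plugin.
func vulnerableHandler(cfg *pluginConfig) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := cfg.testConnection(r.FormValue("dockerUrl")); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// hardenedHandler requires POST carrying the session's CSRF token (crumb) and
// the Administer permission before it touches configuration.
func hardenedHandler(cfg *pluginConfig, crumb string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-Crumb")), []byte(crumb)) != 1 {
			http.Error(w, "missing or invalid crumb", http.StatusForbidden)
			return
		}
		if p, ok := users[r.Header.Get("X-User")]; !ok || p < permAdminister {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if err := cfg.testConnection(r.FormValue("dockerUrl")); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// send issues one in-process request and returns the HTTP status code.
func send(h http.Handler, method, user, crumb, dockerURL string) int {
	q := url.Values{"dockerUrl": {dockerURL}}.Encode()
	req := httptest.NewRequest(method, "/testConnection?"+q, nil)
	req.Header.Set("X-User", user)
	req.Header.Set("X-Crumb", crumb)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cfg := &pluginConfig{}
	code := send(vulnerableHandler(cfg), http.MethodGet, "reader", "", "tcp://attacker.example:2375")
	fmt.Println("vulnerable endpoint via GET as reader:", code, "config now:", cfg.DockerURL)
}
```

The order of checks in the hardened handler is deliberate: method and crumb are verified before any authorization lookup, so a forged cross-site request is rejected even when the victim's browser supplies a valid session, and the permission check runs before the URL is parsed or stored.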

CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption
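The entry above describes the mechanism: a client opens a stream and cancels it with RST_STREAM immediately, so the stream no longer counts against the concurrent-stream limit while the server still pays to process the request, and the client repeats this as fast as it can send frames. The following is an added example, not code from any server that shipped a fix. It models the two relevant frame types and a per-connection guard that counts RST_STREAM frames over a sliding window and signals that the connection should be torn down once the count exceeds a threshold, then runs it over a constructed rapid-reset burst and over constructed paced cancellations. The window (1 s) and threshold (100 resets) are illustrative values chosen for the example, not any server's defaults.

```go
package main

import (
	"fmt"
	"time"
)

// Minimal model of the two frame types the attack relies on. Real HTTP/2
// framing has many more; this is an illustration, not a parser.
type frameType int

const (
	frameHeaders   frameType = iota // client opens a stream
	frameRSTStream                  // client cancels it
)

type frame struct {
	Type     frameType
	StreamID uint32
	At       time.Time
}

// resetGuard counts RST_STREAM frames per connection over a sliding window.
// The window and threshold are illustrative, not a specific server's defaults.
type resetGuard struct {
	window    time.Duration
	maxResets int
	resets    []time.Time
	open      map[uint32]bool
}

func newResetGuard(window time.Duration, maxResets int) *resetGuard {
	return &resetGuard{window: window, maxResets: maxResets, open: map[uint32]bool{}}
}

// observe consumes one frame and reports whether the connection should be
// torn down (a real server would send GOAWAY rather than keep serving it).
func (g *resetGuard) observe(f frame) bool {
	switch f.Type {
	case frameHeaders:
		g.open[f.StreamID] = true
	case frameRSTStream:
		// The reset frees the stream slot immediately, which is why a
		// concurrent-stream limit alone does not bound the attacker's rate.
		delete(g.open, f.StreamID)
		g.resets = append(g.resets, f.At)
		cut := f.At.Add(-g.window)
		i := 0
		for i < len(g.resets) && g.resets[i].Before(cut) {
			i++
		}
		g.resets = g.resets[i:] // forget resets older than the window
		return len(g.resets) > g.maxResets
	}
	return false
}

// openCancelPairs builds n HEADERS/RST_STREAM pairs spaced gap apart,
// starting at start (constructed traffic for the example).
func openCancelPairs(n int, gap time.Duration, start time.Time) []frame {
	frames := make([]frame, 0, 2*n)
	for k := 0; k < n; k++ {
		id := uint32(2*k + 1) // client-initiated streams use odd IDs
		at := start.Add(time.Duration(k) * gap)
		frames = append(frames,
			frame{Type: frameHeaders, StreamID: id, At: at},
			frame{Type: frameRSTStream, StreamID: id, At: at})
	}
	return frames
}

// runConnection feeds frames to the guard and returns the index of the frame
// that tripped it, or -1 if the connection survives the whole sequence.
func runConnection(g *resetGuard, frames []frame) int {
	for i, f := range frames {
		if g.observe(f) {
			return i
		}
	}
	return -1
}

func main() {
	start := time.Date(2023, 10, 10, 0, 0, 0, 0, time.UTC)
	attack := openCancelPairs(200, time.Microsecond, start)
	fmt.Println("rapid reset burst tripped at frame:", runConnection(newResetGuard(time.Second, 100), attack))
	normal := openCancelPairs(200, 50*time.Millisecond, start)
	fmt.Println("paced cancellations tripped at frame:", runConnection(newResetGuard(time.Second, 100), normal))
}
```

A guard of this shape is a mitigation, not a fix to the protocol: it bounds the work one connection can force per unit time, and a client that spreads the same number of resets across many connections has to be handled by connection-level limits instead.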