CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10393 – jenkins-script-security-plugin: handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts
https://notcve.org/view.php?id=CVE-2019-10393
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts. • http://www.openwall.com/lists/oss-security/2019/09/12/2 https://jenkins.io/security/advisory/2019-09-12/#SECURITY-1538 https://access.redhat.com/security/cve/CVE-2019-10393 https://bugzilla.redhat.com/show_bug.cgi?id=1819697 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10399 – jenkins-script-security-plugin: handling of property names in property expressions in increment and decrement expressions allowed attackers to execute arbitrary code in sandboxed scripts
https://notcve.org/view.php?id=CVE-2019-10399
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions in increment and decrement expressions allowed attackers to execute arbitrary code in sandboxed scripts. • http://www.openwall.com/lists/oss-security/2019/09/12/2 https://jenkins.io/security/advisory/2019-09-12/#SECURITY-1538 https://access.redhat.com/security/cve/CVE-2019-10399 https://bugzilla.redhat.com/show_bug.cgi?id=1819713 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10394 – jenkins-script-security-plugin: handling of property names in property expressions on the left-hand side of assignment expression leads to execute arbitrary code in sandboxed scripts
https://notcve.org/view.php?id=CVE-2019-10394
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions on the left-hand side of assignment expressions allowed attackers to execute arbitrary code in sandboxed scripts. • http://www.openwall.com/lists/oss-security/2019/09/12/2 https://jenkins.io/security/advisory/2019-09-12/#SECURITY-1538 https://access.redhat.com/security/cve/CVE-2019-10394 https://bugzilla.redhat.com/show_bug.cgi?id=1819692 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10400 – jenkins-script-security-plugin: handling of subexpressions in increment and decrement expressions not involving actual assignment allowed attackers to execute arbitrary code in sandboxed scripts
https://notcve.org/view.php?id=CVE-2019-10400
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of subexpressions in increment and decrement expressions not involving actual assignment allowed attackers to execute arbitrary code in sandboxed scripts. • http://www.openwall.com/lists/oss-security/2019/09/12/2 https://jenkins.io/security/advisory/2019-09-12/#SECURITY-1538 https://access.redhat.com/security/cve/CVE-2019-10400 https://bugzilla.redhat.com/show_bug.cgi?id=1819708 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 0%CPEs: 3EXPL: 0CVE-2019-9812 – Mozilla Firefox sync Universal Cross-Site Scripting Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2019-9812
Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69. Dado un proceso de contenido comprometido dentro del sandbox debido a una vulnerabilidad separada, es posible escapar de ese sandbox cargando accounts.firefox.com en ese proceso y forzando un inicio de sesión en una cuenta de Firefox Sync maliciosa. La configuración de preferencias que deshabilita el sandbox es sincronizada con la máquina local y el navegador comprometido se reiniciará sin el sandbox si es activado un bloqueo. • https://bugzilla.mozilla.org/show_bug.cgi?id=1538008 https://bugzilla.mozilla.org/show_bug.cgi?id=1538015 https://www.mozilla.org/security/advisories/mfsa2019-25 https://www.mozilla.org/security/advisories/mfsa2019-26 https://www.mozilla.org/security/advisories/mfsa2019-27 https://access.redhat.com/security/cve/CVE-2019-9812 https://bugzilla.redhat.com/show_bug.cgi?id=1748660 • CWE-250: Execution with Unnecessary Privileges •