CVSS: 7.3EPSS: 1%CPEs: 1EXPL: 0CVE-2024-28153
https://notcve.org/view.php?id=CVE-2024-28153
06 Mar 2024 — Jenkins OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports, resulting in a stored cross-site scripting (XSS) vulnerability. El complemento Jenkins OWASP Dependency-Check 5.4.5 y versiones anteriores no escapa a los metadatos de vulnerabilidad de los informes Dependency-Check, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) almacenadas. • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28151
https://notcve.org/view.php?id=CVE-2024-28151
06 Mar 2024 — Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller, allowing attackers with Item/Configure permission to determine whether a path on the Jenkins controller file system exists, without being able to access it. Jenkins HTML Publisher Plugin 1.32 y versiones anteriores archiva enlaces simbólicos no válidos en directorios de informes de agentes y los recrea en el controlador, lo que permite a los atacantes con permi... • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28150
https://notcve.org/view.php?id=CVE-2024-28150
06 Mar 2024 — Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Jenkins HTML Publisher Plugin 1.32 y versiones anteriores no escapan a los nombres de trabajos, nombres de informes y títulos de páginas de índice que se muestran como parte del frame del informe, lo que genera una vulnerabilidad de Cross-Site Scr... • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28149 – jenkins-2-plugins: Improper input sanitization in HTML Publisher Plugin
https://notcve.org/view.php?id=CVE-2024-28149
06 Mar 2024 — Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins controller file system exists. El complemento Jenkins HTML Publisher 1.16 a 1.32 (ambos inclusive) no sanitizada adecuadamente la entrada, lo que permite a los atacantes con permiso Elemento/Configurar implementar ataques de Cross-Site Scripting (XSS) y determinar si ... • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2216
https://notcve.org/view.php?id=CVE-2024-2216
06 Mar 2024 — A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions. Una verificación de permiso faltante en un punto final HTTP en el complemento Docker-build-step de Jenkins 2.11 y versiones anteriores permite a los atacantes con permiso general/lectura co... • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2215
https://notcve.org/view.php?id=CVE-2024-2215
06 Mar 2024 — A cross-site request forgery (CSRF) vulnerability in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions. Una vulnerabilidad de falsificación de solicitud entre sitios (CSRF) en el complemento Docker-build-step de Jenkins 2.11 y versiones anteriores permite a los atacantes conectarse a una URL de socket TCP o Unix espec... • http://www.openwall.com/lists/oss-security/2024/03/06/3 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23905
https://notcve.org/view.php?id=CVE-2024-23905
24 Jan 2024 — Jenkins Red Hat Dependency Analytics Plugin 0.7.1 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. El complemento Jenkins Red Hat Dependency Analytics 0.7.1 y versiones anteriores deshabilita mediante programación la protección de la política de seguridad de contenido para el contenido generado por el usuario en espacios de trabajo, artefactos archivados, etc. que Jenkins ofrece para ... • http://www.openwall.com/lists/oss-security/2024/01/24/6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23904
https://notcve.org/view.php?id=CVE-2024-23904
24 Jan 2024 — Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system. Jenkins Log Command Plugin 1.0.2 y versiones anteriores no desactivan una función de su analizador de comandos que reemplaza un carácter '@' seguido de una ruta de archivo en un argumento con el contenido del ar... • http://www.openwall.com/lists/oss-security/2024/01/24/6 •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23903
https://notcve.org/view.php?id=CVE-2024-23903
24 Jan 2024 — Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. El complemento Jenkins GitLab Branch Source 684.vea_fa_7c1e2fe3 y versiones anteriores utiliza una función de comparación de tiempo no constante al verificar si el token de webhook proporcionado y el esperado son iguales, lo que potenc... • http://www.openwall.com/lists/oss-security/2024/01/24/6 • CWE-697: Incorrect Comparison •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23902
https://notcve.org/view.php?id=CVE-2024-23902
24 Jan 2024 — A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier allows attackers to connect to an attacker-specified URL. Una vulnerabilidad de cross-site request forgery (CSRF) en el complemento Jenkins GitLab Branch Source 684.vea_fa_7c1e2fe3 y versiones anteriores permite a los atacantes conectarse a una URL especificada por el atacante. • http://www.openwall.com/lists/oss-security/2024/01/24/6 • CWE-352: Cross-Site Request Forgery (CSRF) •