
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
• References: http://www.openwall.com/lists/oss-security/2023/09/06/9 https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3235
• CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'.
• References: http://www.openwall.com/lists/oss-security/2023/09/06/9 https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3235
• CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not properly sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability.
• References: http://www.openwall.com/lists/oss-security/2023/09/06/9 https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3233
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the 'name' query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated configuration history that was not created by the plugin.
• References: http://www.openwall.com/lists/oss-security/2023/09/06/9 https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3233
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure job names.
• References: http://www.openwall.com/lists/oss-security/2022/08/23/2 https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2765
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')