CVE-2023-28681
https://notcve.org/view.php?id=CVE-2023-28681
Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. • https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2926 • CWE-611: Improper Restriction of XML External Entity Reference
CVE-2022-34785
https://notcve.org/view.php?id=CVE-2022-34785
Jenkins build-metrics Plugin 1.3 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about jobs otherwise inaccessible to them. • https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2643 • CWE-863: Incorrect Authorization
CVE-2022-34784
https://notcve.org/view.php?id=CVE-2022-34784
Jenkins build-metrics Plugin 1.3 does not escape the build description on one of its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Build/Update permission. • https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-1118 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-20621
https://notcve.org/view.php?id=CVE-2022-20621
Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. • http://www.openwall.com/lists/oss-security/2022/01/12/6 • https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1624 • CWE-522: Insufficiently Protected Credentials
CVE-2019-10475 – Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-10475
A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin. Jenkins Build-Metrics plugin version 1.3 suffers from a cross-site scripting vulnerability. • https://www.exploit-db.com/exploits/47598 • https://github.com/vesche/CVE-2019-10475 • http://packetstormsecurity.com/files/155200/Jenkins-Build-Metrics-1.3-Cross-Site-Scripting.html • http://www.openwall.com/lists/oss-security/2019/10/23/2 • https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1490 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')