
CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Aug 2023 — A cross-site request forgery (CSRF) vulnerability in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3115 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Aug 2023 — A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3115 • CWE-862: Missing Authorization

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Aug 2023 — Jenkins Fortify Plugin 22.1.38 and earlier does not escape the error message for a form validation method, resulting in an HTML injection vulnerability. • https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3140 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

24 Feb 2022 — Laravel Fortify before 1.11.1 allows reuse within a short time window, thus calling into question the "OT" part of the "TOTP" concept. • https://github.com/laravel/fortify/issues/201#issuecomment-1009282153 • CWE-294: Authentication Bypass by Capture-replay

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Feb 2022 — Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps, allowing attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system with content not controllable by the attacker. • http://www.openwall.com/lists/oss-security/2022/02/15/2 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Jan 2020 — Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwords unencrypted in job config.xml files on the Jenkins master, where they can be viewed by users with Extended Read permission or with access to the master file system. • http://www.openwall.com/lists/oss-security/2020/01/29/1 • CWE-522: Insufficiently Protected Credentials