5 results (0.025 seconds)

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121 • CWE-276: Incorrect Default Permissions •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

Jenkins AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. Jenkins AppSpider Plugin versiones 1.0.12 y anteriores, almacena una contraseña sin cifrar en su archivo de configuración global en el controlador de Jenkins, donde puede ser visualizado por parte de los usuarios con acceso al sistema de archivos del controlador de Jenkins • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2058 • CWE-522: Insufficiently Protected Credentials •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

In AppSpider installer versions prior to 7.2.126, the AppSpider installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine. This would prevent the installer from distinguishing between a valid executable called during an installation and any arbitrary code executable using the same file name. En el instalador AppSpider versiones anteriores a 7.2.126, el instalador AppSpider llama a un ejecutable que puede ser colocado en el directorio apropiado por un atacante con acceso a la máquina local. Esto impediría que el instalador distinga entre un ejecutable válido llamado durante una instalación y cualquier ejecutable de código arbitrario usando el mismo nombre de archivo • https://help.rapid7.com/appspider/release-notes/index.html?pid=7.2.126 • CWE-427: Uncontrolled Search Path Element •

CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0

The Chrome Plugin for Rapid7 AppSpider can incorrectly keep browser sessions active after recording a macro, even after a restart of the Chrome browser. This behavior could make future session hijacking attempts easier, since the user could believe a session was closed when it was not. This issue affects Rapid7 AppSpider version 3.8.213 and prior versions, and is fixed in version 3.8.215. El Plugin de Chrome para Rapid7 AppSpider puede mantener activas las sesiones del navegador incorrectamente después de grabar una macro, inclusive después de reiniciar el navegador Chrome. Este comportamiento podría facilitar los futuros intentos de secuestro de sesión, ya que el usuario podría creer que una sesión fue cerrada cuando no era así. • https://help.rapid7.com/appspiderenterprise/release-notes/?rid=3.8.215 • CWE-613: Insufficient Session Expiration •