Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-223m-pgcq-f3xg: Jenkins Fortify Plugin HTML injection vulnerability

Jenkins Fortify Plugin 22.1.38 and earlier does not escape the error message for a form validation method. This results in an HTML injection vulnerability.

Fortify Plugin 22.2.39 removes HTML tags from the error message.

ghsa
#vulnerability#git

Jenkins Fortify Plugin HTML injection vulnerability

Moderate severity GitHub Reviewed Published Aug 22, 2023 to the GitHub Advisory Database • Updated Aug 22, 2023

Related news

CVE-2023-40336: Jenkins Security Advisory 2023-08-16

A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders.

CVE-2023-40340: Jenkins Security Advisory 2023-08-16

Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.

CVE-2023-40343: Jenkins Security Advisory 2023-08-16

Jenkins Tuleap Authentication Plugin 1.1.20 and earlier uses a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.

CVE-2023-40347: Jenkins Security Advisory 2023-08-16

Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.

CVE-2023-40350: Jenkins Security Advisory 2023-08-16

Jenkins Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker.

CVE-2023-40351: Jenkins Security Advisory 2023-08-16

A cross-site request forgery (CSRF) vulnerability in Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier allows attackers to add or remove views from another user's favorite views tab bar.

CVE-2023-40345: Jenkins Security Advisory 2023-08-16

Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Overall/Read permission to access and capture credentials they are not entitled to.

CVE-2023-40349: Jenkins Security Advisory 2023-08-16

Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an option to secure its webhook endpoint, allowing unauthenticated attackers to trigger builds of jobs.

CVE-2023-40338: Jenkins Security Advisory 2023-08-16

Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system.

CVE-2023-40339: Jenkins Security Advisory 2023-08-16

Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log.