ghsa

A stored cross-site scripting (XSS) vulnerability in alkacon-OpenCMS v11.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field under the Upload Image module.

Jenkins Code Dx Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Code Dx Plugin 4.0.0 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

Jenkins Code Dx Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Code Dx Plugin 4.0.0 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

Jenkins Email Extension Plugin 2.96 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of files in the `email-templates/` directory in the Jenkins home directory on the controller file system. This form validation method requires the appropriate permission in Email Extension Plugin 2.96.1.

Jenkins Pipeline: Job Plugin 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, when "Do not allow concurrent builds" is set. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately. The Jenkins security team is not aware of any plugins that allow the exploitation of this vulnerability, as the build name must be set before the build starts. Pipeline: Job Plugin 1295.v395eb_7400005 escapes the display name of the build that caused an earlier build to be aborted.

Jenkins Email Extension Plugin 2.96 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This allows attackers to make another user stop watching an attacker-specified job. Email Extension Plugin 2.96.1 requires POST requests for the affected HTTP endpoint.

Jenkins Pipeline Utility Steps Plugin provides the `untar` and `unzip` Pipeline steps to extract archives into job workspaces. Pipeline Utility Steps Plugin 2.15.2 and earlier does not validate or limit file paths of files contained within these archives. This allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content. Pipeline Utility Steps Plugin 2.15.3 rejects extraction of files in `tar` and `zip` archives that would be placed outside the expected destination directory.

Jenkins Tag Profiler Plugin 0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to reset profiler statistics. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix.

Jenkins Sidebar Link Plugin allows specifying files in the `userContent/` directory for use as link icons. Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. Sidebar Link Plugin 2.2.2 ensures that only files located within the expected `userContent/` directory can be accessed.

Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters. This allows attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content. File Parameter Plugin 285.287.v4b_7b_29d3469d restricts the name (and resulting uploaded file name) of Stashed File Parameters.