A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-24437: Jenkins Security Advisory 2023-01-24

Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

CVE-2023-24440: Jenkins Security Advisory 2023-01-24

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

CVE-2023-24450: Jenkins Security Advisory 2023-01-24

Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to.

CVE-2023-24425: Jenkins Security Advisory 2023-01-24

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.

CVE-2023-24456: Jenkins Security Advisory 2023-01-24

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-24433: Jenkins Security Advisory 2023-01-24

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2022-38775: Security issues

### Impact

Password reset form is vulnerable to CSRF between time reset password link is clicked and user submits new password.

### Patches

Versions 19.4.22 and 20.0.19 contain patches.

### Workarounds

None

### References

See https://hackerone.com/reports/1086752

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2021-21395

**magento-lts Reset Password not protected against well-timed CSRF**

**Package**

composer openmage/magento-lts (Composer)

**Affected versions**

< 19.4.22

\>= 20.0.0, < 20.0.19

**Patched versions**

19.4.22

20.0.19

**Description**

Published to the GitHub Advisory Database

Jan 26, 2023

**Weaknesses**

**GHSA ID**

GHSA-r3c9-9j5q-pwv4

**Source code**

GHSA-r3c9-9j5q-pwv4: magento-lts Reset Password not protected against well-timed CSRF

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

**Cross-Site Request Forgery in modoboa**

Moderate severity GitHub Reviewed Published Jan 23, 2023 • Updated Jan 23, 2023

GHSA-9c64-x3cx-vgmm: Cross-Site Request Forgery in modoboa

The Booster for WooCommerce WordPress plugin before 6.0.1, Booster Plus for WooCommerce WordPress plugin before 6.0.1, Booster Elite for WooCommerce WordPress plugin before 6.0.1 have either flawed CSRF checks or are missing them completely in numerous places, allowing attackers to make logged in users perform unwanted actions via CSRF attacks

Tag

#csrf