Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Email Extension Plugin
*   Flaky Test Handler Plugin
*   Pipeline Maven Integration Plugin
*   Yet Another Build Visualizer Plugin

**Descriptions****Stored XSS vulnerability in help icons**

**SECURITY-1955 / CVE-2020-2229**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values.

This results in a stored cross-site scripting (XSS) vulnerability.

Jenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons.

**Stored XSS vulnerability in project naming strategy**

**SECURITY-1957 / CVE-2020-2230**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.

Jenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.

**Stored XSS vulnerability in 'Trigger builds remotely'**

**SECURITY-1960 / CVE-2020-2231**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely'.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.

Jenkins 2.252, LTS 2.235.4 escapes the remote address of the host.

**SMTP password transmitted and displayed in plain text by Email Extension Plugin**

**SECURITY-1975 / CVE-2020-2232**  
**Severity (CVSS):** Low  
**Affected plugin: email-ext**  
**Description:**

Email Extension Plugin stores an SMTP password in its global configuration file hudson.plugins.emailext.ExtendedEmailPublisher.xml on the Jenkins controller as part of its configuration.

While this password is stored encrypted on disk, it is transmitted and displayed in plain text as part of the configuration form by Email Extension Plugin 2.72 and 2.73. This can result in exposure of the password.

Email Extension Plugin 2.74 transmits the SMTP password in its global configuration encrypted and masks it using a password field.

**Missing permission check in Pipeline Maven Integration Plugin allows enumerating credentials IDs**

**SECURITY-1794 (1) / CVE-2020-2233**  
**Severity (CVSS):** Medium  
**Affected plugin: pipeline-maven**  
**Description:**

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline Maven Integration Plugin 3.8.3 requires the appropriate permissions.

**CSRF vulnerability and missing permission check in Pipeline Maven Integration Plugin allow capturing credentials**

**SECURITY-1794 (2) / CVE-2020-2234 (permission check), CVE-2020-2235 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-maven**  
**Description:**

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a permission check in a method implementing form validation.

This allows users with Overall/Read access to Jenkins to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Pipeline Maven Integration Plugin 3.8.3 requires POST requests and Job/Configure permission for the affected form validation method.

**Stored XSS vulnerability in Yet Another Build Visualizer Plugin**

**SECURITY-1940 / CVE-2020-2236**  
**Severity (CVSS):** High  
**Affected plugin: yet-another-build-visualizer**  
**Description:**

Yet Another Build Visualizer Plugin 1.11 and earlier does not escape tooltip content.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Run/Update permission.

Yet Another Build Visualizer Plugin 1.12 escapes tooltip content.

**CSRF vulnerability in Flaky Test Handler Plugin**

**SECURITY-1763 / CVE-2020-2237**  
**Severity (CVSS):** Medium  
**Affected plugin: flaky-test-handler**  
**Description:**

Flaky Test Handler Plugin 1.0.4 and earlier does not require POST requests for the "Deflake this build" feature, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to rebuild a project at a previous git revision where the tests were failing.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1763: Medium
*   SECURITY-1794 (1): Medium
*   SECURITY-1794 (2): High
*   SECURITY-1940: High
*   SECURITY-1955: High
*   SECURITY-1957: High
*   SECURITY-1960: High
*   SECURITY-1975: Low

**Affected Versions**

*   Jenkins weekly up to and including 2.251
*   Jenkins LTS up to and including 2.235.3
*   **Email Extension Plugin** up to and including 2.73
*   **Flaky Test Handler Plugin** up to and including 1.0.4
*   **Pipeline Maven Integration Plugin** up to and including 3.8.2
*   **Yet Another Build Visualizer Plugin** up to and including 1.11

**Fix**

*   Jenkins weekly should be updated to version 2.252
*   Jenkins LTS should be updated to version 2.235.4
*   **Email Extension Plugin** should be updated to version 2.74
*   **Pipeline Maven Integration Plugin** should be updated to version 3.8.3
*   **Yet Another Build Visualizer Plugin** should be updated to version 1.12

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Flaky Test Handler Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Bjoern Kasteleiner** for SECURITY-1975
*   **Pierre Beitz, CloudBees, Inc.** for SECURITY-1957
*   **Tim Jacomb** for SECURITY-1794 (1), SECURITY-1794 (2)
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1763, SECURITY-1940, SECURITY-1955, SECURITY-1960

CVE-2020-2230: Jenkins Security Advisory 2020-08-12

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability.

CVE-2020-2229: Jenkins Security Advisory 2020-08-12

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.

CVE-2020-2231: Jenkins Security Advisory 2020-08-12

Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202004008

CVE ID

CVE-2020-12781

CVSS

5.7 (Medium)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

影響產品

Combodo iTop 2.7.0-beta2之前的版本

問題描述

Combodo iTop含有跨站請求攻擊之漏洞，攻擊者可以藉由惡意網頁來偽造請求，並執行特定指令。

解決方法

更新至Combodo iTop 2.7.1

漏洞通報者

黃榆翔、蔡仲南、Tseng, Yung-Hao

公開日期

2020-08-10

CVE-2020-12781: Combodo iTop - CSRF

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

CVE-2020-11110: grafana/CHANGELOG.md at main · grafana/grafana

OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp.

CVE-2020-15074: Access Server Release Notes | OpenVPN

An issue was discovered in Navigate CMS 2.8 and 2.9 r1433. The query parameter fid on the resource navigate.php does not perform sufficient data validation and/or encoding, making it vulnerable to reflected XSS.

I recently took part in a live bug hunting event:

> — OnSecurity - We're Hiring! (@HackersOnDemand) June 9, 2020

As part of these event, we reviewed the product Navigate CMS. In order to perform this review I setup a local instance of this tool, using version v2.9 r1433 (2020/06).

While taking part of this event, I managed to help identify several findings:

*   User enumeration
*   Session information leakage
*   User password reset vulnerability
*   Store Cross-Site Scripting (XSS)
*   Reflected Cross-Site Scripting (XSS)

**User Enumeration - CVE-2020-14016**

Navigate CMS has a _Forgot password?_ feature, which allows a user to reset their password if they forgot what their current password is.

Navigate CMS login page with _Forgot password?_ link.

In order to use this feature the user supplies either their username associated with their account, or the email address which is associate with their account.

Forgot password feature.

When entering the username or email address of a non-existent user, it produces and error stating that the user couldn't be found:

Result of providing details of non-existent user.

When reviewing the HTTP response it can clearly be seen that the HTTP response responds with the message _not\_found_ in the response body:

**HTTP request:**

    POST /navigate/login.php HTTP/1.1
    Host: 192.168.0.130
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Csrf-Token: 236c7e771d9d104865dd84a095910bdeef4434443f7c55be1cdff82bb6037b7f
    X-Requested-With: XMLHttpRequest
    Content-Length: 36
    Origin: http://192.168.0.130
    Connection: close
    Referer: http://192.168.0.130/navigate/login.php
    Cookie: PHPSESSID=6ls0ko8kgh9fikeqt0a78cmp0t; navigate-tinymce-scroll=%7B%7D; NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t
    
    action=forgot-password&value=invalid
    

**HTTP Response**

    HTTP/1.1 200 OK
    Date: Wed, 10 Jun 2020 16:55:33 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Set-Cookie: NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Set-Cookie: NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t; expires=Wed, 10-Jun-2020 17:55:33 GMT; Max-Age=3600; path=/; domain=192.168.0.130; HttpOnly; SameSite=Lax
    Set-Cookie: PHPSESSID=6ls0ko8kgh9fikeqt0a78cmp0t; expires=Wed, 10-Jun-2020 17:55:33 GMT; Max-Age=3600; path=/; domain=192.168.0.130; HttpOnly; SameSite=Lax
    X-Csrf-Token: 236c7e771d9d104865dd84a095910bdeef4434443f7c55be1cdff82bb6037b7f
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html; charset=utf-8
    Content-Length: 9
    
    not_found
    

Using this one can either use something such as a wordlist to try enumeration which users exist on the system:

User enumeration of the _Forgot password?_ feature.

**Session Information Leakage - CVE-2020-14017**

Navigate CMS stores session information in plaintext files on the server in the webroot. These files are then publicly available to un-authenticated users. As part of the setup, there is an option to copy/install the appropriate _.htaccess_ files used to prevent access to this directory and files. However it appears that this doesn't prevent access with later versions of Apache HTTPD.

Depending how the server has been configured, it could be possible to view the contents of the directory:

Directory list of the directory private/sessions which contains all session files.

Upon navigating to one of the session files (most preferably the most recent), one is able to view details and sensitive information (such as CSRF tokens) which are associated with the session:

Details of session file.

If directory listing has been disabled on the webserver (such as via Apache configuration), an attacker is still able to access these files without authentication, however they would need to bruteforce the session IDs to find existing sessions and thus the existing session files:

Bruteforcing of session files.

**User Password Reset Vulnerability - CVE-2020-14015**

The _Forgot password?_ feature allows a user to reset their password. When a user successfully enters their username or email address in the forgot password feature, an email is sent the user which contains a password reset link. This link contains an _activation code_, which allows the user to then reset the password associated with their account.

When providing an invalid code, the user is presented with the login screen:

Login screen with invalid password activation code.

However a flaw exists when no code is presented, the user is prompted for a new password:

Password reset for now password activation code.

And setting the password results in success:

Password reset successful.

Upon further investigation, the reason is that when a user is created, their account is created without an activation code:

Database after user created.

When no code is supplied in the password reset process flow, the first user without an activation key will be matched and thus have their password reset.

**Stored Cross-Site Scripting - CVE-2020-14018**

While there is HTML encoding on _User_ field in the Users / Edit page, there is not sufficient encoding on the _E-Mail_ field, these leaves it vulnerable to a store XSS vulnerability:

Stored XSS from E-Mail field on the Users / Edit page.

As stated the _User_ field is appropriate HTML encoded, preventing any XSS vulnerability from this field on this page:

HTML encoding of the _User_ field.

However the E-Mail field is does not have sufficient HTML encoding, resulting in a stored XSS vulnerability:

XSS vulnerability in the _E-Mail_ field.

This stored XSS vulnerability is persisted and present from both the _User_ as well as the _E-Mail_ fields when viewing users on the _Users_ page:

Stored XSS from the _User_ field.

Stored XSS from the _E-Mail_ field.

**Reflected Cross-Site Scripting - CVE-2020-14014**

On the landing page once the user authenticates, there is a resource _/nagivate.php_ which can take the query parameter _fid_. The value from this parameter is reflected back on the page, without having appropriate validation or HTML encoding. This makes the page vulnerable to reflected XSS:

Reflected XSS from the vulnerable _fid_ query parameter.

This is since the value is reflected to a link in the top right corner of the page:

Reflected link contain the reflected XSS.

**Resolution**

Fixed as of version v2.9.1 r1487 (2020/06).

**Vendor Notification**

*   10 June 2020 - Initial contact with the vendor, indicating wish to share findings with vendor before disclosing publicly.
*   11 June 2020 - Received response from vendor expressing wish to obtain information about findings.
*   11 June 2020 - Forwarded findings to vendor.
*   17 June 2020 - Vendor shared fixes with myself and asked me to review the fixes.
*   21 June 2020 - Reviewed fixes and confirmed with vendor.
*   22 June 2020 - Vendor confirmed new version and approved public disclosure of findings.

CVE-2020-14014: Navigate CMS

A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.

CVE-2020-8167: HackerOne

Bolt CMS before version 3.7.1 lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could generate a preview. This has been fixed in Bolt 3.7.1

**Impact**

Bolt CMS lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could generate a preview.

**Patches**

This has been fixed in Bolt 3.7.1

**References**

Related issue: #7853

CVE-2020-4040: CSRF issue on preview pages

D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Transmission of Sensitive Information.

DIR-865L :: Rev. Ax :: End of Support / End of Life Product :: Reporting Multiple Vulnerabilities

**Overview**

  
On February 28, 2020, a report from a security researcher at Palo Alto Networks  identified the DIR-865L hardware Ax with 1.20B01 Beta released on August 9, 2018, as potentially having multiple security vulnerabilities.

DIR-865L reached its End of Support (“EOS”) / End of Life (“EOL”) Date on 02/01/2016. As a  general policy, when the product reaches EOS/EOL, it  can no longer be supported, and all firmware development for the product ceases, except in certain unique situations.  In this particular case for DIR-865, D-Link was able to provide a Beta Patch Release after the EOS/EOL Date.  **Please see information and recommendations** below. 

As a part of our standard process, we accept reports from 3rd parties and then confirm the report across the family of products that could be affected by software or hardware design similarities that are or were shipped under the D-Link brand globally.  

**Third-Party Report**

      Gregory Basior:: Palo Alto Networks:: Gasior \_at\_ Palo alto networks \_dot\_ com 

      Davila Loranca:: Palo Alto Networks:: adavilaloran \_at\_ Palo alto networks \_dot\_ com  

      Jun Du:: Palo Alto Networks:: judu \_at\_ Palo alto networks \_dot\_ com   

     CVE-ID::

            CVE-2020-13785  D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength.

            CVE-2020-13782  D-Link DIR-865L Ax 1.20B01 Beta devices allow Command Injection.

            CVE-2020-13784  D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number

            CVE-2020-13783  D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Storage of Sensitive Information.

            CVE-2020-13786  D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF.

            CVE-2020-13787  D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Transmission of Sensitive Informatio…  
  

     CWE-IDs::

           1. CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection)             

           2. CWE-352: Cross-Site Request Forgery (CSRF)                        

           3. CWE-326: Inadequate Encryption Strength       

           4. CWE-337: Predictable seed in Pseudo-Random Number Generator      

           5. CWE-312: Cleartext Storage of Sensitive Information                 

           6. CWE-319: Cleartext Transmission of Sensitive Information  

**Exceptional Beta Patch Release**   

Released: v1.20B01Beta01 05-26-2020 :: LINK

D-Link continues to recommend that for the End Of Support (“EOS”) / End of Life (“EOL”) products , a product owner should retire the EOS/EOL product and replace the EOS/EOL product for an actively supported product.

Owners of the DIR-865L who use this product beyond EOS/EOL, at their own risk, should manually update to the latest firmware. This beta release is a result of investigation based on the understanding of the report and is released after a complete investigation of the entire family of products that may be affected. Releasing firmware after EOS/EOL is not a standard operating procedure.

**CWE-ID Fixes Offered In Exceptional Beta Release  
**

2\. CWE-352: Cross-Site Request Forgery (CSRF)   

3\. CWE-326: Inadequate Encryption Strength   

5\. CWE-312: Cleartext Storage of Sensitive Information 

**Recommendation for End of Support Life Products**

From time to time, D-Link will decide that some of its products have reached End of Support ("EOS") / End of Life (“EOL”). D-Link may choose to EOS/EOL a product due to evolution of technology, market demands,  new innovations, product efficiencies based on new technologies, or the product matures over time and should be replaced by functionally superior technology.

**For US Consumer**

If a product has reached End of Support ("EOS") / End of Life ("EOL"), there is normally no further extended support or development for it. Once a product reaches its EOL/EOS date, it is transferred to  https://legacy.us.dlink.com/

Typically for these products, D-Link will be unable to resolve device or firmware issues since all development and customer support has ceased. 

This DIR-856L is an exceptional circumstance in which D-Link is able to provide a Beta Patch Release. However, D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it. If US consumers continue to use the DIR-856L against D-Link's recommendation, please make sure the device has the most recent firmware from https://legacy.us.dlink.com/ installed, make sure you frequently update the device's unique password to access its web-configuration, and always have WIFI encryption enabled with a unique password.

Tag

#csrf