Dell SupportAssist Client versions prior to 3.2.0.90 contain an improper origin validation vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability to attempt CSRF attacks on users of the impacted systems.

CVE-2019-3718

A flaw was found in the /oauth/token/request custom endpoint of the OpenShift OAuth server allowing for XSS generation of CLI tokens due to missing X-Frame-Options and CSRF protections. If not otherwise prevented, a separate XSS vulnerability via JavaScript could further allow for the extraction of these tokens.

'CVE-2019-3876?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2019-3876: Invalid Bug ID

Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication. This can be exploited remotely or via CSRF because the cookie can be placed in an Accept HTTP header in an XMLHttpRequest call to lighttpd.

CVE-2019-10655

Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter.

CVE-2019-9167: Security Disclosures - Nagios

The wp-google-maps plugin before 7.10.43 for WordPress has XSS via the wp-admin/admin.php PATH_INFO.

*   Vulnerability: XSS
*   Affected Software: wpGoogleMaps (400,000+ active installations)
*   Affected Version: 7.10.41
*   Patched Version: 7.10.43
*   Risk: Medium
*   Vendor Contacted: 10/25/2018
*   Vendor Fix: 10/31/2018
*   Public Disclosure: 02/05/2019

**CVSS**

6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

**Details**

The wpGoogleMaps WordPress plugin is vulnerable to reflected XSS as it echoes PHP\_SELF without proper encoding.

Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.

**Proof of Concept**

    http://192.168.0.103/wordpress/wp-admin/admin.php/'"><img src=x onerror=alert(1)>?page=wp-google-maps-menu&action=foo
    

**Code**

    wp-google-maps/wpGoogleMaps.php                          
    <input type='hidden' name='http_referer' value='".$_SERVER['PHP_SELF']."' />
    

**Timeline**

*   10/25/2018 Sent advisory
*   10/25/2018 Vendor confirms and releases fix
*   10/25/2018 Suggested improvement for fix
*   10/31/2018 Vendor releases improved fix
*   02/05/2019 Disclosure

CVE-2019-9912: wpGoogleMaps 7.10.41 - Reflected XSS (WordPress Plugin)

The wp-live-chat-support plugin before 8.0.18 for WordPress has wp-admin/admin.php?page=wplivechat-menu-gdpr-page term XSS.

*   Vulnerability: XSS
*   Affected Software: WP Live Chat Support (60,000+ active installations)
*   Affected Version: 8.0.17
*   Patched Version: 8.0.18
*   Risk: Medium
*   Vendor Contacted: 10/31/2018
*   Vendor Fix: 11/01/2018
*   Public Disclosure: 02/05/2019

**CVSS**

6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

**Details**

The WP Live Chat Support WordPress plugin is vulnerable to reflected XSS as it echoes the term parameter without proper encoding.

Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.

**Proof of Concept**

    http://192.168.0.103/wordpress/wp-admin/admin.php?page=wplivechat-menu-gdpr-page&term='"><img+src%3Dx+onerror%3Dalert(1)>
    

**Code**

    wp-live-chat-support/modules/gdpr.php:                      <a class='button' href='?page=wplivechat-menu-gdpr-page&term=<?php echo($_GET["term"]); ?>&action=delete&filter=<?php echo $action_action_filter; ?>&id=<?php echo $cid; ?>'><?php echo $delete_button_text; ?></a>
    wp-live-chat-support/modules/gdpr.php:                      <a class='button button-primary' href='?page=wplivechat-menu-gdpr-page&term=<?php echo($_GET["term"]); ?>&action=download&filter=<?php echo $action_action_filter; ?>&id=<?php echo $cid; ?>'><?php echo $download_button_text; ?></a>
    

**Further**

In addition to the reflected XSS issue, there is a self-XSS issue in the client-side input form, which can be triggered by entering '"><img src=x onerror=alert(1)>. Self-XSS may be exploitable via social engineering or Clickjacking.

**Timeline**

*   10/31/2018 Requested email address via contact form
*   10/31/2018 Vendor responds, advisory sent
*   11/01/2018 Vendor releases fix
*   02/05/2019 Confirmed fix & Disclosure

CVE-2019-9913: WP Live Chat Support 8.0.17 - Reflected XSS (WordPress Plugin)

The "Donation Plugin and Fundraising Platform" plugin before 2.3.1 for WordPress has wp-admin/edit.php csv XSS.

*   Vulnerability: XSS
*   Affected Software: Give (50,000+ active installations)
*   Affected Version: 2.3.0
*   Patched Version: 2.3.1
*   Risk: Medium
*   Vendor Contacted: 11/24/2018
*   Vendor Fix: 12/13/2018
*   Public Disclosure: 02/05/2019

**CVSS**

6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

**Details**

The Give WordPress plugin is vulnerable to reflected XSS as it echoes various parameter without proper encoding.

Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.

**Proof of Concept**

    http://localhost/wordpress/wp-admin/edit.php?post_type=give_forms&page=give-tools&tab=import&importer-type=import_donations&step=3&mapto%5B0%5D=email&mapto%5B1%5D=first_name&mapto%5B2%5D=amount&mapto%5B3%5D=form_id&csv='"><img+src%3dx+onerror%3dalert(1)>
    

**Code**

    public function start_import() {
        [...]
        <input type="hidden" value='<?php echo maybe_serialize( $_REQUEST['mapto'] ); ?>' name="mapto"
       class="mapto">
        <input type="hidden" value="<?php echo $_REQUEST['csv']; ?>" name="csv" class="csv">
        <input type="hidden" value="<?php echo $_REQUEST['mode']; ?>" name="mode" class="mode">
        <input type="hidden" value="<?php echo $_REQUEST['create_user']; ?>" name="create_user"
       class="create_user">
        <input type="hidden" value="<?php echo $_REQUEST['delete_csv']; ?>" name="delete_csv"
       class="delete_csv">
        <input type="hidden" value="<?php echo $delimiter; ?>" name="delimiter">
        <input type="hidden" value="<?php echo absint( $_REQUEST['dry_run'] ); ?>" name="dry_run">
    

**Timeline**

*   11/24/2018 Asked for email address via contact form
*   11/24/2018 Vendor responds, advisory sent
*   12/13/2018 Vendor releases fix
*   02/05/2019 Confirmed fix & Disclosure

CVE-2019-9909: Give 2.3.0 - Reflected XSS (WordPress Plugin)

An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with the firmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below, The values of the newpass and confpass parameters in /bin/WebMGR are used in a system call in the firmware. Because there is no user input validation, this leads to authenticated code execution on the device.

This website will mainly for manageing advisories which i create on day to day basis and for My CVE Database.

CVE ID

VENDOR

ISSUE

Reference

CVE-2015-1437

ASUS

XSS In Asus Router

https://nvd.nist.gov/vuln/detail/CVE-2015-1437

CVE-2015-1614

WordPress

XSRF(CSRF+XSS)

https://nvd.nist.gov/vuln/detail/CVE-2015-1614

CVE-2015-2755

WordPress

XSS / CSRF

https://nvd.nist.gov/vuln/detail/CVE-2015-2755

CVE-2016-9259

Tenable

Nessus XSS

https://www.tenable.com/security/tns-2016-17

CVE-2016-9261

Tenable

LCE XSS

https://www.tenable.com/security/tns-2016-18

CVE-2016-7103

Tenable

Security Centre XSS

https://www.tenable.com/security/tns-2016-19

CVE-2016-7103

Tenable

PVS XSS

https://www.tenable.com/security/tns-2016-20

CVE-2018-19524

Skyworth

Stack Overflow in Gpon Devices

https://s3curityb3ast.github.io/KSA-Dev-001.md

CVE-2018-19525

Systorme

Account takeover

https://s3curityb3ast.github.io/KSA-Dev-002.md

CVE-2019-7383

Systorme

RCE via shell upload

https://s3curityb3ast.github.io/KSA-Dev-003.md

CVE-2019-7387

Systorme

LFI

https://s3curityb3ast.github.io/KSA-Dev-004.md

CVE-2019-7384

Raisecom

Auth RCE

https://s3curityb3ast.github.io/KSA-Dev-005.md

CVE-2019-7385

Raisecom

Auth RCE

https://s3curityb3ast.github.io/KSA-Dev-006.md

CVE-2019-7386

NOKIA & HDM & KAI

Buffer overflow

https://s3curityb3ast.github.io/KSA-Dev-007.md

CVE-2020-21884

UniBox

XSRF

https://s3curityb3ast.github.io/KSA-Dev-008.txt

CVE-2020-21883

Unibox

Auth RCE

https://s3curityb3ast.github.io/KSA-Dev-009.txt

CVE-2021-3275

TP Link

Unauth-XSRF

https://s3curityb3ast.github.io/KSA-Dev-010.md

CVE-2021-25326

Skyworth

Info\_Disc

https://s3curityb3ast.github.io/KSA-Dev-012.txt

CVE-2021-25327

Skyworth

XSRF

https://s3curityb3ast.github.io/KSA-Dev-011.txt

CVE-2021-25328

Skyworth

Auth-RCE

https://s3curityb3ast.github.io/KSA-Dev-010.txt

CVE-2019-7385: Welcome to Kaustubh security advisories

Cross-site request forgery (CSRF) vulnerability in Smart Forms 2.6.15 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page.

CVE-2019-5924: Smart Forms – when you need more than just a contact form

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   AppDynamics Dashboard Plugin
*   Azure VM Agents Plugin
*   Bitbar Run-in-Cloud Plugin
*   Email Extension Plugin
*   Groovy Plugin
*   Job DSL Plugin
*   Matrix Project Plugin
*   OSF Builder Suite For Salesforce Commerce Cloud :: Deploy Plugin
*   Pipeline: Groovy Plugin
*   Rabbit-MQ Publisher Plugin
*   Repository Connector Plugin
*   Script Security Plugin

**Descriptions****Sandbox bypass in Script Security Plugin**

**SECURITY-1336 (1) / CVE-2019-1003029**

Script Security sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script.

Script Security Plugin is now newly applying sandbox protection during these phases.

This affected both script execution (typically invoked from other plugins) as well as an HTTP endpoint providing script validation and allowed users with Overall/Read permission to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

The API `GroovySandbox#run(Script, Whitelist)` has been deprecated and now emits a warning to the system log about potential security problems. `GroovySandbox#run(GroovyShell, String, Whitelist)` replaces it. `GroovySandbox#checkScriptForCompilationErrors(String, GroovyClassLoader)` has been added as a safer method to implement script validation.

**Sandbox bypass in Pipeline: Groovy Plugin**

**SECURITY-1336 (2) / CVE-2019-1003030**

Pipeline: Groovy sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script.

This allowed users able to control the contents of a pipeline to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

Pipeline: Groovy Plugin now uses Script Security APIs that apply sandbox protection during these phases.

**Script security sandbox bypass in Matrix Project Plugin**

**SECURITY-1339 / CVE-2019-1003031**

Matrix Project Plugin supports a sandboxed Groovy expression to filter matrix combinations. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script.

This allowed users able to configure a Matrix project to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

Matrix Project Plugin now uses Script Security APIs that apply sandbox protection during these phases.

**Script security sandbox bypass in Email Extension Plugin**

**SECURITY-1340 / CVE-2019-1003032**

Email Extension Plugin supports sandboxed Groovy expressions for multiple features. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script.

This allowed users able to control the plugin’s job-specific configuration to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

Email Extension Plugin now uses Script Security APIs that apply sandbox protection during these phases.

**Script security sandbox bypass in Groovy Plugin**

**SECURITY-1338 / CVE-2019-1003033**

Groovy Plugin supports sandboxed Groovy expressions for its "System Groovy" functionality. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script.

This affected both System Groovy script execution as well as an HTTP endpoint providing script validation, and allowed users with Overall/Read permission to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

Groovy Plugin now uses Script Security APIs that apply sandbox protection during these phases.

**Script security sandbox bypass in Job DSL Plugin**

**SECURITY-1342 / CVE-2019-1003034**

Job DSL Plugin supports sandboxed Groovy expressions for Job DSL definitions. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script.

This allowed users able to control the Job DSL scripts to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

Job DSL Plugin now uses Script Security APIs that apply sandbox protection during these phases.

**Information disclosure in Azure VM Agents Plugin**

**SECURITY-1330 / CVE-2019-1003035**

A missing permission check in a form validation method in Azure VM Agents Plugin allowed users with Overall/Read access to verify a submitted configuration, obtaining limited information about the Azure account and configuration.

Additionally, this form validation method did not require POST requests, resulting in a potential CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

**Missing permission check in Azure VM Agents Plugin allowed modifying VM configuration**

**SECURITY-1331 / CVE-2019-1003036**

A missing permission check in an HTTP endpoint allowed users with Overall/Read access to attach a public IP address to an Azure VM in Azure VM Agents Plugin, making a virtual machine publicly accessible.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability with more limited impact, as the IP address would not be known.

This form validation method now requires POST requests and Overall/Administer permissions.

**Unprivileged users with Overall/Read access are able to enumerate credential IDs in Azure VM Agents Plugin**

**SECURITY-1332 / CVE-2019-1003037**

Azure VM Agents Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires Overall/Administer permission.

**Repository Connector Plugin stored password in plain text**

**SECURITY-958 / CVE-2019-1003038**

Repository Connector Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.

The plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

**AppDynamics Dashboard Plugin stored password in plain text**

**SECURITY-1087 / CVE-2019-1003039**

AppDynamics Dashboard Plugin stored username and password in its configuration unencrypted in jobs' `config.xml` files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

While masked from view using a password form field, the password was transferred in plain text to users when accessing the job configuration form.

AppDynamics Dashboard Plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

**Rabbit-MQ Publisher Plugin stored password in plain text**

**SECURITY-848**

Rabbit-MQ Publisher Plugin stored the username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.

The plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

**Missing permission check allowed connecting to RabbitMQ in Rabbit-MQ Publisher Plugin**

**SECURITY-970**

A missing permission check in a form validation method of Rabbit-MQ Publisher Plugin allowed users with Overall/Read access to have Jenkins initiate a RabbitMQ connection to an attacker-specified host and port with an attacker-specified username and password.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

**OSF Builder Suite For Salesforce Commerce Cloud :: Deploy Plugin stored password in plain text**

**SECURITY-1038**

OSF Builder Suite For Salesforce Commerce Cloud : : Deploy Plugin stored the HTTP proxy username and password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.

The plugin now integrates with Credentials Plugin to store the HTTP proxy credentials.

**SSRF and data modification vulnerability due to missing permission check in Bitbar Run-in-Cloud**

**SECURITY-1088**

A missing permission check in a method performing both form validation and saving new configuration in Bitbar Run-in-Cloud Plugin allowed users with Overall/Read permission to have Jenkins connect to an attacker-specified host with attacker-specified credentials, and, if successful, save that as the new configuration for the plugin. This could then potentially result in future builds submitting their data to an unauthorized remote server.

Additionally, this method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

**Severity**

*   SECURITY-848: Low
*   SECURITY-958: Low
*   SECURITY-970: Medium
*   SECURITY-1038: Low
*   SECURITY-1087: Medium
*   SECURITY-1088: Medium
*   SECURITY-1330: Medium
*   SECURITY-1331: Medium
*   SECURITY-1332: Medium
*   SECURITY-1336 (1): High
*   SECURITY-1336 (2): High
*   SECURITY-1338: High
*   SECURITY-1339: High
*   SECURITY-1340: High
*   SECURITY-1342: High

**Affected Versions**

*   **AppDynamics Dashboard Plugin** up to and including 1.0.14
*   **Azure VM Agents Plugin** up to and including 0.8.0
*   **Bitbar Run-in-Cloud Plugin** up to and including 2.69.1
*   **Email Extension Plugin** up to and including 2.64
*   **Groovy Plugin** up to and including 2.1
*   **Job DSL Plugin** up to and including 1.71
*   **Matrix Project Plugin** up to and including 1.13
*   **OSF Builder Suite For Salesforce Commerce Cloud :: Deploy Plugin** up to and including 1.0.10
*   **Pipeline: Groovy Plugin** up to and including 2.63
*   **Rabbit-MQ Publisher Plugin** up to and including 1.0
*   **Repository Connector Plugin** up to and including 1.2.4
*   **Script Security Plugin** up to and including 1.53

**Fix**

*   **AppDynamics Dashboard Plugin** should be updated to version 1.0.15
*   **Azure VM Agents Plugin** should be updated to version 0.8.1
*   **Bitbar Run-in-Cloud Plugin** should be updated to version 2.70.0
*   **Email Extension Plugin** should be updated to version 2.65
*   **Groovy Plugin** should be updated to version 2.2
*   **Job DSL Plugin** should be updated to version 1.72
*   **Matrix Project Plugin** should be updated to version 1.14
*   **OSF Builder Suite For Salesforce Commerce Cloud :: Deploy Plugin** should be updated to version 1.0.11
*   **Pipeline: Groovy Plugin** should be updated to version 2.64
*   **Rabbit-MQ Publisher Plugin** should be updated to version 1.2.0
*   **Repository Connector Plugin** should be updated to version 1.2.5
*   **Script Security Plugin** should be updated to version 1.54

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-970, SECURITY-1332
*   **Georgy Noseevich (@webpentest), SolidLab** for SECURITY-1336 (1), SECURITY-1336 (2)
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1330, SECURITY-1331
*   **Viktor Gazdag** for SECURITY-848, SECURITY-958, SECURITY-1038, SECURITY-1087, SECURITY-1088

Tag

#csrf