A cross-site request forgery (CSRF) vulnerability in Jenkins ThreadFix Plugin 1.5.4 and earlier allows attackers to connect to an attacker-specified URL.

CVE-2022-34209: Jenkins Security Advisory 2022-06-22

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.

CVE-2022-34180: Jenkins Security Advisory 2022-06-22

Jenkins Embeddable Build Status Plugin 2.0.3 allows specifying a 'link' query parameter that build status badges will link to, without restricting possible values, resulting in a reflected cross-site scripting (XSS) vulnerability.

CVE-2022-34178: Jenkins Security Advisory 2022-06-22

Jenkins Agent Server Parameter Plugin 1.1 and earlier does not escape the name and description of Agent Server parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34183: Jenkins Security Advisory 2022-06-22

A cross-site request forgery (CSRF) vulnerability in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers to connect to an attacker-specified URL.

CVE-2022-34207: Jenkins Security Advisory 2022-06-22

A missing permission check in Jenkins EasyQA Plugin 1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

CVE-2022-34204: Jenkins Security Advisory 2022-06-22

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a `style` query parameter that is used to choose a different SVG image style without restricting possible values, resulting in a relative path traversal vulnerability that allows attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system.

CVE-2022-34179: Jenkins Security Advisory 2022-06-22

Jfinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via the attrVal parameter at /jfinal_cms/system/dict/list.

**Vulnerability Analysis**

The vulnerability appears in lines 23-28 of the **com.jflyfox.system.dict.DictController.java**

The **attrVal** parameter is the **attr.dict\_type** parameter passed from the front end  
So you can construct payload to exploit this vulnerability

**Exploit**

Maven Startup Environment  
Vulnerability address: /jfinal\_cms/system/dict/list  
Administrator login is required. The default account password is admin:admin123

Injection parameters: **attr.dict\_type**

payload：' OR (SELECT 2896 FROM(SELECT COUNT(*),CONCAT(0x717a7a6271efbd9e,(SELECT (ELT(2896=2896,user()))),0xefbd9e7162707a7131,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--+

Sqlmap:

CVE-2022-33114: SQL injection vulnerability exists in JFinal CMS 5.1.0 · Issue #38 · jflyfox/jfinal_cms

Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.

**Package**

maven org.apache.sling:org.apache.sling.api (Maven)

**Affected versions**

<= 2.25.0

maven org.apache.sling:org.apache.sling.commons.log (Maven)

GHSA-qmx3-m648-hr74: Log Injection in Apache Sling Commons Log and Apache Sling API

JForum v2.8.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via http://target_host:port/jforum-2.8.0/jforum.page, which allows attackers to arbitrarily add admin accounts.

**New and changed features in JForum 2.8.1**

Information about upgrading from JForum version 2.8.0 to 2.8.1 can be found at Upgrading to JForum 2.8.1

**New Features and fixes**

*   fixed CSRF vulnerability
*   more control over image attachments from _Configurations_ page
*   various font and background colors can be configured from the _Configurations_ page
*   optimize _Recent Topics_ and _Hot Topics_ for large installations
*   fixed issue where the _last visited time_ on the forum home page was not actually reflecting that, but the time of the last session start
*   switch Google Analytics integration from analytics.js to gtag.js

**Libraries**

*   updated Apache Lucene from 8.10.1 to 8.11.1
*   updated Apache PDFBox from 2.0.24 to 2.0.26
*   updated EventBus from 3.2.0 to 3.3.1
*   updated JDOM2 from 2.0.6 to 2.0.6.1
*   updated JSoup from 1.14.3 to 1.15.1
*   updated Microsoft SQLServer driver from 9.4.0 to 10.2.1
*   updated MySQL driver from 8.0.27 to 8.0.29
*   updated Oracle driver from 21.3.0.0 to 21.5.0.0
*   updated PrettyTime from 5.0.2 to 5.0.3
*   updated PostgreSQL driver from 42.3.1 to 42.3.6
*   updated slf4j from 1.7.32 to 1.7.36
*   added YAUAA 7.1.0 (instead of pieroxy) for user agent detection
*   updated several Maven plugins

**New Configurations**

Entry name

Default value

Description

attachments.images.thumb.hover.show

false

Whether to show the full-sized image as a popup when hovering over an image thumbnail. This causes all images to be downloaded in full size - which may not be wanted.

color.orange

#ffa34f

Orange font color

color.darkblue

#01336b

Dark blue font color

color.lightgray

#dee3e7

Light gray background color

color.verylight

#fafafa

Very light background color

color.quitelight

#f7f7f7

Quite light background color

**Database Schema**

These indexes speed up operations on large JForum installation, but are optional.

CREATE INDEX idx\_topics\_views ON jforum\_topics(topic\_views);  
CREATE INDEX idx\_topics\_replies ON jforum\_topics(topic\_replies);

Tag

#maven