Red Hat Security Advisory 2023-3642-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, denial of service, information leakage, spoofing, and traversal vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat Ceph Storage 6.1 Container security and bug fix update  
Advisory ID:       RHSA-2023:3642-01  
Product:           Red Hat Ceph Storage  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3642  
Issue date:        2023-06-15  
CVE Names:         CVE-2021-42581 CVE-2022-1650 CVE-2022-1705  
                   CVE-2022-2880 CVE-2022-21680 CVE-2022-21681  
                   CVE-2022-24675 CVE-2022-24785 CVE-2022-26148  
                   CVE-2022-27664 CVE-2022-28131 CVE-2022-28327  
                   CVE-2022-29526 CVE-2022-30629 CVE-2022-30630  
                   CVE-2022-30631 CVE-2022-30632 CVE-2022-30633  
                   CVE-2022-30635 CVE-2022-31097 CVE-2022-31107  
                   CVE-2022-31123 CVE-2022-31130 CVE-2022-32148  
                   CVE-2022-32189 CVE-2022-32190 CVE-2022-35957  
                   CVE-2022-39201 CVE-2022-39229 CVE-2022-39306  
                   CVE-2022-39307 CVE-2022-39324 CVE-2022-41715  
                   CVE-2022-41912  
====================================================================  
1. Summary:

A new container image for Red Hat Ceph Storage 6.1 is now available in the  
Red Hat Ecosystem Catalog.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Ceph Storage is a scalable, open, software-defined storage platform  
that combines the most stable version of the Ceph storage system with a  
Ceph management platform, deployment utilities, and support services.

This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat  
Enterprise Linux 9.

Security Fix(es):

* crewjam/saml: Authentication bypass when processing SAML responses  
containing multiple Assertion elements (CVE-2022-41912)

* eventsource: Exposure of Sensitive Information (CVE-2022-1650)

* grafana: stored XSS vulnerability (CVE-2022-31097)

* grafana: OAuth account takeover (CVE-2022-31107)

* ramda: prototype poisoning (CVE-2021-42581)

* golang: net/http: improper sanitization of Transfer-Encoding header  
(CVE-2022-1705)

* golang: net/http/httputil: ReverseProxy should not forward unparseable  
query parameters (CVE-2022-2880)

* marked: regular expression block.def may lead Denial of Service  
(CVE-2022-21680)

* marked: regular expression inline.reflinkSearch may lead Denial of  
Service (CVE-2022-21681)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* Moment.js: Path traversal  in moment.locale (CVE-2022-24785)

* grafana: An information leak issue was discovered in Grafana through  
7.3.4, when integrated with Zabbix (CVE-2022-26148)

* golang: net/http: handle server errors after sending GOAWAY  
(CVE-2022-27664)

* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

* golang: crypto/elliptic: panic caused by oversized scalar  
(CVE-2022-28327)

* golang: syscall: faccessat checks wrong group (CVE-2022-29526)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

* grafana: plugin signature bypass (CVE-2022-31123)

* grafana: data source and plugin proxy endpoints leaking authentication  
tokens to some destination plugins (CVE-2022-31130)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit  
X-Forwarded-For not working (CVE-2022-32148)

* golang: net/url: JoinPath does not strip relative path components in all  
circumstances (CVE-2022-32190)

* grafana: Escalation from admin to server admin when auth proxy is used  
(CVE-2022-35957)

* grafana: Data source and plugin proxy endpoints could leak the  
authentication cookie to some destination plugins (CVE-2022-39201)

* grafana: using email as a username can block other users from signing in  
(CVE-2022-39229)

* grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)

* grafana: User enumeration via forget password (CVE-2022-39307)

* grafana: Spoofing of the originalUrl parameter of snapshots  
(CVE-2022-39324)

* golang: regexp/syntax: limit memory used by parsing regexps  
(CVE-2022-41715)

* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

* golang: math/big: decoding big.Float and big.Rat types can panic if the  
encoded message is too short, potentially allowing a denial of service  
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Space precludes documenting all of these changes in this advisory. Users  
are directed to the Red Hat Ceph Storage Release Notes for information on  
the most significant of these changes:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/index

All users of Red Hat Ceph Storage are advised to pull these new images from  
the Red Hat Ecosystem catalog, which provides numerous enhancements and bug  
fixes.

3. Solution:

For details on how to apply this update, see Upgrade a Red Hat Ceph Storage  
cluster using cephadm in the Red Hat Storage Ceph Upgrade  
Guide.(https://access.redhat.com/documentation/en-us/red_hat_ceph_storage)

4. Bugs fixed (https://bugzilla.redhat.com/):

2066563 - CVE-2022-26148 grafana: An information leak issue was discovered in Grafana through 7.3.4, when integrated with Zabbix  
2072009 - CVE-2022-24785 Moment.js: Path traversal  in moment.locale  
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar  
2082705 - CVE-2022-21680 marked: regular expression block.def may lead Denial of Service  
2082706 - CVE-2022-21681 marked: regular expression inline.reflinkSearch may lead Denial of Service  
2083778 - CVE-2021-42581 ramda: prototype poisoning  
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group  
2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2104365 - CVE-2022-31097 grafana: stored XSS vulnerability  
2104367 - CVE-2022-31107 grafana: OAuth account takeover  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode  
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip  
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal  
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service  
2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances  
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY  
2125514 - CVE-2022-35957 grafana: Escalation from admin to server admin when auth proxy is used  
2131146 - CVE-2022-31130 grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins  
2131147 - CVE-2022-31123 grafana: plugin signature bypass  
2131148 - CVE-2022-39201 grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins  
2131149 - CVE-2022-39229 grafana: using email as a username can block other users from signing in  
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters  
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps  
2138014 - CVE-2022-39306 grafana: email addresses and usernames cannot be trusted  
2138015 - CVE-2022-39307 grafana: User enumeration via forget password  
2148252 - CVE-2022-39324 grafana: Spoofing of the originalUrl parameter of snapshots  
2149181 - CVE-2022-41912 crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements  
2168965 - [cee/sd][rook-ceph]cephfs-top utility is not available under rook-ceph-oprator/tools pod  
2174461 - add dbus-daemon binary - required for NFS in ODF 4.13  
2174462 - add ceph-exporter pkg to RHCS 6.1 image  
2186142 - [RHCS 6.1] [Deployment] Cephadm bootstrap failing with default image.

5. References:

https://access.redhat.com/security/cve/CVE-2021-42581  
https://access.redhat.com/security/cve/CVE-2022-1650  
https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-2880  
https://access.redhat.com/security/cve/CVE-2022-21680  
https://access.redhat.com/security/cve/CVE-2022-21681  
https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-24785  
https://access.redhat.com/security/cve/CVE-2022-26148  
https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/cve/CVE-2022-28131  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/cve/CVE-2022-29526  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-30633  
https://access.redhat.com/security/cve/CVE-2022-30635  
https://access.redhat.com/security/cve/CVE-2022-31097  
https://access.redhat.com/security/cve/CVE-2022-31107  
https://access.redhat.com/security/cve/CVE-2022-31123  
https://access.redhat.com/security/cve/CVE-2022-31130  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/cve/CVE-2022-32189  
https://access.redhat.com/security/cve/CVE-2022-32190  
https://access.redhat.com/security/cve/CVE-2022-35957  
https://access.redhat.com/security/cve/CVE-2022-39201  
https://access.redhat.com/security/cve/CVE-2022-39229  
https://access.redhat.com/security/cve/CVE-2022-39306  
https://access.redhat.com/security/cve/CVE-2022-39307  
https://access.redhat.com/security/cve/CVE-2022-39324  
https://access.redhat.com/security/cve/CVE-2022-41715  
https://access.redhat.com/security/cve/CVE-2022-41912  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZItdBNzjgjWX9erEAQiyZRAAmhxyXh2kCdMDgFSpVxuovk1ZU2IgC+f9  
pl9fvoynyr8YD0AqysHrvrEt+l5djJ4BPwslreRYB/b46WAy34/80Tm2C9jmAeMV  
BuEYd6iAzjIQB+DgN3CPsuhXs5FIFAfntzJ0/z4RyA9dDwDDGjwsKyc79aCMOStf  
FQZLZ4Muz9i9zUDNDHcwBhDo2CsYxEU80i6ANA65aGqmZ/31XhU7mWU0r/k6vTH6  
gwOpRfKp+UqSLUfmpuQ7jlMpJC5UGyIgenksBs/b+e2CQCgVaBnGj466XlfnUllr  
O6L5yb/xAdSgcrgg07Df8dutunO1lbMRavAgF1P2lQeZ1QVdS0NnB4fUG0C2c0NC  
1cgqb20358d21rJkskb+DXtu8cV2hWrGUBZonAO2dy1wI1BjSqEDAeeMH89E/q3j  
gjg/zvmuoc22++ZmyNjgvLc5iAcBxhNw8TibkIBW3HYHqXAiVJ2hkO7So6QYpRpv  
PbxKcdTGBHw08vvS2zuEEqwYVOe0c5eMxIyQuZoC6KY8ACVXK/75kRj/WPaG4QEs  
KbhJhfmN6uFq2DmRlTGaUbWQSQoXnu7VDVanluvWCklKtc/aNL7/mnsy73l/l/I3  
lZCM8EOH09za1ehL6xpjcTntBQHjba1gnmO8nmg0ZwxEYbvsmF8ruAOHqroQiZbo  
Bj8F2NJYnjY=lgpj  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3642-01

Red Hat Security Advisory 2023-3623-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. These new packages include numerous enhancements and bug fixes. Issues addressed include cross site scripting and denial of service vulnerabilities.

Red Hat Security Advisory 2023-3623-01

Red Hat Security Advisory 2023-3610-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, memory exhaustion, and resource exhaustion vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: jenkins and jenkins-2-plugins security update  
Advisory ID:       RHSA-2023:3610-01  
Product:           OpenShift Developer Tools and Services  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3610  
Issue date:        2023-06-15  
CVE Names:         CVE-2021-46877 CVE-2022-29599 CVE-2022-30953  
                   CVE-2022-30954 CVE-2022-40149 CVE-2022-40150  
                   CVE-2022-41723 CVE-2022-45693 CVE-2023-1370  
                   CVE-2023-20860 CVE-2023-20861 CVE-2023-24422  
                   CVE-2023-32977 CVE-2023-32981  
====================================================================  
1. Summary:

An update for jenkins and jenkins-2-plugins is now available for OpenShift  
Developer Tools and Services for OCP 4.12.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8 - noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of  
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* maven-shared-utils: Command injection via Commandline class  
(CVE-2022-29599)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart  
(Resource Exhaustion) (CVE-2023-1370)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern  
(CVE-2023-20860)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script  
Security Plugin (CVE-2023-24422)

* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job  
Plugin (CVE-2023-32977)

* jackson-databind: Possible DoS if using JDK serialization to serialize  
JsonNode (CVE-2021-46877)

* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

* Jenkins plugin: missing permission checks in Blue Ocean Plugin  
(CVE-2022-30954)

* jettison: parser crash by stackoverflow (CVE-2022-40149)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK  
decoding (CVE-2022-41723)

* jettison:  If the value in map is the map's self, the new new  
JSONObject(map) cause StackOverflowError which may lead to dos  
(CVE-2022-45693)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write  
vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)

* jettison: memory exhaustion via user-supplied XML or JSON data  
(CVE-2022-40150)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2066479 - CVE-2022-29599 maven-shared-utils: Command injection via Commandline class  
2119646 - CVE-2022-30953 Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin  
2119647 - CVE-2022-30954 Jenkins plugin: missing permission checks in Blue Ocean Plugin  
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data  
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow  
2155970 - CVE-2022-45693 jettison:  If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos  
2164278 - CVE-2023-24422 jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin  
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding  
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern  
2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability  
2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode  
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)  
2207830 - CVE-2023-32977 jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin  
2207835 - CVE-2023-32981 jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin

6. Package List:

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8:

Source:  
jenkins-2-plugins-4.12.1686649756-1.el8.src.rpm  
jenkins-2.401.1.1686649641-3.el8.src.rpm

noarch:  
jenkins-2-plugins-4.12.1686649756-1.el8.noarch.rpm  
jenkins-2.401.1.1686649641-3.el8.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-46877  
https://access.redhat.com/security/cve/CVE-2022-29599  
https://access.redhat.com/security/cve/CVE-2022-30953  
https://access.redhat.com/security/cve/CVE-2022-30954  
https://access.redhat.com/security/cve/CVE-2022-40149  
https://access.redhat.com/security/cve/CVE-2022-40150  
https://access.redhat.com/security/cve/CVE-2022-41723  
https://access.redhat.com/security/cve/CVE-2022-45693  
https://access.redhat.com/security/cve/CVE-2023-1370  
https://access.redhat.com/security/cve/CVE-2023-20860  
https://access.redhat.com/security/cve/CVE-2023-20861  
https://access.redhat.com/security/cve/CVE-2023-24422  
https://access.redhat.com/security/cve/CVE-2023-32977  
https://access.redhat.com/security/cve/CVE-2023-32981  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZIpfuNzjgjWX9erEAQgVTQ//RoKN2zjvmL/IsBBSk3Uxfv/mrixVhb1v  
kCZY6rPODxDExQ65zcu1cjvM6jTICDmqIBkZCLlVMrQC/zNTM9QnwGeF/tstuUEO  
Rz1jTC0N/8pPBHHQ6ngA/P4YX+X7nSwxDmE8oB9wPRBqMGdzNTQtyrELZ5tfUei/  
pc1r71HcdJUih416Wj4qm5T7zyTvEdgyXUFHoOpkUHOOPx93b5l+iI8ZfSEnfmFW  
+3zck15+ffNZPnWLMkVXcwpq356e0jJUriZdpgDtS6pqfiLP/VxAZ3A7aPEtyJ2g  
SGolsN44ie/JbTLWNNe7xNTlgz8yBttn6TxekspUqxeoZxBPbFuzRJCmolp8VXJl  
jSwSiSL2uJ2HujNQLORfMndDgKy0cC/npnhHSOI8aXHtFdo69Qhlc0zAiY4951hS  
6zwKeTQoY0Q6JgmaDqkgDM5bvR1L5T3KuLYEDmEuJz3hhS9j/1BBXJsgP2bLgG7q  
9gYhxr8rpmGno9za+zqUqSP4qkfFgFmTaGz2frf8udaHo2GcSq8xkw/vi5N/QfwL  
MwAGzFX09P+YzMBFspBA1BxOYKdc0fnCUni18AzwnBXweAoi/hEsUpX/OUuV2xJj  
7qwXyzxFXu5XNOOYAkn2S85OCACAI+EqPuv4QeQmJaQVXm2bHiDZyehcOveSR0Fp  
2N2NeKUt0Tg=j0+7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3610-01

The Teamlead Reminder plugin through 2.6.5 for Jira allows persistent XSS via the message parameter.

Overview

Reviews

Pricing

Support

Versions

Installation

**Be sure everything is organized and accounted for. Resource management will be simplified**

**Focus on the necessary things at the right time**

It's easy to lose sight of essential tasks and responsibilities. However, this is unlikely to happen with Reminder. Create reminders for yourself and others to stay focused and organized.

**Get reminded of crucial tasks at the right time**

Whether it's a conversation with a client or a presentation for work, be assured you'll never miss an important meeting again. Just set a task reminder and it will come via email. Don't miss a single detail.

**Easily manage your team**

The important deadlines will never be forgotten by your employees again. When everyone knows what they need to do and when, teamwork runs smoothly.

**More details**

Reminder for Jira add-on built by Teamlead, Atlassian Gold Marketplace Partner.

👉 Get a free demo

Key highlights:

*   Create the email-reminders on any issue for yourself and your colleagues (if you are granted the relevant rights). You can create personal or group reminders.
*   Manage the reminders you created and the reminders created for you in the convenient section, use a special gadget to browse your upcoming reminders on a dashboard.
*   As a Jira Administrator, manage all reminders in one place.
*   If you need to do something repeatedly just set the periodicity while creating a reminder.
*   Create reminders for parent-child issues in one place: you can set reminders for all subtasks from their parent issue and vice versa. The list of reminders inside the issue helps you not to miss a single one.

Compatible with Next-gen projects.

Compatible with Calendar for Jira!

Try our other apps: HelpDesk, CRM, Epic Timesheets.

**Privacy and security**

**Privacy policy**

Atlassian's privacy policy is not applicable to the use of this app. Please refer to the privacy policy provided by this app's partner.

Partner privacy policy

**Security**

This app is part of the Marketplace Bug Bounty Program. Learn more

This partner has completed the Security Self-Assessment Program. The program will be deprecated in August 2023 and replaced with the Privacy & Security tab. Learn more

We've introduced a new Privacy and Security tab that will provide detailed information on privacy, security, data handling, and compliance practices followed by this app.

**Resources**

*   Descriptor
*   Version history
*   Documentation
*   EULA

**Integration Details**

Reminder for Jira - Follow Up Issues integrates with your Atlassian product. This remote service can:

*   Administer the host application
*   Administer Jira projects
*   Delete data from the host application
*   Write data to the host application

**Gallery**

Browse your reminders within the Calendar for Jira app by Teamlead.

CVE-2023-30453: Reminder for Jira - Follow Up Issues | Atlassian Marketplace

The ke_search (aka Faceted Search) extension before 4.0.3, 4.1.x through 4.6.x before 4.6.6, and 5.x before 5.0.2 for TYPO3 allows XSS via indexed data.

**ke\_search (aka Faceted Search) vulnerable to Cross-Site Scripting**

Moderate severity GitHub Reviewed Published Jun 16, 2023 to the GitHub Advisory Database • Updated Jun 16, 2023

GHSA-f4m6-x2xj-jc7w: ke_search (aka Faceted Search) vulnerable to Cross-Site Scripting

Tue. 13th June, 2023

It has been discovered that the extension "Faceted Search" (ke\_search) is susceptible to Cross-Site Scripting.

*   Release Date: June 13, 2023
*   Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
*   Component: "Faceted Search" (ke\_search)
*   Composer Package Name: tpwd/ke\_search
*   Vulnerability Type: Cross-Site Scripting
*   Affected Versions: 4.0.2 and below, 4.1.0 - 4.6.5,  5.0.0 - 5.0.1
*   Severity: Medium
*   Suggested CVSS: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
*   References: not assigned yet, CWE-79

**Problem Description**

The extension fails to properly encode user input in indexed data for output in HTML context.

**Solution**

An updated versions 4.0.3, 4.6.6 and 5.0.2 are available from the TYPO3 extension manager, packagist and at   
https://extensions.typo3.org/extension/download/ke\_search/4.0.3/zip  
https://extensions.typo3.org/extension/download/ke\_search/4.6.6/zip  
https://extensions.typo3.org/extension/download/ke\_search/5.0.2/zip  
Users of the extension are advised to update the extension as soon as possible.

**Credits**

Thanks to Security Team Member Torben Hansen for reporting the vulnerability and to Christian Bülter for providing updated versions of the extension.

**General Advice**

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

CVE-2023-35783: Cross-Site Scripting in extension "Faceted Search" (ke_search)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in nicolly WP No External Links plugin <= 1.0.2 versions.

**Solution**

No fix 

No patched version is available. Reported to the WordPress plugins team (on Feb 10, 2023).

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP No External Links Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-26537: WordPress WP No External Links plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPIndeed Debug Assistant plugin <= 1.4 versions.

**Solution**

Fixed 

Update the WordPress Debug Assistant plugin to the latest available version (at least 1.5).

Prasanna V Balaji discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Debug Assistant Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.5.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-26527: WordPress Debug Assistant plugin <= 1.4 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in psicosi448 wp2syslog plugin <= 1.0.5 versions.

**Solution**

No fix 

No patched version is available. Reported to the WordPress plugins team (on Feb 21, 2023).

Prasanna V Balaji discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress wp2syslog Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-25974: WordPress wp2syslog plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

Cross-site Scripting (XSS) - DOM in GitHub repository saleor/react-storefront prior to c29aab226f07ca980cc19787dcef101e11b83ef7.

Expand Up @@ -40,8 +40,6 @@ function LoginPage() { } \= useForm<LoginFormData\>({ defaultValues });  
const routerQueryNext \= router.query.next?.toString() || ""; const isExternalUrl \= /^\\w+:\\/\\//.test(routerQueryNext); const redirectURL \= !routerQueryNext || isExternalUrl ? paths.$url() : routerQueryNext;  
const handleLogin \= handleSubmitForm(async (formData: LoginFormData) \=> { const { data } \= await signIn({ Expand All @@ -54,6 +52,9 @@ function LoginPage() { return; }  
const redirectURL \= (routerQueryNext && new URL(routerQueryNext, window.location.toString()).pathname) || paths.$url(); void router.push(redirectURL); });  
Expand Down

Tag

#xss