#xss

Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability.

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu.

Jenkins Template Workflows Plugin 41.v32d86a_313b_4a and earlier does not escape names of jobs used as buildings blocks for Template Workflow Job, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create jobs.

Jenkins Checkmarx Plugin 2022.4.3 and earlier disables SSL/TLS validation for connections to the Checkmarx server by default.

A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

A security flaw has been uncovered in the WooCommerce Stripe Gateway WordPress plugin that could lead to the unauthorized disclosure of sensitive information. The flaw, tracked as CVE-2023-34000, impacts versions 7.4.0 and below. It was addressed by the plugin maintainers in version 7.4.1, which shipped on May 30, 2023. WooCommerce Stripe Gateway allows e-commerce websites to directly accept

Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin <= 7.4.0 versions.

本ブログは、Microsoft mitigates set of cross-site scripting (XSS) vulnerabilities in Azure Bastion and Azure Container Registryの抄訳版です。最新の情報は原

Summary Summary Microsoft recently mitigated a set of cross-site scripting vulnerabilities affecting Azure Bastion and Azure Container Registry (ACR). Exploitation of these vulnerabilities could have potentially allowed for an unauthorized user to gain access to a target user’s session within the compromised Azure service, and subsequently lead to data tampering or resource modification.

Summary Summary Microsoft recently mitigated a set of cross-site scripting vulnerabilities affecting Azure Bastion and Azure Container Registry (ACR). Exploitation of these vulnerabilities could have potentially allowed for an unauthorized user to gain access to a target user’s session within the compromised Azure service, and subsequently lead to data tampering or resource modification.