| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| An authentication bypass exists in Arcserve UDP prior to version 9.2. An unauthenticated, remote attacker can obtain a valid authentication identifier that allows them to authenticate to the management console and perform tasks that require authentication. |
| Arcserve UDP prior to 9.2 contained a vulnerability in the com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface. A routine exists that allows an attacker to upload and execute arbitrary files. |
|
Sensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller's default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages.
This issue affects: Gallagher Controller 6000 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), v8.60 or earlier.
|
|
The BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| Denial-of-service (DoS) vulnerability exists in FTP service of HMI GC-A2 series. If a remote unauthenticated attacker sends a specially crafted packets to specific ports, a denial-of-service (DoS) condition may occur. |
| The vulnerability allows an unprivileged(untrusted) third-party application to interact with a content-provider unsafely exposed by the Android Agent application, potentially modifying sensitive settings of the Android Client application itself. |
| Cross-Site Request Forgery (CSRF) vulnerability in Laposta - Roel Bousardt Laposta Signup Basic plugin <= 1.4.1 versions. |
| Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Avirtum iFolders plugin <= 1.5.0 versions. |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Christoph Rado Cookie Notice & Consent plugin <= 1.6.0 versions. |
| A missing permission check in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to Frugal Testing using attacker-specified credentials. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username. |
| Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted. |
| Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability. |
| Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to clear the SQS queue. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers to clear the SQS queue. |
| A missing permission check in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins. |
| Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents. |
| Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules. |
| Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload. |
