A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller.

In Apache Airflow, the `origin` parameter passed to endpoints like `/trigger` is vulnerable to XSS.

A flaw was found in the Ansible Engine when using `module_args`. Tasks executed with check mode (`--check-mode`) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.

A buffer overflow exists in the Brotli library where an attacker controlling the input length of a `one-shot` decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB.

Jenkins Blue Ocean Plugin provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system.

An issue was discovered in `LemonLDAP::NG` when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI.

Jenkins Health Advisor by CloudBees Plugin does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint.

An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.

A missing permission check in Jenkins ElasTest Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

When using the `StreamGenerator`, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.

A cross-site request forgery (CSRF) vulnerability in Jenkins ElasTest allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

Jenkins Selection tasks Plugin 1.0 executes a user-specified program on the Jenkins controller, allowing attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as.

Jenkins Storable Configs Plugin allows users with Job/Read permission to read arbitrary files on the Jenkins controller.

Jenkins Storable Configs Plugin does not restrict the user-specified file name, allowing attackers with Job/Configure permission to replace any other '.xml' file on the Jenkins controller with a job `config.xml` file's content.

A missing permission check in Jenkins Blue Ocean Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Jenkins Locked Files Report Plugin does not escape locked files' names in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Jenkins Copy data to workspace Plugin does not limit which directories can be copied from the Jenkins controller to job workspaces, allowing attackers with Job/Configure permission to read arbitrary files on the Jenkins controller.

Jenkins Coverage/Complexity Scatter Plot Plugin does not escape the method information in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.

A missing permission check in Jenkins Perfecto Plugin allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials.

Jenkins ElasTest Plugin stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

A missing permission check in Jenkins MongoDB Plugin allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller.

Jenkins Perfecto Plugin executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller

When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.

A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory, aka 'Microsoft Browser Memory Corruption Vulnerability'.

node-fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-1057, CVE-2020-1172.

A spoofing vulnerability manifests in Microsoft `Xamarin.Forms` due to the default settings on Android WebView , aka 'Xamarin.Forms Spoofing Vulnerability'.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-1057, CVE-2020-1180.

ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrarily file on a remote server via GET request encode parameter.

Jenkins ClearCase Release Plugin does not escape the composite baseline in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to `RMIConnectorServer`, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html

Jenkins computer-queue-plugin Plugin does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Jenkins Description Column Plugin does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Jenkins Validating String Parameter Plugin does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite.

Jenkins chosen-views-tabbar Plugin does not escape view names in the dropdown to select views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views.

Jenkins Custom Job Icon Plugin does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

The package bestzip is vulnerable to Command Injection via the options `param`.

In Action View there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in `_html`, the default string is incorrectly marked as HTML-safe and not escaped.

Jenkins Radiator View Plugin does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-1172, CVE-2020-1180.

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

A Lucky timing side channel in `mbedtls_ssl_decrypt_buf` in `library/ssl_msg.c` in Trusted Firmware Mbed TLS allows an attacker to recover secret key information. This affects CBC mode because of a computed time difference based on a padding length.

GNOME project libxml2 has a global Buffer Overflow vulnerability in `xmlEncodeEntitiesInternal` at `libxml2/entities.c`. The issue has been fixed in commit `8e7c20a1` (20910-GITv2.9.10-103-g8e7c20a1).

xxl-job allows Information Disclosure of username, model, and password via `job/admin/controller/UserController.java.`

The package grunt is vulnerable to Arbitrary Code Execution due to the default usage of the function `load()` instead of its secure replacement `safeLoad()` of the package js-yaml inside `grunt.file.readYAML`.

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

In Symfony before versions 4\.

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

GNOME project libxml2 has a global Buffer Overflow vulnerability in `xmlEncodeEntitiesInternal` at `libxml2/entities.c`. The issue has been fixed in commit `8e7c20a1` (20910-GITv2.9.10-103-g8e7c20a1).

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

An issue was discovered in Django (when Python + is used). `FILE_UPLOAD_DIRECTORY_PERMISSIONS` mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the `collectstatic` management command.

An issue was discovered in Django (when Python + is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than `0o077`.

Apache ActiveMQ uses `LocateRegistry.createRegistry()` to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ

The Advanced Reports module for SilverStripe is vulnerable to Cross-Site Scripting (XSS) because it is possible to inject and store malicious JavaScript code. This affects `admin/advanced-reports/DataObjectReport/EditForm/field/DataObjectReport/item` (report preview) when an SVG document is provided in the `Description` parameter.

Apache ActiveMQ uses `LocateRegistry.createRegistry()` to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ

apollo-adminservice does not implement access controls. If users expose apollo-adminservice to internet(which is not recommended), there are potential security issues since apollo-adminservice is designed to work in intranet and it does not have access control built-in. Malicious hackers may access apollo-adminservice apis directly to `access/edit` the application's configurations. To fix the potential issue without upgrading, simply follow the advice that do not expose apollo-adminservice to internet.

Dolibarr allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because `.pht` and `.phar` files can be uploaded. Also, an `.htaccess` file can be uploaded to reconfigure access control (e.g., to let `.noexe` files be executed as PHP code to defeat the `.noexe` protection mechanism).

Apache ActiveMQ uses `LocateRegistry.createRegistry()` to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ

apollo-adminservice does not implement access controls. If users expose apollo-adminservice to internet(which is not recommended), there are potential security issues since apollo-adminservice is designed to work in intranet and it does not have access control built-in. Malicious hackers may access apollo-adminservice apis directly to `access/edit` the application's configurations. To fix the potential issue without upgrading, simply follow the advice that do not expose apollo-adminservice to internet.

Apache ActiveMQ uses `LocateRegistry.createRegistry()` to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ