CVE-2024-28156 |
Description: Jenkins Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape Build Monitor View names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure Build Monitor Views.
EPSS Score: 0.05%
February 14th, 2025 (5 months ago)
|
CVE-2024-28155 |
Description: Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names.
EPSS Score: 0.05%
February 14th, 2025 (5 months ago)
|
CVE-2024-28154 |
Description: Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default.
EPSS Score: 0.06%
February 14th, 2025 (5 months ago)
|
CVE-2024-28153 |
Description: Jenkins OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports, resulting in a stored cross-site scripting (XSS) vulnerability.
EPSS Score: 0.05%
February 14th, 2025 (5 months ago)
|
CVE-2024-28152 |
Description: In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.
EPSS Score: 0.04%
February 14th, 2025 (5 months ago)
|
CVE-2024-28151 |
Description: Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller, allowing attackers with Item/Configure permission to determine whether a path on the Jenkins controller file system exists, without being able to access it.
EPSS Score: 0.04%
February 14th, 2025 (5 months ago)
|
CVE-2024-28150 |
Description: Jenkins HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
EPSS Score: 0.04%
February 14th, 2025 (5 months ago)
|
CVE-2024-28147 |
Description: An authenticated user can upload arbitrary files in the upload function for collection preview images. An attacker may upload an HTML file that includes malicious JavaScript code which will be executed if a user visits the direct URL of the collection preview image (Stored Cross Site Scripting). It is also possible to upload SVG files that include nested XML entities. Those are parsed when a user visits the direct URL of the collection preview image, which may be utilized for a Denial of Service attack.
This issue affects edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19.
EPSS Score: 0.04%
February 14th, 2025 (5 months ago)
|
CVE-2024-28130 |
Description: An incorrect type conversion vulnerability exists in the DVPSSoftcopyVOI_PList::createFromImage functionality of OFFIS DCMTK 3.6.8. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVSS: HIGH (7.5) EPSS Score: 0.04%
February 14th, 2025 (5 months ago)
|
CVE-2024-28121 |
Description: stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions, more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex, a websocket message of the following shape is sent: `\"target\":\"[class_name]#[method_name]\",\"args\":[]`. The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments. This is problematic as `reflex.method method_name` can be more methods than those explicitly specified by the developer in their reflex class. A good example is the `instance_variable_set` method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should see the backing GHSA advisory for mitigation advice.
CVSS: HIGH (8.8) EPSS Score: 0.04%
February 14th, 2025 (5 months ago)
|