Quentin Parra

**Name of the Vulnerable Software and Affected Versions** Jenkins EasyQA Plugin version 1.0 and earlier **Description** A cross-site request forgery (CSRF) issue allows attackers to connect to an attacker-specified HTTP server. **Recommendations** For Jenkins EasyQA Plugin version 1.0 and earlier, update to a version later than 1.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins EasyQA Plugin versions 1.0 and earlier **Description** A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. The form validation method is also vulnerable to cross-site request forgery (CSRF) as it does not require POST requests. **Recommendations** For Jenkins EasyQA Plugin versions 1.0 and earlier: At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the plugin's form validation method to minimize the risk of exploitation. Additionally, restrict the `Overall/Read` permission to prevent attackers from connecting to an attacker-specified HTTP server.

**Name of the Vulnerable Software and Affected Versions** Jenkins incapptic connect uploader Plugin versions 1.15 and earlier **Description** The issue allows tokens to be stored unencrypted in job config.xml files on the Jenkins controller. These tokens can be viewed by users with Extended Read permission or those who have access to the Jenkins controller file system. **Recommendations** For Jenkins incapptic connect uploader Plugin versions 1.15 and earlier, update to a version later than 1.15 to resolve the issue.