Said Abdesslem Messadi

**Name of the Vulnerable Software and Affected Versions** Jenkins Azure CLI Plugin versions 0.9 and earlier **Description** The Jenkins Azure CLI Plugin does not restrict the commands it executes on the Jenkins controller. This allows attackers with Item/Configure permission to execute arbitrary shell commands. The issue arises from a lack of command validation, enabling malicious actors to run commands on the Jenkins master node. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions:** Jenkins Applitools Eyes Plugin versions 1.16.5 and earlier **Description:** The Jenkins Applitools Eyes Plugin does not properly escape the Applitools URL displayed on the build page, leading to a stored cross-site scripting (XSS) issue. An attacker with Item/Configure permission can exploit this to inject malicious scripts. **Recommendations:** Update to a newer version of the Jenkins Applitools Eyes Plugin that addresses this issue.

**Name of the Vulnerable Software and Affected Versions:** Jenkins QMetry Test Management Plugin versions 1.13 and earlier **Description:** The Jenkins QMetry Test Management Plugin does not properly protect Qmetry Automation API Keys. These keys are stored unencrypted in job `config.xml` files on the Jenkins controller and are visible to users with Item/Extended Read permission or file system access. The job configuration form also displays these API keys without masking, potentially allowing attackers to observe and capture them. **Recommendations:** Versions prior to 1.13: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions:** Jenkins Applitools Eyes Plugin versions 1.16.5 and earlier **Description:** The Jenkins Applitools Eyes Plugin stores Applitools API keys unencrypted in `job config.xml` files on the Jenkins controller. Users with Item/Extended Read permission or access to the Jenkins controller file system can view these keys. **Recommendations:** For versions prior to 1.16.5, ensure that access to `job config.xml` files is restricted to authorized personnel only.

**Name of the Vulnerable Software and Affected Versions:** Jenkins Applitools Eyes Plugin versions 1.16.5 and earlier **Description:** The Jenkins Applitools Eyes Plugin does not mask Applitools API keys displayed on the job configuration form. This increases the potential for attackers to observe and capture these keys. **Recommendations:** Update to a newer version of the Jenkins Applitools Eyes Plugin.

Name of the Vulnerable Software and Affected Versions: Jenkins User1st uTester Plugin versions 1.1 and earlier Description: The Jenkins User1st uTester Plugin stores the uTester JWT (JSON Web Token) token unencrypted in its global configuration file on the Jenkins controller. This allows users with access to the Jenkins controller file system to view the token. Recommendations: Update Jenkins User1st uTester Plugin to a version later than 1.1.

**Name of the Vulnerable Software and Affected Versions** Jenkins Zoho QEngine Plugin versions 1.0.29.vfa cc23396502 and earlier **Description** The issue concerns the Jenkins Zoho QEngine Plugin, where the QEngine API Key form field is not masked, potentially allowing attackers to observe and capture it. **Recommendations** For Jenkins Zoho QEngine Plugin versions 1.0.29.vfa cc23396502 and earlier, consider masking the `QEngine API Key` form field to prevent potential attackers from observing and capturing it. At the moment, there is no information about a newer version that contains a fix for this vulnerability.