Son Nguyen

**Name of the Vulnerable Software and Affected Versions** OPEXUS eCASE Audit versions prior to 11.14.2.0 **Description** OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the “A or SIC Number” field within the Project Setup functionality. This JavaScript is executed when another user views the project. The affected field is used for project setup and allows for the storage of malicious code. The `A or SIC Number` field is the entry point for this issue. **Recommendations** Upgrade to OPEXUS eCASE Audit version 11.14.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** OPEXUS eCASE versions prior to 11.14.1.0 **Description** OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. This JavaScript is executed when another user views the Action History Log. The issue is a stored cross-site scripting (XSS) condition. The vulnerable functionality is related to the Document Check Out feature and the ability to add comments. **Recommendations** Update OPEXUS eCASE to version 11.14.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** OPEXUS eCASE Audit versions prior to 11.14.1.0 **Description** An authenticated attacker can modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. The issue involves incorrect access control. **Recommendations** Update to eCASE Platform version 11.14.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** OPEXUS eCASE Audit versions prior to 11.14.2.0 **Description** OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the `Estimated Staff Hours` field. This JavaScript is then executed when another user accesses the Project Cost tab. This is a stored cross-site scripting issue. **Recommendations** Update OPEXUS eCASE Audit to version 11.14.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ADManager Plus versions prior to 7203 **Description** The issue is related to inadequate access control in the Zoho ManageEngine ADManager Plus software, which can be exploited by a remote attacker to gain unauthorized access to protected information. Specifically, it allows Help Desk Technician users to read arbitrary files on the machine where the product is installed, and admin users can download any file from the server machine via directory traversal. **Recommendations** For versions prior to 7203, update to version 7203 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories on the server machine to minimize the risk of exploitation. Additionally, limit the privileges of Help Desk Technician users to prevent them from reading arbitrary files.

**Name of the Vulnerable Software and Affected Versions** Jenkins CollabNet Plugins Plugin versions 2.0.8 and earlier **Description** The issue concerns the storage of a RabbitMQ password in an unencrypted form within the global configuration file on the Jenkins controller. This allows users with access to the Jenkins controller file system to view the password. **Recommendations** For Jenkins CollabNet Plugins Plugin versions 2.0.8 and earlier, update to a version later than 2.0.8 to resolve the issue. As a temporary workaround, consider restricting access to the Jenkins controller file system to minimize the risk of password exposure.

**Name of the Vulnerable Software and Affected Versions** Jenkins Request Rename Or Delete Plugin versions 1.1.0 and earlier **Description** The issue arises from an incorrect permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view an administrative configuration page that lists pending requests. **Recommendations** For Jenkins Request Rename Or Delete Plugin versions 1.1.0 and earlier, consider restricting access to the administrative configuration page until a patch is available. As a temporary workaround, review and limit the Overall/Read permissions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins RQM Plugin versions 2.8 and earlier **Description** The issue concerns the storage of a password in an unencrypted form within the global configuration file on the Jenkins controller. Specifically, the password is stored in the `net.praqma.jenkins.rqm.RqmBuilder.xml` file. This unencrypted password can be accessed by users who have permission to view the Jenkins controller file system. **Recommendations** For Jenkins RQM Plugin versions 2.8 and earlier, consider updating to a version that properly encrypts passwords in the global configuration file to prevent unauthorized access. As a temporary workaround, restrict access to the Jenkins controller file system to minimize the risk of the unencrypted password being viewed by unauthorized users.

**Name of the Vulnerable Software and Affected Versions** Jenkins OpsGenie Plugin versions 1.9 and earlier **Description** The issue concerns the storage of API keys in an unencrypted manner within the global configuration file and job config.xml files on the Jenkins controller. These keys can be accessed by users with Extended Read permission for job config.xml files or by those with access to the Jenkins controller file system. The API keys are also transmitted in plain text as part of configuration forms. This could potentially allow unauthorized access to sensitive information. **Recommendations** For Jenkins OpsGenie Plugin versions 1.9 and earlier, as a temporary workaround, consider restricting access to the global configuration file `com.opsgenie.integration.jenkins.OpsGenieNotifier.xml` and job `config.xml` files to minimize the risk of exploitation. Additionally, limit the permissions of users with Item/Extended Read permission to reduce the attack surface. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins OpsGenie Plugin versions 1.9 and earlier **Description** The issue concerns the transmission and storage of API keys in plain text. Specifically, API keys are transmitted in plain text as part of the global Jenkins configuration form and job configuration forms, potentially resulting in their exposure. Additionally, these keys are stored unencrypted in the global configuration file `com.opsgenie.integration.jenkins.OpsGenieNotifier.xml` and in job `config.xml` files on the Jenkins controller. Users with Item/Extended Read permission or access to the Jenkins controller file system can view these API keys. **Recommendations** For Jenkins OpsGenie Plugin versions 1.9 and earlier, as a temporary workaround, consider restricting access to the global configuration file and job configuration files to minimize the risk of API key exposure. Avoid using the `com.opsgenie.integration.jenkins.OpsGenieNotifier.xml` and job `config.xml` files until a fix is available. Restrict access to the Jenkins controller file system to prevent unauthorized viewing of API keys. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Skype notifier Plugin versions 1.1.0 and earlier **Description** The issue concerns the storage of a password in an unencrypted form within the global configuration file on the Jenkins controller. This password is stored in the file `hudson.plugins.skype.im.transport.SkypePublisher.xml` as part of the plugin's configuration and can be accessed by users with file system access to the Jenkins controller. **Recommendations** For Jenkins Skype notifier Plugin versions 1.1.0 and earlier, consider removing or encrypting the stored password in the `hudson.plugins.skype.im.transport.SkypePublisher.xml` file to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins RQM Plugin versions 2.8 and earlier **Description** A missing check in the Jenkins RQM Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. This can be done through an HTTP endpoint that does not perform a permission check, potentially allowing attackers to use the enumerated credentials IDs as part of an attack to capture the credentials using another vulnerability. **Recommendations** For Jenkins RQM Plugin versions 2.8 and earlier, consider disabling the affected HTTP endpoint until a patch is available. Restrict access to the plugin to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins XPath Configuration Viewer Plugin versions 1.1.1 and earlier **Description** A missing permission check in the Jenkins XPath Configuration Viewer Plugin allows attackers with Overall/Read permission to access the XPath Configuration Viewer page. This page grants access to job configuration XML data to every user with Item/Read permission. The encrypted values of secrets stored in the job configuration are not redacted, as they would be by the config.xml API for users without Item/Configure permission. **Recommendations** For Jenkins XPath Configuration Viewer Plugin versions 1.1.1 and earlier, consider disabling access to the XPath Configuration Viewer page until a patch is available. Restrict access to the HTTP endpoint related to the XPath Configuration Viewer page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins instant-messaging Plugin versions 1.41 and earlier **Description** The issue allows passwords for group chats to be stored unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller. These passwords can be viewed by users with access to the Jenkins controller file system. **Recommendations** For versions 1.41 and earlier, update to a version that fixes the issue to prevent unencrypted storage of group chat passwords. As a temporary workaround, consider restricting access to the Jenkins controller file system to minimize the risk of password exposure.

**Name of the Vulnerable Software and Affected Versions** Jenkins dbCharts Plugin versions 0.5.2 and earlier **Description** The issue concerns the storage of JDBC connection passwords in the global configuration file on the Jenkins controller. These passwords are stored unencrypted and can be viewed by users with access to the Jenkins controller file system. The configuration file in question is `hudson.plugins.dbcharts.DbChartPublisher.xml`. This poses a risk as users with access to the file system can obtain the passwords. **Recommendations** For Jenkins dbCharts Plugin versions 0.5.2 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of password exposure until a fix is available. As a temporary workaround, limit user access to the `hudson.plugins.dbcharts.DbChartPublisher.xml` file to prevent unauthorized viewing of the unencrypted JDBC connection passwords.

**Name of the Vulnerable Software and Affected Versions** Jenkins global-build-stats Plugin versions 1.5 and earlier **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because multiple fields in the chart configuration on the 'Global Build Stats' page are not properly escaped. This vulnerability can be exploited by attackers who have Overall/Administer permission. **Recommendations** For Jenkins global-build-stats Plugin versions 1.5 and earlier, update to a version later than 1.5 to resolve the issue. As a temporary workaround, consider restricting access to the 'Global Build Stats' page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Bumblebee HP ALM Plugin versions 4.1.5 and earlier **Description** The issue concerns the storage of credentials in an unencrypted manner within the global configuration file on the Jenkins controller. Specifically, the credentials are stored in the `com.agiletestware.bumblebee.BumblebeeGlobalConfig.xml` file. Users with access to the Jenkins controller file system can view these credentials. It is noted that credentials are stored encrypted in version 4.1.6 once the configuration is saved again. **Recommendations** For Jenkins Bumblebee HP ALM Plugin versions 4.1.5 and earlier, update to version 4.1.6 or later to ensure credentials are stored encrypted. As a temporary workaround, consider restricting access to the Jenkins controller file system to minimize the risk of credential exposure.

**Name of the Vulnerable Software and Affected Versions** Mahara versions prior to 1.10.0 Mahara versions 15.04 before 15.04.0 **Description** The issue allows for possible cross-site scripting when dragging and dropping files into a collection if the file has Javascript code in its title. **Recommendations** For Mahara versions prior to 1.10.0, update to version 1.10.0 or later. For Mahara versions 15.04 before 15.04.0, update to version 15.04.0 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 15.04 through 15.04.7 Mahara versions 15.10 through 15.10.3 Mahara versions 16.04 through 16.04.1 **Description** The issue allows for PHP code execution. It occurs because Mahara passes portions of the XML through the PHP `unserialize()` function when importing a skin from an XML file. **Recommendations** For Mahara versions 15.04 through 15.04.7, update to version 15.04.8 or later. For Mahara versions 15.10 through 15.10.3, update to version 15.10.4 or later. For Mahara versions 16.04 through 16.04.1, update to version 16.04.2 or later.