Wastasy

Name of the Vulnerable Software and Affected Versions: SpagoBI versions prior to 4.1 Description: The issue is related to a privilege escalation error in the AdapterHTTP script. Recommendations: For versions prior to 4.1, update to version 4.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SpagoBI versions prior to 4.1 **Description** The issue allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension to the Worksheet designer, and then accessing it via a direct request. This is related to an unrestricted file upload vulnerability. **Recommendations** For versions prior to 4.1, update to version 4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Worksheet designer to minimize the risk of exploitation. Avoid allowing uploads of files with executable extensions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SpagoBI versions prior to 4.1 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote authenticated users to inject arbitrary web script or HTML via the Description field in the "Short document metadata." **Recommendations** For versions prior to 4.1, update to version 4.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** JAMon versions 2.7 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `listenertype` or `currentlistener` parameter to "mondetail.jsp" or the `ArraySQL` parameter to "mondetail.jsp", "jamonadmin.jsp", "sql.jsp", or "exceptions.jsp". **Recommendations** For JAMon versions 2.7 and earlier, as a temporary workaround, consider restricting access to the vulnerable parameters `listenertype`, `currentlistener`, and `ArraySQL` in the affected API endpoints until a patch is available. Avoid using these parameters in the "mondetail.jsp", "jamonadmin.jsp", "sql.jsp", or "exceptions.jsp" endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins version 1.523 **Description** A cross-site scripting (XSS) issue exists in the default markup formatter, allowing remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration. **Recommendations** For Jenkins version 1.523, consider disabling the default markup formatter in the user configuration as a temporary workaround until a patch is available. Restrict access to the Description field to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Plugin for SonarQube versions 3.7 and earlier **Description** The issue allows remote authenticated users to obtain sensitive information, specifically cleartext passwords, by reading the value in the `sonarPassword` parameter from the jenkins/configure page. **Recommendations** For Jenkins Plugin for SonarQube versions 3.7 and earlier, consider restricting access to the jenkins/configure page to minimize the risk of exploitation. Avoid using the `sonarPassword` parameter in the affected configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.