CVE-2024-23898

HIGH Year: 2024
CVSS v3 Score
8.8
High
Weakness Type
CWE-346
View all →

Vulnerability Description

Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.

Related Vulnerabilities

CVE-2017-8793

HIGH
CVSS:8.8(High)

An issue was discovered on Accellion FTA devices before FTA_9_12_180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the d...

CWE-3462017

CVE-2018-6654

HIGH
CVSS:8.8(High)

The Grammarly extension before 2018-02-02 for Chrome allows remote attackers to discover authentication tokens via an 'action: "user"' request to iframe.gr_-ifr, because the exposure of these tokens i...

CWE-3462018

CVE-2020-11069

HIGH
CVSS:8.8(High)

In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can b...

CWE-3462020

CVE-2020-1408

HIGH
CVSS:8.8(High)

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'.

CWE-3462020

CVE-2020-24772

HIGH
CVSS:8.8(High)

In Dreamacro Clash for Windows v0.11.4, an attacker could embed a malicious iframe in a website with a crafted URL that would launch the Clash Windows client and force it to open a remote SMB share. W...

CWE-3462020

CVE-2021-31718

HIGH
CVSS:8.8(High)

The server in npupnp before 4.1.4 is affected by DNS rebinding in the embedded web server (including UPnP SOAP and GENA endpoints), leading to remote code execution.

CWE-3462021