GHSA-v3f3-rf6r-43x5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v3f3-rf6r-43x5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-v3f3-rf6r-43x5/GHSA-v3f3-rf6r-43x5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v3f3-rf6r-43x5
- Aliases
-
- CVE-2025-67641
- Published
- 2025-12-10T18:30:27Z
- Modified
- 2025-12-10T20:41:14.628430Z
- Severity
-
- 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Jenkins Coverage Plugin has a stored cross-site scripting (XSS) vulnerability
- Details
-
Jenkins Coverage Plugin 2.3054.ve1ff7baa123b and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a
javascript:scheme URL as identifier by configuring the job through the REST API, resulting in a stored cross-site scripting (XSS) vulnerability. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2025-12-10T20:16:07Z", "nvd_published_at": "2025-12-10T17:15:56Z", "severity": "HIGH", "cwe_ids": [ "CWE-79" ] }- References
Affected packages
Maven / io.jenkins.plugins:coverage
Package
- Name
- io.jenkins.plugins:coverage
- View open source insights on deps.dev
- Purl
- pkg:maven/io.jenkins.plugins/coverage
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.3056
Affected versions
1.*
1.0.0
1.1.0
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.8.0
1.9.0
1.10.0
1.11.0
1.11.1
1.12.0
1.13.0
1.14.0
1.15.0
1.16.0
1.16.1
2.*
2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.6.0
2.7.0
2.7.1
2.8.0
2.2873.v430507dfc44b_
2.2875.ve560756ff429
2.2879.v7434570a_8b_94
2.2901.v47e734811a_92
2.2912.v3dea_6a_4a_73f7
2.2933.v84e9b_19d9e6f
2.2941.v08df75b_767f1
2.2962.v6a_3557c95fd0
2.2977.v0e1c1d11042d
2.3026.ve83b_5d9dfb_c4
2.3036.v90d485b_810c6
2.3054.ve1ff7b_a_a_123b_