GHSA-2pc2-h97h-2mmw

Suggest an improvement
Source
https://github.com/advisories/GHSA-2pc2-h97h-2mmw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-2pc2-h97h-2mmw/GHSA-2pc2-h97h-2mmw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2pc2-h97h-2mmw
Aliases
  • CVE-2024-28160
Published
2024-03-06T18:30:39Z
Modified
2024-11-07T19:23:21.546526Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
  • 6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Jenkins iceScrum Plugin vulnerable to stored Cross-site Scripting
Details

Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

Database specific 
{
    "nvd_published_at": "2024-03-06T17:15:11Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-06T20:13:56Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:icescrum

Package

Name
org.jenkins-ci.plugins:icescrum
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/icescrum

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.1.6

Affected versions

1.*

1.0
1.0.1
1.0.2
1.0.3
1.0.5.7
1.0.5.8
1.0.5.9
1.0.5.10
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6