GHSA-3xjq-8j89-xrw9

Source
https://github.com/advisories/GHSA-3xjq-8j89-xrw9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3xjq-8j89-xrw9/GHSA-3xjq-8j89-xrw9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3xjq-8j89-xrw9
Aliases
Published
2022-05-14T03:05:27Z
Modified
2024-02-16T08:21:34.361766Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Jenkins Badge Plugin cross-site scripting vulnerability
Details

A persisted (stored) cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier, in BadgeSummaryAction.java and HtmlBadgeAction.java, that allows attackers able to control build badge content to define JavaScript that is executed in another user's browser when that user performs certain UI actions. Badge Plugin 1.5 and newer sanitizes the provided HTML before displaying it on the Jenkins web UI.

Database specific
{
    "nvd_published_at": "2018-06-26T17:29:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-12T16:32:16Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:badge

Package

Name
org.jenkins-ci.plugins:badge
Purl
pkg:maven/org.jenkins-ci.plugins/badge

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.5

Affected versions

1.*

1.0
1.1
1.2
1.3
1.4

Database specific

{
    "last_known_affected_version_range": "<= 1.4"
}