GHSA-ghq2-m3pq-qf3p

Source

https://github.com/advisories/GHSA-ghq2-m3pq-qf3p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-ghq2-m3pq-qf3p/GHSA-ghq2-m3pq-qf3p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-ghq2-m3pq-qf3p

Aliases

CVE-2022-29037

Published

2022-04-13T00:00:18Z

Modified

2023-11-08T04:09:06.789109Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Stored XSS in Jenkins CVS Plugin

Details

Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Database specific

{
    "nvd_published_at": "2022-04-12T20:15:00Z",
    "github_reviewed_at": "2022-05-03T20:52:54Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:cvs

Package

Name: org.jenkins-ci.plugins:cvs; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/cvs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.19.1

Affected versions

1.*

1.4

1.5

1.6

2.*

2.0

2.1

2.2

2.3

2.4

2.5

2.6

2.7

2.8

2.9

2.10

2.11

2.12

2.13

2.14

2.15

2.16

2.17

2.18

2.19