GHSA-w3pj-v9jr-v2wc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w3pj-v9jr-v2wc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w3pj-v9jr-v2wc/GHSA-w3pj-v9jr-v2wc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-w3pj-v9jr-v2wc
- Aliases
- Published
- 2022-05-24T16:47:43Z
- Modified
- 2024-02-16T08:24:42.779721Z
- Severity
-
- 4.7 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Jenkins ElectricFlow Plugin is vulnerable to reflected cross site scripting vulnerability
- Details
-
The configuration forms of various post-build steps contributed by CloudBees CD Plugin were vulnerable to cross-site scripting.
This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript into the configuration form.
CloudBees CD Plugin no longer interprets HTML/JavaScript in responses from ElectricFlow server APIs on job configuration forms.
- Database specific
{ "nvd_published_at": "2019-06-11T14:29:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-10-26T22:21:11Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-10336
- https://github.com/jenkinsci/electricflow-plugin/commit/4550f86e75e0927be644958ed088e4fa82c783b7
- https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1420
- https://web.archive.org/web/20200227033720/http://www.securityfocus.com/bid/108747
- http://www.openwall.com/lists/oss-security/2019/06/11/1
Affected packages
Maven / org.jenkins-ci.plugins:electricflow
Package
- Name
- org.jenkins-ci.plugins:electricflow
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/electricflow