Description
A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older, in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly. Attackers able to control the names of uploaded files can define file names containing JavaScript, which would be executed in another user's browser when that user performs some UI actions.
Remediation
References
https://jenkins.io/security/advisory/2018-04-16/
Related Vulnerabilities
CVE-2020-16015 Vulnerability in npm package electron
CVE-2022-36899 Vulnerability in maven package com.compuware.jenkins:compuware-ispw-operations
CVE-2021-4178 Vulnerability in maven package io.fabric8:kubernetes-client
CVE-2016-3722 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2022-28154 Vulnerability in maven package org.jenkins-ci.plugins:covcomplplot