Description

A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions.

Remediation

References

https://jenkins.io/security/advisory/2018-04-16/

Related Vulnerabilities

CVE-2022-25205 Vulnerability in maven package org.jenkins-ci.plugins:dbcharts

CVE-2011-2732 Vulnerability in maven package org.springframework.security:spring-security-core

CVE-2016-3088 Vulnerability in maven package org.apache.activemq:apache-activemq

CVE-2023-49803 Vulnerability in npm package @koa/cors

CVE-2022-27202 Vulnerability in maven package org.jenkins-ci.plugins:extended-choice-parameter

Severity

Medium

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory