Description
A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older, in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly. An attacker who can control the names of uploaded files can define file names containing JavaScript, which is then executed in another user's browser when that user performs some UI actions.
Remediation
References
https://jenkins.io/security/advisory/2018-04-16/