Description

A reflected cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.6 and earlier allowed attackers able to control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in job configuration forms containing post-build steps provided by this plugin.

Remediation

References

https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1420

http://www.openwall.com/lists/oss-security/2019/06/11/1

http://www.securityfocus.com/bid/108747

Related Vulnerabilities

CVE-2020-1954 Vulnerability in maven package org.apache.cxf:cxf-rt-management

CVE-2023-45137 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2022-24773 Vulnerability in npm package node-forge

CVE-2023-31066 Vulnerability in maven package org.apache.inlong:manager-service

CVE-2021-43306 Vulnerability in npm package jquery-validation

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory