Description
Jenkins versions before 2.44 and 2.32.2 are vulnerable to persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
Remediation
References