Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0zODkyLXFxdjYtaDJxbc4AAWxK

Stored XSS vulnerability in Jenkins S3 Publisher Plugin

A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly. Attackers who are able to control the file names of uploaded files can define file names containing JavaScript that is executed in another user's browser when that user performs certain UI actions.

Permalink: https://github.com/advisories/GHSA-3892-qqv6-h2qm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zODkyLXFxdjYtaDJxbc4AAWxK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 3 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-3892-qqv6-h2qm, CVE-2018-1000177
References:
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:s3
Affected Version Ranges: <= 0.10.12
Fixed in: 0.11.0