Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14Zzc3LXhxaHEtY3Jwcs4AAjcK
Stored XSS vulnerability in Code Coverage API Plugin
Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view.
This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the job configuration.
Code Coverage API Plugin 1.1.3 escapes the filename of the coverage report used in its view.
Permalink: https://github.com/advisories/GHSA-xg77-xqhq-crprJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14Zzc3LXhxaHEtY3Jwcs4AAjcK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-xg77-xqhq-crpr, CVE-2020-2106
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2106
- https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1680
- http://www.openwall.com/lists/oss-security/2020/01/29/1
- https://github.com/jenkinsci/code-coverage-api-plugin/commit/24921da6d625c4deb259049446dc2b45b1da4603
- https://github.com/advisories/GHSA-xg77-xqhq-crpr
Blast Radius: 1.0
Affected Packages
maven:io.jenkins.plugins:code-coverage-api
Affected Version Ranges: <= 1.1.2Fixed in: 1.1.3