Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jMmh3LXc5cW0tcTVyOc4AATYR
Cross-site Scripting in Jenkins Active Choices plugin
Jenkins Active Choices plugin version 1.5.3 and earlier allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the 'Build With Parameters' page through the 'Active Choices Reactive Reference Parameter' type. This could include, for example, arbitrary JavaScript. Active Choices now sanitizes the HTML inserted on the 'Build With Parameters' page if and only if the script is executed in a sandbox. As unsandboxed scripts are subject to administrator approval, it is up to the administrator to allow or disallow problematic script output.
Permalink: https://github.com/advisories/GHSA-c2hw-w9qm-q5r9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jMmh3LXc5cW0tcTVyOc4AATYR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-c2hw-w9qm-q5r9, CVE-2017-1000386
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000386
- https://jenkins.io/security/advisory/2017-10-23/
- http://www.securityfocus.com/bid/101538
- https://github.com/advisories/GHSA-c2hw-w9qm-q5r9
Affected Packages
maven:org.biouno:uno-choice
Affected Version Ranges: < 2.0Fixed in: 2.0