Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mNnZ4LTNmcTYtaHhtOM4AAkKy

Stored XSS vulnerability in Jenkins FitNesse Plugin

Jenkins FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files processed by the plugin.

Jenkins FitNesse Plugin 1.32 escapes content from XML input files before rendering it on the Jenkins UI.

Permalink: https://github.com/advisories/GHSA-f6vx-3fq6-hxm8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNnZ4LTNmcTYtaHhtOM4AAkKy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00054
EPSS Percentile: 0.23527

Identifiers: GHSA-f6vx-3fq6-hxm8, CVE-2020-2175
References: Repository: https://github.com/jenkinsci/fitnesse-plugin
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:fitnesse
Affected Version Ranges: <= 1.31
Fixed in: 1.32