Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1mOWdmLTJxODctNW00NM4AAqqe

Stored XSS vulnerability in Jenkins Scriptler Plugin

Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.

Jenkins Scriptler Plugin 3.4 escapes the name of scripts on the UI when asking to confirm their deletion.

Permalink: https://github.com/advisories/GHSA-f9gf-2q87-5m44
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mOWdmLTJxODctNW00NM4AAqqe
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 5 months ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-f9gf-2q87-5m44, CVE-2021-21700
References:

• https://nvd.nist.gov/vuln/detail/CVE-2021-21700
• https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2406
• http://www.openwall.com/lists/oss-security/2021/11/12/1
• https://github.com/jenkinsci/scriptler-plugin/commit/7e4fa9b51f37714decca30a35dd81e41f72aec93
• https://github.com/advisories/GHSA-f9gf-2q87-5m44

Repository: https://github.com/jenkinsci/scriptler-plugin
Blast Radius: 1.0

Affected Packages