Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mdjRxLTRoMjQtMjNxcs4AAiCB
Jenkins Dashboard View Plugin vulnerable to Cross-site Scripting
Dashboard View Plugin did not escape the build description on the Latest Builds View. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the description of builds shown on that view.
Dashboard View Plugin now applies the configured markup formatter to the build description, rendering it as it appears elsewhere in Jenkins.
Permalink: https://github.com/advisories/GHSA-fv4q-4h24-23qr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mdjRxLTRoMjQtMjNxcs4AAiCB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 12 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS Percentage: 0.00054
EPSS Percentile: 0.23527
Identifiers: GHSA-fv4q-4h24-23qr, CVE-2019-10396
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10396
- https://jenkins.io/security/advisory/2019-09-12/#SECURITY-1489
- http://www.openwall.com/lists/oss-security/2019/09/12/2
- https://github.com/jenkinsci/dashboard-view-plugin/commit/115238da2a8899358b32ee14e7076df23747d6c9
- https://github.com/advisories/GHSA-fv4q-4h24-23qr
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:dashboard-view
Affected Version Ranges: < 2.12
Fixed in: 2.12