Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mdndoLXd2NDMtOHFqNc4AAl8d

Stored XSS vulnerability in Validating String Parameter Plugin

Validating String Parameter Plugin 2.4 and earlier does not escape regular expressions in tooltips. Additionally, Validating String Parameter Plugin 2.4 does not escape parameter names and parameter descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Validating String Parameter Plugin 2.5 escapes regular expressions in tooltips and parameter names. Parameter descriptions are rendered using the configured markup formatter.

Permalink: https://github.com/advisories/GHSA-fvwh-wv43-8qj5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mdndoLXd2NDMtOHFqNc4AAl8d
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 12 months ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Identifiers: GHSA-fvwh-wv43-8qj5, CVE-2020-2257
References: Repository: https://github.com/jenkinsci/validating-string-parameter-plugin
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:validating-string-parameter
Affected Version Ranges: <= 2.4
Fixed in: 2.5