An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tajdxLWNtZjMtbWc3aM4AAnOV

Stored XSS vulnerability in Jenkins on new item page

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

As of the publication of this advisory, the Jenkins security team is not aware of any plugins published via the Jenkins project update center that allow doing this.
Jenkins 2.275, LTS 2.263.2 escapes display names and IDs of item types shown on the New Item page.

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 7 months ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-mj7q-cmf3-mg7h, CVE-2021-21611
References: Repository:
Blast Radius: 1.0

Affected Packages

Affected Version Ranges: >= 2.264, <= 2.274, <= 2.263.1
Fixed in: 2.275, 2.263.2