exploitDog

GHSA-xj29-gfww-j67g

Published: 02 Apr 2023
Source: github
GitHub: reviewed
CVSS3: 8

Description

Jenkins JaCoCo Plugin vulnerable to Stored Cross-site Scripting

Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action. Version 3.3.2.1 escapes class and method names shown on the UI.

Packages

Name: org.jenkins-ci.plugins:jacoco
Ecosystem: maven
Affected versions: < 3.3.2.1
Fixed version: 3.3.2.1

EPSS

Percentile: 88%
Score: 0.03636
Low

CVSS3: 8 High

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 5.4
Source: nvd
almost 3 years ago

Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.
