CVE-2019-10336

Опубликовано: 11 июн. 2019

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

A reflected cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.6 and earlier allowed attackers able to control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in job configuration forms containing post-build steps provided by this plugin.

Ссылки

http://www.openwall.com/lists/oss-security/2019/06/11/1
Mailing List
Third Party Advisory
http://www.securityfocus.com/bid/108747
https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1420
Vendor Advisory
http://www.openwall.com/lists/oss-security/2019/06/11/1
Mailing List
Third Party Advisory
http://www.securityfocus.com/bid/108747
https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1420
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jenkins:electricflow:*:*:*:*:*:jenkins:*:*

Версия до 1.1.6 (включая)

EPSS

Процентиль: 20%

0.00065

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-w3pj-v9jr-v2wc

CVSS3: 4.7

github

больше 3 лет назад

Jenkins ElectricFlow Plugin is vulnerable to reflected cross site scripting vulnerability