Description

A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions.

Remediation

References

https://jenkins.io/security/advisory/2018-04-16/

Related Vulnerabilities

CVE-2020-13947 Vulnerability in maven package org.apache.activemq:activemq-web-console

CVE-2023-30517 Vulnerability in maven package io.jenkins.plugins:neuvector-vulnerability-scanner

CVE-2022-22965 Vulnerability in maven package org.springframework.boot:spring-boot-starter-web

CVE-2023-31418 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2023-32007 Vulnerability in maven package org.apache.spark:spark-core_2.13

Severity

Medium

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory