Description

A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions.

Remediation

References

https://jenkins.io/security/advisory/2018-04-16/

Related Vulnerabilities

CVE-2023-28680 Vulnerability in maven package org.jenkins-ci.plugins:crap4j

CVE-2017-7661 Vulnerability in maven package org.apache.cxf.fediz:fediz-jetty8

CVE-2023-29524 Vulnerability in maven package org.xwiki.platform:xwiki-platform-scheduler-ui

CVE-2020-2258 Vulnerability in maven package org.jenkins-ci.plugins:cloudbees-jenkins-advisor

CVE-2018-17960 Vulnerability in npm package ckeditor

Severity

Medium

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory