Description
A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older, in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly. Attackers able to control the file names of uploaded files can define file names containing JavaScript, which would be executed in another user's browser when that user performs some UI actions.
Remediation
References
https://jenkins.io/security/advisory/2018-04-16/