Description

A persisted cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier in BadgeSummaryAction.java, HtmlBadgeAction.java that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Remediation

References

https://jenkins.io/security/advisory/2018-06-25/#SECURITY-906

Related Vulnerabilities

CVE-2021-29425 Vulnerability in maven package commons-io:commons-io

CVE-2019-10285 Vulnerability in maven package org.jenkins-ci.plugins:minio-storage

CVE-2019-10346 Vulnerability in maven package org.jenkins-ci.plugins:embeddable-build-status

CVE-2017-15691 Vulnerability in maven package org.apache.uima:uima-ducc-web

CVE-2023-30523 Vulnerability in maven package org.jenkins-ci.plugins:reportportal

Severity

Medium

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory