Description

A persisted cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier in BadgeSummaryAction.java, HtmlBadgeAction.java that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Remediation

References

https://jenkins.io/security/advisory/2018-06-25/#SECURITY-906

Related Vulnerabilities

CVE-2019-17557 Vulnerability in maven package org.apache.syncope:syncope-client

CVE-2023-40582 Vulnerability in npm package find-exec

CVE-2014-3623 Vulnerability in maven package org.apache.wss4j:wss4j-ws-security-dom

CVE-2019-10430 Vulnerability in maven package io.jenkins.plugins:neuvector-vulnerability-scanner

CVE-2017-8439 Vulnerability in npm package kibana

Severity

Medium

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory