Description

A persisted cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier in BadgeSummaryAction.java, HtmlBadgeAction.java that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Remediation

References

https://jenkins.io/security/advisory/2018-06-25/#SECURITY-906

Related Vulnerabilities

CVE-2019-12418 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2019-10451 Vulnerability in maven package com.soasta.jenkins:cloudtest

CVE-2018-18282 Vulnerability in npm package next

CVE-2021-41184 Vulnerability in maven package org.webjars.bower:jquery-ui

CVE-2020-15777 Vulnerability in maven package com.gradle:gradle-enterprise-maven-extension

Severity

Medium

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory