Description

A persisted cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier in BadgeSummaryAction.java, HtmlBadgeAction.java that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Remediation

References

https://jenkins.io/security/advisory/2018-06-25/#SECURITY-906

Related Vulnerabilities

CVE-2018-1000151 Vulnerability in maven package org.jenkins-ci.plugins:vsphere-cloud

CVE-2019-14837 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2018-1999042 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2014-0094 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2021-41182 Vulnerability in npm package jquery-ui

Severity

Medium

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory