Description

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu.

Remediation

References

CVE-2023-35141

Related Vulnerabilities

WordPress Plugin Seed Social Cross-Site Scripting (2.0.3)

phpMyAdmin 7PK - Security Features Vulnerability (CVE-2016-9865)

Plone CMS Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2015-7293)

YetiForce CRM Improper Input Validation Vulnerability (CVE-2021-4117)

ownCloud Improper Authentication Vulnerability (CVE-2014-9043)

Severity

High

Classification

CVE-2023-35141 CWE-352 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities