PT-2018-9459 · Jenkins · Jenkins Badge Plugin+1

Published

2018-06-26

Updated

2022-05-14

CVE-2018-1000604

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Badge Plugin versions 1.4 and earlier

Description A persisted cross-site scripting issue exists in the Jenkins Badge Plugin, specifically in BadgeSummaryAction.java and HtmlBadgeAction.java, allowing attackers who can control build badge content to define JavaScript that would be executed in another user's browser when that user performs certain UI actions.

Recommendations For Jenkins Badge Plugin versions 1.4 and earlier, update to version 1.5 or newer, which sanitizes the provided HTML for display on the Jenkins web UI.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2018-1000604

GHSA-3XJQ-8J89-XRW9

Affected Products

Jenkins

Jenkins Badge Plugin

PT-2018-9459 · Jenkins · Jenkins Badge Plugin+1

CVE-2018-1000604

Weakness Enumeration

Related Identifiers

Affected Products

References · 6