PT-2019-11735 · Jenkins · Jenkins ElectricFlow Plugin

Daniel Beck · Published 2019-06-11 · Updated 2023-10-25 · CVE-2019-10335

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins ElectricFlow Plugin version 1.1.5 and earlier

Description: A stored cross-site scripting (XSS) vulnerability allows attackers to inject arbitrary HTML and JavaScript into the plugin-provided output on build status pages. The plugin inserted build metadata and content received from the ElectricFlow API into the page without escaping it, so anyone who can influence those values controls markup that is rendered in the browser of every user who views the build page. Two attacker positions reach this sink: users with Job/Configure permission, who control the job configuration that ends up in the output, and attackers who control API responses from ElectricFlow (for example through a compromised or spoofed ElectricFlow server), who need no Jenkins permission at all beyond the connection the plugin is already configured to use.

Recommendations: For Jenkins ElectricFlow Plugin version 1.1.5 and earlier, update the plugin to a version that includes the security fix. The fixed plugin filters build metadata through an HTML markup formatter and properly escapes content received from ElectricFlow, so the remote system's responses are treated as untrusted data rather than as markup.
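The pattern behind this class of bug, and the two corrective strategies named in the recommendation, as an added example written for this page. It is not the ElectricFlow plugin's own code: the class ElectricFlowSummaryAction, its fields pipelineName and notes, and the method names are hypothetical stand-ins for a Jenkins Action that displays values taken from an ElectricFlow API response on a build page. hudson.Util.escape and Jenkins.get().getMarkupFormatter() are real Jenkins core APIs.

```java
// Added example, not the ElectricFlow plugin's code. Shows how unescaped
// ElectricFlow response fields become stored XSS on a build page, and the two
// escaping strategies a Jenkins plugin should use instead.
// Assumptions: a hypothetical SummaryAction that displays a pipeline name and a
// free-text notes field received from ElectricFlow (or set in job config).
import hudson.Util;
import hudson.model.Action;
import jenkins.model.Jenkins;

import java.io.IOException;

public class ElectricFlowSummaryAction implements Action {
    private final String pipelineName; // plain data received from ElectricFlow
    private final String notes;        // field that may legitimately carry limited HTML

    public ElectricFlowSummaryAction(String pipelineName, String notes) {
        this.pipelineName = pipelineName;
        this.notes = notes;
    }

    // VULNERABLE: raw concatenation. A value such as
    //   <img src=x onerror=alert(document.cookie)>
    // returned by ElectricFlow, or stored by a user with Job/Configure, is
    // parsed as markup when a Jelly view emits it unescaped with
    //   <j:out value="${it.summaryHtmlUnsafe}"/>
    // and the script runs with the session of whoever views the build page.
    public String getSummaryHtmlUnsafe() {
        return "<b>Pipeline:</b> " + pipelineName + "<br/>" + notes;
    }

    // FIXED, strategy 1: HTML-escape plain data at the output point.
    // Util.escape turns '<', '>', '&' and '"' into entities, so the payload is
    // displayed as text and never parsed as a tag.
    //
    // FIXED, strategy 2: fields meant to carry rich text go through the globally
    // configured markup formatter (for example Safe HTML), which allows a fixed
    // set of tags and strips scripts and event handlers instead of trusting the
    // remote system. This is the "filters build metadata through a HTML
    // formatter" part of the fix.
    public String getSummaryHtml() throws IOException {
        return "<b>Pipeline:</b> " + Util.escape(pipelineName) + "<br/>"
             + Jenkins.get().getMarkupFormatter().translate(notes);
    }

    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "ElectricFlow"; }
    @Override public String getUrlName() { return "electricflow"; }
}
```

Two review checks follow from this: in the plugin's Jelly views, prefer the auto-escaping `${...}` expression over `<j:out value="..."/>`, which emits raw HTML; and treat every string that crosses the ElectricFlow API boundary as untrusted, since the second attacker position in the description does not require any Jenkins permission.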

Tags: Fix, XSS

Related Identifiers
CVE-2019-10335
GHSA-FX9P-2QVX-PGJV

Affected Products
Jenkins
Jenkins ElectricFlow Plugin