PT-2019-11736 · CloudBees · CloudBees CD Plugin

Daniel Beck · Published 2019-06-11 · Updated 2023-10-25 · CVE-2019-10336

CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins ElectricFlow Plugin version 1.1.6 and earlier; CloudBees CD Plugin (affected versions not specified)

Description: A reflected cross-site scripting issue allows attackers to inject arbitrary HTML and JavaScript into job configuration forms that contain post-build steps provided by the plugin. Exploitation requires that the attacker be able to control the output of the APIs of the ElectricFlow servers the plugin is connected to. The issue affects the configuration forms of various post-build steps contributed by the CloudBees CD Plugin.

Recommendations: For Jenkins ElectricFlow Plugin version 1.1.6 and earlier, update to a version that no longer interprets HTML/JavaScript in responses from ElectricFlow server APIs on job configuration forms. For CloudBees CD Plugin, ensure the plugin no longer interprets HTML/JavaScript in responses from ElectricFlow server APIs on job configuration forms.

Fix

XSS

Related Identifiers

CVE-2019-10336
GHSA-W3PJ-V9JR-V2WC

Affected Products

CloudBees CD Plugin
Jenkins
Jenkins ElectricFlow Plugin