PT-2020-15313 · Jenkins · Jenkins Code Coverage Api Plugin
Federico Pellegrin
·
Published
2020-01-29
·
Updated
2023-11-02
·
CVE-2020-2106
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Code Coverage API Plugin versions 1.1.2 and earlier
Description
Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report when rendering it in the plugin's view. Because the filename is taken from the job configuration, a user with permission to change job configurations (Job/Configure) can store a filename containing HTML or script that is then executed in the browser of anyone who views the coverage report page. This is a stored cross-site scripting (XSS) vulnerability.
Recommendations
For Jenkins Code Coverage API Plugin versions 1.1.2 and earlier, update to version 1.1.3 or later, which properly escapes the filename of the coverage report used in its view.
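As an added check (not part of this advisory and not the plugin's own code), the script below decides whether an installed Code Coverage API Plugin falls in the affected range. It parses the JSON that Jenkins returns from `/pluginManager/api/json?depth=1`, looks up the plugin by its short name `code-coverage-api`, and compares the installed version against the fixed version 1.1.3 numerically rather than as a string, so that e.g. 1.1.10 is correctly treated as newer than 1.1.3. The embedded plugin list is a constructed sample; on a real instance you would fetch it with an API token, e.g. `curl -u user:token https://jenkins.example/pluginManager/api/json?depth=1` (host and credentials are placeholders).

```python
import json
import re

# Fixed version named in the advisory: Code Coverage API Plugin 1.1.3.
FIXED_VERSION = "1.1.3"
# Short name of the plugin as listed by the Jenkins plugin manager.
PLUGIN_SHORT_NAME = "code-coverage-api"

# Constructed sample shaped like /pluginManager/api/json?depth=1 output;
# only the fields used below are included.
SAMPLE_PLUGIN_LIST = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "4.2.2", "active": True},
        {"shortName": "code-coverage-api", "version": "1.1.2", "active": True},
    ]
})


def parse_version(version):
    """Turn '1.1.2' (or '1.1.3-beta') into a tuple of ints for comparison.

    Non-numeric suffixes are dropped, so a pre-release compares as its base
    version. That is sufficient for the plain x.y.z versions this plugin uses.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """Versions strictly below the fixed version are affected."""
    return parse_version(version) < parse_version(fixed)


def check_plugin_list(plugin_json):
    """Return (installed_version, vulnerable) for the Code Coverage API
    plugin, or (None, False) if the plugin is not installed."""
    for plugin in json.loads(plugin_json).get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = plugin["version"]
            return version, is_vulnerable(version)
    return None, False


if __name__ == "__main__":
    installed, vulnerable = check_plugin_list(SAMPLE_PLUGIN_LIST)
    if installed is None:
        print(f"{PLUGIN_SHORT_NAME} is not installed")
    elif vulnerable:
        print(f"{PLUGIN_SHORT_NAME} {installed} is affected by CVE-2020-2106; "
              f"update to {FIXED_VERSION} or later")
    else:
        print(f"{PLUGIN_SHORT_NAME} {installed} is not affected")
```

The numeric comparison matters because a naive string comparison would rank "1.1.10" below "1.1.3" and report a patched instance as vulnerable.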
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Code Coverage Api Plugin