PT-2020-15388 · Jenkins · Jenkins Fitnesse Plugin
Federico Pellegrin
·
Published
2020-04-07
·
Updated
2023-11-02
·
CVE-2020-2175
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins FitNesse Plugin versions 1.31 and earlier
Description
This is a stored cross-site scripting (XSS) vulnerability. The plugin does not escape report contents before rendering them on the Jenkins UI, so markup embedded in the FitNesse results is emitted as live HTML in the browser of anyone who views the report. It is exploitable by users who can control the XML input files processed by the plugin (for example, by controlling the FitNesse test output a job consumes).
Recommendations
For Jenkins FitNesse Plugin versions 1.31 and earlier, update to version 1.32 or later, which escapes content from XML input files before rendering it on the Jenkins UI.
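The following is an added illustration of the bug class described above, not code from the FitNesse plugin or from its 1.32 fix. It parses a constructed FitNesse-style results document (the element names are an assumption for illustration, not a statement of the real FitNesse schema) and renders one report row two ways: the vulnerable way, where the parsed text is concatenated straight into HTML, and the hardened way, where every value from the XML is escaped first. The point worth noticing is that the attacker's payload is XML-escaped on the wire (`&lt;img ...&gt;`); the XML parser decodes it back to a raw `<img>` tag, so the report looks harmless in the file and only becomes markup at render time.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class FitNesseReportEscaping {

    // Constructed sample input (not a real FitNesse artifact): a results document as a user who
    // controls the plugin's XML input could supply it. Element names are assumed for illustration.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<testResults>\n" +
        "  <result>\n" +
        "    <relativePageName>LoginTests</relativePageName>\n" +
        "    <counts><right>3</right><wrong>0</wrong></counts>\n" +
        "  </result>\n" +
        "  <result>\n" +
        "    <relativePageName>&lt;img src=x onerror=alert(document.domain)&gt;</relativePageName>\n" +
        "    <counts><right>0</right><wrong>1</wrong></counts>\n" +
        "  </result>\n" +
        "</testResults>\n";

    /** Escapes the characters that can change meaning inside HTML element content or attributes. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: report text dropped straight into the markup. */
    static String renderRowUnescaped(String page, String right, String wrong) {
        return "<tr><td>" + page + "</td><td>" + right + "</td><td>" + wrong + "</td></tr>";
    }

    /** Hardened pattern: every value taken from the XML is escaped before it reaches the markup. */
    static String renderRowEscaped(String page, String right, String wrong) {
        return "<tr><td>" + escapeHtml(page) + "</td><td>" + escapeHtml(right)
             + "</td><td>" + escapeHtml(wrong) + "</td></tr>";
    }

    /** Parses untrusted XML with DTDs disabled, since the input is attacker-controlled. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Returns the text of the first descendant element with the given tag, or "" if absent. */
    static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(SAMPLE_XML);
        NodeList results = doc.getElementsByTagName("result");
        for (int i = 0; i < results.getLength(); i++) {
            Element r = (Element) results.item(i);
            String page = text(r, "relativePageName");   // decoded: contains a literal <img ...> tag
            String right = text(r, "right");
            String wrong = text(r, "wrong");
            System.out.println("unescaped: " + renderRowUnescaped(page, right, wrong));
            System.out.println("escaped:   " + renderRowEscaped(page, right, wrong));
        }
    }
}
```

For the second result the unescaped row contains a live `<img src=x onerror=...>` element, while the escaped row contains `&lt;img src=x onerror=alert(document.domain)&gt;` and renders as text. In a real Jenkins plugin the escaping is normally left to the Jelly view: `${...}` expressions are HTML-escaped by default, whereas `<j:out value="..."/>` emits raw markup and is the usual place this class of bug hides. Also worth remembering is that fixing the view does not clean up results already stored on the controller from earlier builds; those remain as they were written and are rendered safely only because the new view escapes them.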
Fix
XSS
Affected Products
Jenkins
Jenkins Fitnesse Plugin