PT-2020-15389 · Usemango · Usemango Runner Plugin

Wadeck Follonier · Published 2020-04-07 · Updated 2023-11-02 · CVE-2020-2176

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

useMango Runner Plugin versions 1.4 and earlier

Description

Multiple form validation endpoints in the useMango Runner Plugin do not escape values received from the useMango service. This results in a cross-site scripting (XSS) vulnerability that is exploitable by users who can control the values returned from the useMango service.

Recommendations

For useMango Runner Plugin versions 1.4 and earlier, update to version 1.5 or later, which escapes all values received from the useMango service in form validation messages. As a temporary workaround, consider restricting access to the form validation endpoints to minimize the risk of exploitation.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2020-2176
GHSA-5X89-75R7-8RJH

Affected Products

Jenkins
Usemango Runner Plugin