PT-2020-15420 · Jenkins · Jenkins Vncrecorder Plugin+1
Wadeck Follonier
·
Published
2020-07-02
·
Updated
2023-11-02
·
CVE-2020-2206
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins VncRecorder Plugin versions 1.25 and earlier
Description
The issue is related to a reflected cross-site scripting (XSS) vulnerability. It occurs because the
checkVncServ form validation endpoint does not escape a parameter value, allowing for malicious script execution. This endpoint is used for form validation, and the lack of proper escaping makes it vulnerable to XSS attacks.Recommendations
For Jenkins VncRecorder Plugin versions 1.25 and earlier, update to version 1.35 or later, which escapes the parameter value in the output, thus resolving the issue.
As a temporary workaround, consider restricting access to the
checkVncServ form validation endpoint to minimize the risk of exploitation.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Vncrecorder Plugin