PT-2020-15421 · Jenkins · Jenkins Vncviewer Plugin
Wadeck Follonier
Published 2020-07-02 · Updated 2023-11-02
CVE-2020-2207
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins VncViewer Plugin versions 1.7 and earlier
Description
Jenkins VncViewer Plugin 1.7 and earlier does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability. The vulnerable parameter is value, the query parameter Jenkins hands to form validation (doCheck) methods: input that fails the check is written back into the endpoint's HTML response unescaped, and the Jenkins configuration page inserts that response into the DOM as markup rather than as text. An attacker who gets a victim to open a crafted link to the endpoint can therefore execute script in the victim's browser in the context of the Jenkins instance; the vector's PR:N and UI:R capture this (no privileges needed, but a victim has to follow the link).
Recommendations
Update Jenkins VncViewer Plugin to version 1.8 or later, which escapes the parameter value in the checkVncServ form validation endpoint output. Until the update is applied, restrict access to the checkVncServ endpoint; treat this as a stopgap only, since a reflected XSS needs nothing more than a victim following a crafted link.
Fix
XSS
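The defect class the description refers to, as an added example in Java that is not the VncViewer plugin's own code (its real doCheckVncServ is not reproduced here): a hypothetical Recorder whose descriptor exposes a checkVncServ endpoint in the vulnerable form and in the hardened form. VncServerRecorder, DescriptorImpl, the host:display accept rule and the method names are assumptions made for illustration; FormValidation.error, FormValidation.errorWithMarkup, Util.escape, @QueryParameter and the descriptorByName routing are real Jenkins/Stapler behaviour.

```java
// Added example, not code from the VncViewer plugin or from Jenkins core.
// Class names, the validation rule and the method names are assumed.
package example;

import hudson.Extension;
import hudson.Util;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Publisher;
import hudson.tasks.Recorder;
import hudson.util.FormValidation;
import java.util.regex.Pattern;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;

/** Hypothetical post-build step with a single config field, vncServ. */
public class VncServerRecorder extends Recorder {

    private final String vncServ;

    @DataBoundConstructor
    public VncServerRecorder(String vncServ) {
        this.vncServ = vncServ;
    }

    public String getVncServ() {
        return vncServ;
    }

    /**
     * Jenkins routes the config-form check for the field "vncServ" to
     * doCheckVncServ(), reachable over HTTP as
     *   .../descriptorByName/example.VncServerRecorder/checkVncServ?value=...
     * The HTML this method returns is inserted into the configuration
     * page's DOM as markup, so anything reflected unescaped is rendered.
     */
    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Publisher> {

        // Assumed accept rule: host[:display]. Note that it is the *rejected*
        // input, i.e. exactly the input that can contain < > " ', that the
        // error message echoes back.
        private static final Pattern HOST_DISPLAY =
            Pattern.compile("^[A-Za-z0-9.-]+(:[0-9]{1,5})?$");

        private static boolean looksLikeVncServer(String value) {
            return value != null && HOST_DISPLAY.matcher(value.trim()).matches();
        }

        /**
         * VULNERABLE PATTERN (shown for contrast, never ship this):
         * errorWithMarkup() sends its argument verbatim, so a request with
         *   ?value=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E
         * fails the check and is echoed as live HTML.
         */
        public FormValidation doCheckVncServUnsafe(@QueryParameter String value) {
            if (looksLikeVncServer(value)) {
                return FormValidation.ok();
            }
            return FormValidation.errorWithMarkup(
                "Not a VNC server address: <b>" + value + "</b>");
        }

        /**
         * HARDENED: FormValidation.error(String) HTML-escapes its message
         * (it runs it through Util.escape before delegating to
         * errorWithMarkup), so the same payload comes back as inert text.
         */
        public FormValidation doCheckVncServ(@QueryParameter String value) {
            if (looksLikeVncServer(value)) {
                return FormValidation.ok();
            }
            return FormValidation.error("Not a VNC server address: " + value);
        }

        /**
         * If real markup is wanted in the message, escape only the untrusted
         * piece and keep errorWithMarkup() for the trusted surrounding tags.
         */
        public FormValidation doCheckVncServRich(@QueryParameter String value) {
            if (looksLikeVncServer(value)) {
                return FormValidation.ok();
            }
            return FormValidation.errorWithMarkup(
                "Not a VNC server address: <b>" + Util.escape(value) + "</b>");
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "VNC server (example)";
        }
    }
}
```

To confirm which behaviour an instance exhibits, request the plugin's checkVncServ form validation endpoint with a harmless marker such as value=<b>x</b> and read the raw response body rather than the rendered page: a vulnerable build returns the tag as written, a fixed build returns it entity-encoded (&lt;b&gt;x&lt;/b&gt;). The same two-line rule applies to any doCheck method you audit: plain error()/warning()/ok(String) escape for you, the *WithMarkup variants do not.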
Weakness Enumeration
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected Products
Jenkins
Jenkins Vncviewer Plugin