PT-2020-15519 · Jenkins · Jenkins Active Choices Plugin+1
Wadeck Follonier
·
Published
2020-10-08
·
Updated
2023-11-02
·
CVE-2020-2289
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Active Choices Plugin versions 2.4 and earlier
Description
The issue results in a stored cross-site scripting (XSS) vulnerability because the name and description of build parameters are not properly escaped. This vulnerability can be exploited by attackers who have Job/Configure permission.
Recommendations
For Jenkins Active Choices Plugin versions 2.4 and earlier, update to version 2.5 or later, which escapes the name of build parameters and applies the configured markup formatter to the description of build parameters.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Active Choices Plugin