PT-2022-18289 · Jenkins · Jenkins Extended Choice Parameter Plugin
Kevin Guerroudj · Published 2022-03-15 · Updated 2023-11-22 · CVE-2022-27202
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a_86c and earlier
Description
The plugin does not escape the value and description of extended choice parameters of the radio buttons or check boxes type, so attacker-controlled markup stored in a job configuration is rendered verbatim. This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by attackers with Item/Configure permission.
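The defect described above is a missing output-encoding step: parameter value and description are emitted into HTML without escaping. The following Python snippet is an added illustration, not the plugin's own Java/Jelly code, that contrasts the unescaped rendering pattern with the hardened one (escaping in both the attribute and the text context) and includes a small checker for injected tags; the choice values are constructed samples.

```python
import html
import re

# Constructed sample values, labelled as such: what a user with Item/Configure
# permission could store as a radio-button/check-box choice (value, description).
SAMPLE_CHOICES = [
    ("stable", "Deploy the stable build"),
    ('"><script>alert(1)</script>', "<img src=x onerror=alert(1)>"),
]


def render_unescaped(name, choices, kind="radio"):
    """Vulnerable pattern: value and description are concatenated verbatim,
    so a value can close the attribute and a description can add elements."""
    parts = []
    for value, description in choices:
        parts.append(
            f'<input type="{kind}" name="{name}" value="{value}"> {description}<br>'
        )
    return "\n".join(parts)


def render_escaped(name, choices, kind="radio"):
    """Hardened pattern: html.escape(quote=True) encodes & < > " ' so neither
    the attribute value nor the description text can inject markup."""
    if kind not in ("radio", "checkbox"):
        raise ValueError("kind must be 'radio' or 'checkbox'")
    safe_name = html.escape(name, quote=True)
    parts = []
    for value, description in choices:
        safe_value = html.escape(value, quote=True)
        safe_desc = html.escape(description, quote=True)
        parts.append(
            f'<input type="{kind}" name="{safe_name}" '
            f'value="{safe_value}"> {safe_desc}<br>'
        )
    return "\n".join(parts)


def count_injected_tags(rendered):
    """Count opening tags other than the <input>/<br> markup the renderer
    itself emits; anything else came from user-supplied data."""
    return len(re.findall(r"<(?!/?(?:input|br)\b)[a-zA-Z]", rendered))
```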
Recommendations
For Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a_86c and earlier, update to a version that fixes the stored cross-site scripting (XSS) vulnerability. As a temporary workaround, restrict who can configure extended choice parameters of the radio buttons or check boxes type (that is, limit Item/Configure permission to trusted users) to minimize the risk of exploitation.
Fix
XSS
Affected Products
Jenkins
Jenkins Extended Choice Parameter Plugin