PT-2023-25164 · Jenkins · Jenkins Sonargraph Integration Plugin
Alvaro Muñoz · Published 2023-06-14 · Updated 2025-01-02
CVE-2023-35145
CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Jenkins Sonargraph Integration Plugin versions 5.0.1 and earlier
Description
This is a stored cross-site scripting (XSS) vulnerability. The plugin does not correctly escape the file path and the project name in the form validation for the Log file field. Attackers with Item/Configure permission can exploit it.
Recommendations
For Jenkins Sonargraph Integration Plugin versions 5.0.1 and earlier, update to a version that correctly escapes the file path and the project name for the Log file field form validation to prevent stored cross-site scripting attacks.
As a temporary workaround, consider restricting access to the Log file field form validation for users with Item/Configure permission until a patch is available.
Fix
XSS
Affected Products
Jenkins
Jenkins Sonargraph Integration Plugin