PT-2025-11701 · Jenkins · Jenkins Anchorchain Plugin+1

Lotfi Yahi

Published

2025-03-19

Updated

2025-10-08

CVE-2025-30196

CVSS v3.1

8.0

High

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins AnchorChain Plugin version 1.0

Description The issue allows attackers to exploit a stored cross-site scripting (XSS) vulnerability by controlling the input file for the Anchor Chain post-build step. This is due to the plugin not limiting URL schemes for links it creates based on workspace content, allowing the javascript: scheme.

Recommendations For Jenkins AnchorChain Plugin version 1.0, consider disabling the Anchor Chain post-build step until a patch is available to prevent exploitation of the stored XSS vulnerability. Restrict access to workspace content to minimize the risk of attackers controlling the input file.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2025-30196

GHSA-XXRG-MG63-QFPJ

Affected Products

Jenkins

Jenkins Anchorchain Plugin

PT-2025-11701 · Jenkins · Jenkins Anchorchain Plugin+1

CVE-2025-30196

Weakness Enumeration

Related Identifiers

Affected Products

References · 9