Stored Cross-site Scripting vulnerability in Jenkins Dashboard View Plugin

2022-03-1600:00:45

Google

osv.dev

0.001 Low

EPSS

Percentile

22.2%

JSON

Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet’s Iframe source URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views.

Dashboard View Plugin 2.18.1 performs URL validation for the Iframe Portlet’s Iframe source URL.
Additionally, Dashboard View Plugin 2.18.1 sets the sandbox attribute for the iframe to restrict the included page.

In case of problems, the Java system property hudson.plugins.view.dashboard.core.IframePortlet.sandboxAttributeValue can be used to customize the sandbox attribute value. The Java system property hudson.plugins.view.dashboard.core.IframePortlet.doNotUseSandbox can be used to disable the sandbox completely.

CPENameOperatorVersion
org.jenkins-ci.plugins:dashboard-vieweq2.12.1
org.jenkins-ci.plugins:dashboard-vieweq2.9.10
org.jenkins-ci.plugins:dashboard-vieweq2.9.12
org.jenkins-ci.plugins:dashboard-vieweq2.9.5
org.jenkins-ci.plugins:dashboard-vieweq2.10
org.jenkins-ci.plugins:dashboard-vieweq2.8
org.jenkins-ci.plugins:dashboard-vieweq2.0.2
org.jenkins-ci.plugins:dashboard-vieweq2.9
org.jenkins-ci.plugins:dashboard-vieweq2.14
org.jenkins-ci.plugins:dashboard-vieweq2.18

Name	Operator	Version
org.jenkins-ci.plugins:dashboard-view	eq	2.12.1
org.jenkins-ci.plugins:dashboard-view	eq	2.9.10
org.jenkins-ci.plugins:dashboard-view	eq	2.9.12
org.jenkins-ci.plugins:dashboard-view	eq	2.9.5
org.jenkins-ci.plugins:dashboard-view	eq	2.10
org.jenkins-ci.plugins:dashboard-view	eq	2.8
org.jenkins-ci.plugins:dashboard-view	eq	2.0.2
org.jenkins-ci.plugins:dashboard-view	eq	2.9
org.jenkins-ci.plugins:dashboard-view	eq	2.14
org.jenkins-ci.plugins:dashboard-view	eq	2.18