Stored XSS vulnerability in Jenkins Scriptler Plugin

2022-05-2419:20:33

Google

osv.dev

0.001 Low

EPSS

Percentile

22.3%

JSON

Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.

Jenkins Scriptler Plugin 3.4 escapes the name of scripts on the UI when asking to confirm their deletion.

CPENameOperatorVersion
org.jenkins-ci.plugins:scriptlereq3.2
org.jenkins-ci.plugins:scriptlereq2.6.1
org.jenkins-ci.plugins:scriptlereq2.0
org.jenkins-ci.plugins:scriptlereq2.5
org.jenkins-ci.plugins:scriptlereq3.3
org.jenkins-ci.plugins:scriptlereq2.1
org.jenkins-ci.plugins:scriptlereq2.7
org.jenkins-ci.plugins:scriptlereq3.1
org.jenkins-ci.plugins:scriptlereq2.4
org.jenkins-ci.plugins:scriptlereq2.2.1

Name	Operator	Version
org.jenkins-ci.plugins:scriptler	eq	3.2
org.jenkins-ci.plugins:scriptler	eq	2.6.1
org.jenkins-ci.plugins:scriptler	eq	2.0
org.jenkins-ci.plugins:scriptler	eq	2.5
org.jenkins-ci.plugins:scriptler	eq	3.3
org.jenkins-ci.plugins:scriptler	eq	2.1
org.jenkins-ci.plugins:scriptler	eq	2.7
org.jenkins-ci.plugins:scriptler	eq	3.1
org.jenkins-ci.plugins:scriptler	eq	2.4
org.jenkins-ci.plugins:scriptler	eq	2.2.1