Stored XSS in Jenkins CVS Plugin

2022-04-1300:00:18

Google

osv.dev

0.001 Low

EPSS

Percentile

22.0%

JSON

Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CPENameOperatorVersion
org.jenkins-ci.plugins:cvseq2.12
org.jenkins-ci.plugins:cvseq1.4
org.jenkins-ci.plugins:cvseq2.10
org.jenkins-ci.plugins:cvseq2.19
org.jenkins-ci.plugins:cvseq2.14
org.jenkins-ci.plugins:cvseq2.8
org.jenkins-ci.plugins:cvseq1.6
org.jenkins-ci.plugins:cvseq2.18
org.jenkins-ci.plugins:cvseq2.9
org.jenkins-ci.plugins:cvseq1.5

Name	Operator	Version
org.jenkins-ci.plugins:cvs	eq	2.12
org.jenkins-ci.plugins:cvs	eq	1.4
org.jenkins-ci.plugins:cvs	eq	2.10
org.jenkins-ci.plugins:cvs	eq	2.19
org.jenkins-ci.plugins:cvs	eq	2.14
org.jenkins-ci.plugins:cvs	eq	2.8
org.jenkins-ci.plugins:cvs	eq	1.6
org.jenkins-ci.plugins:cvs	eq	2.18
org.jenkins-ci.plugins:cvs	eq	2.9
org.jenkins-ci.plugins:cvs	eq	1.5