Stored XSS vulnerability in Jenkins Cadence vManager Plugin

2022-05-2417:27:07

Google

osv.dev

0.001 Low

EPSS

Percentile

22.0%

JSON

Jenkins Cadence vManager Plugin 3.0.4 and earlier does not escape build descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.

Cadence vManager Plugin 3.0.5 removes affected tooltips.

CPENameOperatorVersion
org.jenkins-ci.plugins:vmanager-plugineq2.5.8
org.jenkins-ci.plugins:vmanager-plugineq2.5.5
org.jenkins-ci.plugins:vmanager-plugineq1.3
org.jenkins-ci.plugins:vmanager-plugineq2.6.0
org.jenkins-ci.plugins:vmanager-plugineq2.4
org.jenkins-ci.plugins:vmanager-plugineq2.4.6
org.jenkins-ci.plugins:vmanager-plugineq3.0.1
org.jenkins-ci.plugins:vmanager-plugineq2.4.1
org.jenkins-ci.plugins:vmanager-plugineq1.7
org.jenkins-ci.plugins:vmanager-plugineq2.4.5

Name	Operator	Version
org.jenkins-ci.plugins:vmanager-plugin	eq	2.5.8
org.jenkins-ci.plugins:vmanager-plugin	eq	2.5.5
org.jenkins-ci.plugins:vmanager-plugin	eq	1.3
org.jenkins-ci.plugins:vmanager-plugin	eq	2.6.0
org.jenkins-ci.plugins:vmanager-plugin	eq	2.4
org.jenkins-ci.plugins:vmanager-plugin	eq	2.4.6
org.jenkins-ci.plugins:vmanager-plugin	eq	3.0.1
org.jenkins-ci.plugins:vmanager-plugin	eq	2.4.1
org.jenkins-ci.plugins:vmanager-plugin	eq	1.7
org.jenkins-ci.plugins:vmanager-plugin	eq	2.4.5