CVE-2013-5573
Published: 2013-12-31
Priority: P4 · Severity: medium · CVSS 2.0 base score: 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT · EPSS: 5.41% (91.7th percentile)
Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | jenkins | — | — |
| jenkins | jenkins_core | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Jenkins
Jenkins Security Advisory 2014-02-14
vendor_jenkins · 2014-02-14 · CVSS 4.3 · CVE-2013-5573 [MEDIUM]
This advisory announces multiple security vulnerabilities that were found in Jenkins core.
Description
SECURITY-105
In some places, Jenkins XML API uses XStream to deserialize arbitrary content, which is affected by CVE-2013-7285 reported against XStream. This allows malicious users of Jenkins with a limited set of permissions to execute arbitrary code inside the Jenkins controller.
SECURITY-76 & SECURITY-88 / CVE-2013-5573
Restrictions of HTML tags for user-editable contents are too lax. This allows malicious users of Jenkins to trick other unsuspecting users into providing sensitive information.
SECURITY-109
Plugging a hole in the earlier fix to SECURIT
Red Hat
jenkins: default markup formatter permits offsite-bound forms (SECURITY-88)
vendor_redhat · 2013-12-16 · CVSS 4.3 · CVE-2013-5573 [MEDIUM] · CWE-96
Mitigation: 'MyspacePolicy' permits
tag("form", "action", ONSITE_OR_OFFSITE_URL, "method");
Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or perhaps could be banned entirely.
Package: jenkins (OpenShift Enterprise 1) - Will not fix
GHSA
Jenkins allows Cross-Site Scripting (XSS) in User Configuration
ghsa · 2022-05-17 · CVE-2013-5573 [LOW] · CWE-79
OSV
Jenkins allows Cross-Site Scripting (XSS) in User Configuration
osv · 2022-05-17 · CVE-2013-5573 [LOW]
No detection rules found.
References
http://packetstormsecurity.com/files/124513
http://seclists.org/bugtraq/2013/Dec/104
http://seclists.org/fulldisclosure/2013/Dec/159
http://www.exploit-db.com/exploits/30408
http://www.osvdb.org/101187
http://www.securityfocus.com/bid/64414
https://exchange.xforce.ibmcloud.com/vulnerabilities/89872