Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-5573 — Cross-site Scripting in Jenkins

CWE-79 — Cross-site Scripting CWE-96 — Static Code Injection7 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

1.6%

top 18.10%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Jenkins Jenkins Core

Timeline

PublishedDec 31

Latest updateMay 17

Description

Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDjenkins/jenkins1.523

▶jenkinsjenkins/jenkins_core

🔴Vulnerability Details

GHSA

Jenkins allows Cross-Site Scripting (XSS) in User Configuration↗2022-05-17

▶

OSV

Jenkins allows Cross-Site Scripting (XSS) in User Configuration↗2022-05-17

▶

💥Exploits & PoCs

Exploit-DB

Jenkins 1.523 - Persistent HTML Code↗2013-12-18

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2014-02-14↗2014-02-14

▶

Red Hat

jenkins: default markup formatter permits offsite-bound forms (SECURITY-88)↗2013-12-16

▶

💬Community

Bugzilla

CVE-2013-5573 jenkins: default markup formatter permits offsite-bound forms (SECURITY-88)↗2013-12-19

▶