CVE-2018-1000177 — Cross-site Scripting in Jenkins S3 Publisher

CWE-79 — Cross-site Scripting5 documents5 sources
Severity
5.4MEDIUMNVD
EPSS
0.1%
top 81.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Jenkins S3 Publisher
Timeline
PublishedMay 8
Latest updateMay 14

Description

A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

â–¶NVDjenkins/s3_publisher0.10.12

🔴Vulnerability Details

3
GHSA
Stored XSS vulnerability in Jenkins S3 Publisher Plugin↗2022-05-14
â–¶
OSV
Stored XSS vulnerability in Jenkins S3 Publisher Plugin↗2022-05-14
â–¶
CVEList
CVE-2018-1000177: A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0↗2018-05-08
â–¶

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2018-04-16↗2018-04-16
â–¶
CVE-2018-1000177 — Cross-site Scripting in Jenkins | cvebase