CVE-2018-1000413

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

5.4MEDIUM

EPSS

0.1%

top 77.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Config File Provider

Timeline

PublishedJan 9

Latest updateMay 14

Description

A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶Mavenorg.jenkins-ci.plugins:config-file-provider< 3.2

▶NVDjenkins/config_file_provider3.1

🔴Vulnerability Details

OSV

Stored XSS vulnerability in Config File Provider Plugin↗2022-05-14

▶

GHSA

Stored XSS vulnerability in Config File Provider Plugin↗2022-05-14

▶

CVEList

CVE-2018-1000413: A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3↗2019-01-09

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2018-09-25↗2018-09-25

▶