CVE-2019-10336 — Cross-site Scripting in Jenkins Electricflow

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.1%

top 80.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Electricflow Jenkins Project Jenkins Electricflow Plugin

Timeline

PublishedJun 11

Latest updateMay 24

Description

A reflected cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.6 and earlier allowed attackers able to control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in job configuration forms containing post-build steps provided by this plugin.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_electricflow_plugin1.1.6 and earlier

▶NVDjenkins/electricflow1.1.6

🔴Vulnerability Details

OSV

Jenkins ElectricFlow Plugin is vulnerable to reflected cross site scripting vulnerability↗2022-05-24

▶

GHSA

Jenkins ElectricFlow Plugin is vulnerable to reflected cross site scripting vulnerability↗2022-05-24

▶

CVEList

CVE-2019-10336: A reflected cross site scripting vulnerability in Jenkins ElectricFlow Plugin 1↗2019-06-11

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2019-06-11↗2019-06-11

▶