CVE-2019-10402 — Cross-site Scripting in Jenkins

CWE-79 — Cross-site Scripting8 documents7 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 43.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Jenkins Project Jenkins

Timeline

PublishedSep 25

Latest updateMay 24

Description

In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDjenkins/jenkins2.176.3+1

▶CVEListV5jenkins_project/jenkins2.196 and earlier, LTS 2.176.3 and earlier

🔴Vulnerability Details

GHSA

Improper Neutralization of Input During Web Page Generation in Jenkins↗2022-05-24

▶

OSV

Improper Neutralization of Input During Web Page Generation in Jenkins↗2022-05-24

▶

CVEList

CVE-2019-10402: In Jenkins 2↗2019-09-25

▶

📋Vendor Advisories

Red Hat

jenkins: XSS vulnerability in combobox form control↗2019-09-25

▶

Jenkins

Jenkins Security Advisory 2019-09-25↗2019-09-25

▶

💬Community

Bugzilla

CVE-2019-10401 CVE-2019-10402 CVE-2019-10403 CVE-2019-10404 CVE-2019-10405 CVE-2019-10406 jenkins: various flaws [fedora-all]↗2019-10-23

▶

Bugzilla

CVE-2019-10402 jenkins: XSS vulnerability in combobox form control↗2019-10-22

▶