CVE-2019-10403 — Cross-site Scripting in Jenkins

CWE-79 — Cross-site Scripting8 documents7 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 43.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Jenkins Project Jenkins

Timeline

PublishedSep 25

Latest updateMay 24

Description

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDjenkins/jenkins2.176.3+1

▶CVEListV5jenkins_project/jenkins2.196 and earlier, LTS 2.176.3 and earlier

🔴Vulnerability Details

OSV

Improper Neutralization of Input During Web Page Generation in Jenkins↗2022-05-24

▶

GHSA

Improper Neutralization of Input During Web Page Generation in Jenkins↗2022-05-24

▶

CVEList

CVE-2019-10403: Jenkins 2↗2019-09-25

▶

📋Vendor Advisories

Red Hat

jenkins: Stored XSS vulnerability in SCM tag action tooltip↗2019-09-25

▶

Jenkins

Jenkins Security Advisory 2019-09-25↗2019-09-25

▶

💬Community

Bugzilla

CVE-2019-10401 CVE-2019-10402 CVE-2019-10403 CVE-2019-10404 CVE-2019-10405 CVE-2019-10406 jenkins: various flaws [fedora-all]↗2019-10-23

▶

Bugzilla

CVE-2019-10403 jenkins: Stored XSS vulnerability in SCM tag action tooltip↗2019-10-22

▶