CVE-2020-2106

CWE-79 — Cross-site Scripting (XSS)9 documents7 sources

Severity

5.4MEDIUM

EPSS

0.2%

top 53.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Code Coverage API Plugin Jenkins Code Coverage API

Timeline

PublishedJan 29

Latest updateMay 24

Description

Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view, resulting in a stored XSS vulnerability exploitable by users able to change job configurations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶Mavenio.jenkins.plugins:code-coverage-api< 1.1.3

▶CVEListV5jenkins_project/jenkins_code_coverage_api_pluginunspecified — 1.1.2

▶NVDjenkins/code_coverage_api1.1.2

🔴Vulnerability Details

OSV

Stored XSS vulnerability in Code Coverage API Plugin↗2022-05-24

▶

GHSA

Stored XSS vulnerability in Code Coverage API Plugin↗2022-05-24

▶

CVEList

CVE-2020-2106: Jenkins Code Coverage API Plugin 1↗2020-01-29

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2020-01-29↗2020-01-29

▶

💬Community

Bugzilla

CVE-2020-1758 keycloak: improper verification of certificate with host mismatch could result in information disclosure↗2020-03-11

▶

Bugzilla

CVE-2020-1724 keycloak: problem with privacy after user logout↗2020-02-07

▶

Bugzilla

CVE-2020-1718 keycloak: security issue on reset credential flow↗2020-01-31

▶