CVE-2020-2243 — Cross-site Scripting in Project Jenkins Cadence Vmanager Plugin

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 53.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Cadence Vmanager Plugin Jenkins Cadence Vmanager

Timeline

PublishedSep 1

Latest updateMay 24

Description

Jenkins Cadence vManager Plugin 3.0.4 and earlier does not escape build descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_cadence_vmanager_pluginunspecified — 3.0.4

▶NVDjenkins/cadence_vmanager3.0.4

🔴Vulnerability Details

GHSA

Stored XSS vulnerability in Jenkins Cadence vManager Plugin↗2022-05-24

▶

OSV

Stored XSS vulnerability in Jenkins Cadence vManager Plugin↗2022-05-24

▶

CVEList

CVE-2020-2243: Jenkins Cadence vManager Plugin 3↗2020-09-01

▶

💥Exploits & PoCs

Exploit-DB

Fishing Reservation System 7.5 - 'uid' SQL Injection↗2020-05-05

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2020-09-01↗2020-09-01

▶