CVE-2021-21667

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

5.4MEDIUM

EPSS

0.2%

top 52.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Scriptler Plugin Jenkins Scriptler

Timeline

PublishedJun 16

Latest updateJan 6

Description

Jenkins Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:scriptler< 3.3

▶CVEListV5jenkins_project/jenkins_scriptler_pluginunspecified — 3.2

▶NVDjenkins/scriptler3.2

🔴Vulnerability Details

GHSA

Stored XSS vulnerability in Jenkins Scriptler Plugin↗2022-01-06

▶

OSV

Stored XSS vulnerability in Jenkins Scriptler Plugin↗2022-01-06

▶

CVEList

CVE-2021-21667: Jenkins Scriptler Plugin 3↗2021-06-16

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2021-06-16↗2021-06-16

▶