CVE-2022-27197

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

5.4MEDIUM

EPSS

0.2%

top 64.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Dashboard View Jenkins Project Jenkins Dashboard View Plugin

Timeline

PublishedMar 15

Latest updateMar 16

Description

Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:dashboard-view< 2.18.1

▶CVEListV5jenkins_project/jenkins_dashboard_view_pluginunspecified — 2.18

▶NVDjenkins/dashboard_view< 2.18.1

🔴Vulnerability Details

OSV

Stored Cross-site Scripting vulnerability in Jenkins Dashboard View Plugin↗2022-03-16

▶

GHSA

Stored Cross-site Scripting vulnerability in Jenkins Dashboard View Plugin↗2022-03-16

▶

CVEList

CVE-2022-27197: Jenkins Dashboard View Plugin 2↗2022-03-15

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-03-15↗2022-03-15

▶