CVE-2022-29037Cross-site Scripting in Project Jenkins CVS Plugin

CWE-79Cross-site Scripting5 documents5 sources
Severity
5.4MEDIUMNVD
EPSS
29.6%
top 3.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project Jenkins CVS PluginJenkins CVS
Timeline
PublishedApr 12
Latest updateApr 13

Description

Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

CVEListV5jenkins_project/jenkins_cvs_pluginunspecified2.19
NVDjenkins/cvs2.19

🔴Vulnerability Details

3
GHSA
Stored XSS in Jenkins CVS Plugin2022-04-13
OSV
Stored XSS in Jenkins CVS Plugin2022-04-13
CVEList
CVE-2022-29037: Jenkins CVS Plugin 22022-04-12

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2022-04-122022-04-12
CVE-2022-29037 — Cross-site Scripting | cvebase