CVE-2022-41239

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

5.4MEDIUM

EPSS

12.4%

top 6.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Dotci Plugin Jenkins Dotci

Timeline

PublishedSep 21

Latest updateSep 22

Description

Jenkins DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_dotci_pluginunspecified — 2.40.00

▶Mavencom.groupon.jenkins-ci.plugins:DotCi2.40.00

▶NVDjenkins/dotci2.40.00

🔴Vulnerability Details

GHSA

Stored XSS vulnerability in Jenkins DotCi Plugin↗2022-09-22

▶

OSV

Stored XSS vulnerability in Jenkins DotCi Plugin↗2022-09-22

▶

CVEList

CVE-2022-41239: Jenkins DotCi Plugin 2↗2022-09-21

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-09-21↗2022-09-21

▶