CVE-2023-25761

CWE-79Cross-site Scripting (XSS)7 documents7 sources
Severity
5.4MEDIUM
EPSS
1.8%
top 17.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project Jenkins Junit PluginJenkins Junit
Timeline
PublishedFeb 15

Description

Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

Mavenorg.jenkins-ci.plugins:junit< 1166.1168.vd6b_8042a_06de
CVEListV5jenkins_project/jenkins_junit_pluginunspecified1166.va_436e268e972
NVDjenkins/junit1166.va_436e268e972

🔴Vulnerability Details

3
CVEList
CVE-2023-25761: Jenkins JUnit Plugin 11662023-02-15
GHSA
Cross-site Scripting in Jenkins JUnit Plugin2023-02-15
OSV
Cross-site Scripting in Jenkins JUnit Plugin2023-02-15

📋Vendor Advisories

3
Red Hat
jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin2023-02-15
Jenkins
Jenkins Security Advisory 2023-02-152023-02-15
Microsoft
Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by atta2023-02-14
CVE-2023-25761 (MEDIUM CVSS 5.4) | Jenkins JUnit Plugin 1166.va_436e26 | cvebase.io