CVE-2023-35145Cross-site Scripting in Project Jenkins Sonargraph Integration Plugin

CWE-79Cross-site Scripting5 documents5 sources
Severity
5.4MEDIUMNVD
EPSS
0.6%
top 31.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
13
Jenkins Project Jenkins Sonargraph Integration PluginJenkins Sonargraph IntegrationJenkins AWS Codecommit Trigger Plugin+10 more
Timeline
PublishedJun 14

Description

Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not escape the file path and the project name for the Log file field form validation, resulting in a stored cross-site scripting vulnerability exploitable by attackers with Item/Configure permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages13 packages

🔴Vulnerability Details

2
GHSA
Jenkins Sonargraph Integration Plugin vulnerable to Stored Cross-site Scripting2023-06-14
OSV
Jenkins Sonargraph Integration Plugin vulnerable to Stored Cross-site Scripting2023-06-14

📋Vendor Advisories

2
Jenkins
Jenkins Security Advisory 2023-06-142023-06-14
Red Hat
jenkins-2-plugins: sonargraph-integration: Stored XSS vulnerability in Sonargraph Integration Plugin2023-06-14