CVE-2024-54003
published 2024-11-27


Priority: P3 (56) · Severity: high · CVSS 3.1 base score: 8.0
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 77.46% (99.5th percentile)
Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission.

Affected (7 ranges)

Vendor           Product                           Version range   Fixed in
jenkins          filesystem_list_parameter_plugin  -               -
jenkins          jenkins_core                      -               -
jenkins          jenkins_lts                       -               -
jenkins          jenkins_weekly                    -               -
jenkins          simple_queue                      <= 1.4.4        1.4.5
jenkins          simple_queue_plugin               -               -
jenkins_project  jenkins_simple_queue_plugin       <= 1.4.4        1.4.5

The jenkins_core, jenkins_lts and jenkins_weekly rows carry no version range here: the vulnerable component is the Simple Queue Plugin, not Jenkins core, so the plugin version (not the Jenkins version) is what to check.

Detection & IOCs (extracted from sources)

  • Stored XSS in Jenkins Simple Queue Plugin 1.4.4 and earlier, triggered via an unescaped view name; exploitable by attackers with View/Create permission.
  • Exploitation requires an attacker who already holds View/Create permission in Jenkins; because the XSS is stored, the injected script runs in the browser of any user who views the affected page, so the impact is escalation from that role to the session of higher-privileged users, including administrators.
  • Simple Queue Plugin 1.4.5 remediates the issue by escaping the view name; any instance still running 1.4.4 or earlier remains vulnerable.
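As an added check (example code written for this page, not the plugin's or Jenkins' own code), the following Python reads the JSON that Jenkins' /pluginManager/api/json?depth=1 endpoint returns, reports whether an installed Simple Queue Plugin is at or below 1.4.4, and shows the HTML escaping of a view name that closes this class of bug. The plugin shortName "simple-queue", the sample JSON and the two render helpers are assumptions constructed for illustration; confirm the shortName against your own instance's plugin list.

```python
import base64
import json
import re
import urllib.request
from html import escape

# Constructed sample of the plugin manager API response, trimmed to the
# fields used here. The shortName "simple-queue" is an assumption.
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.5.2", "active": True},
        {"shortName": "simple-queue", "version": "1.4.4", "active": True},
    ]
})

# Version that escapes the view name, per the advisory text above.
FIXED_VERSION = "1.4.5"

_NUM = re.compile(r"\d+")


def parse_version(v):
    """Turn '1.4.4' (or '1.4.5-rc1') into a tuple of its leading numeric parts.

    Pre-release suffixes after '-' are dropped, so '1.4.5-rc1' compares as 1.4.5;
    treat that as an assumption if your instance runs pre-release plugin builds.
    """
    head = v.split("-", 1)[0]
    return tuple(int(x) for x in _NUM.findall(head))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is strictly older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def check_plugins(plugin_api_json, short_name="simple-queue"):
    """Return (installed_version, vulnerable); (None, False) when not installed."""
    data = json.loads(plugin_api_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == short_name:
            version = plugin.get("version", "")
            return version, is_vulnerable(version)
    return None, False


def fetch_plugin_json(base_url, user, api_token):
    """Fetch the live plugin list with HTTP basic auth (user + Jenkins API token).

    Not called in the stand-alone run; wire it up against a real controller.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    )
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def render_view_name_unsafe(name):
    """Illustrative only: the unescaped interpolation the advisory describes.

    This is NOT the plugin's own code, just the pattern that makes a stored
    view name land in the page as markup.
    """
    return f"<h2>{name}</h2>"


def render_view_name_safe(name):
    """Hardened form: HTML-escape the attacker-controlled view name."""
    return f"<h2>{escape(name, quote=True)}</h2>"


if __name__ == "__main__":
    version, vulnerable = check_plugins(SAMPLE_PLUGIN_JSON)
    print(f"simple-queue {version}: {'VULNERABLE' if vulnerable else 'ok'}")
    payload = '<img src=x onerror=alert(1)>'  # constructed test input
    print(render_view_name_unsafe(payload))
    print(render_view_name_safe(payload))
```

Run against a real controller by replacing SAMPLE_PLUGIN_JSON with fetch_plugin_json(url, user, token); the account only needs permission to read the plugin manager API. The escape helper is the fix class, not a patch: apply the actual fix by upgrading to 1.4.5 or later.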