CVE-2022-36902 – com.moded.extendedchoiceparameter:dynamic_extended_choice_parameter
Package
Manager: maven
Name: com.moded.extendedchoiceparameter:dynamic_extended_choice_parameter
Vulnerable Version: >=0 <=1.0.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.20595 (percentile 0.95361)
Details
Stored XSS vulnerability in Jenkins Dynamic Extended Choice Parameter plugin
Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape several fields of Moded Extended Choice parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Metadata
Created: 2022-07-28T00:00:42Z
Modified: 2022-12-09T18:17:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-jvvx-hmmr-rhgg/GHSA-jvvx-hmmr-rhgg.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-jvvx-hmmr-rhgg
Finding: F425
Auto approve: 1