CVE-2020-2106 io.jenkins.plugins:code-coverage-api

Package

Manager: maven
Name: io.jenkins.plugins:code-coverage-api
Vulnerable Version: >=0 <1.1.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00233 (percentile 0.4603)

Details

Stored XSS vulnerability in Code Coverage API Plugin

Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view. This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the job configuration. Code Coverage API Plugin 1.1.3 escapes the filename of the coverage report used in its view.

Metadata

Created: 2022-05-24T17:07:41Z
Modified: 2022-12-19T21:14:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xg77-xqhq-crpr/GHSA-xg77-xqhq-crpr.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-xg77-xqhq-crpr
Finding: F425
Auto approve: 1