CVE-2020-2176 – it.infuse.jenkins:usemango-runner

Package

Manager: maven
Name: it.infuse.jenkins:usemango-runner
Vulnerable Version: >=0 <1.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00207 pctl0.43199

Details

XSS vulnerability in Jenkins useMango Runner Plugin Multiple form validation endpoints in useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service. useMango Runner Plugin 1.5 escapes all values received from the useMango service in form validation messages.

Metadata

Created: 2022-05-24T17:13:39Z
Modified: 2022-12-20T19:24:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5x89-75r7-8rjh/GHSA-5x89-75r7-8rjh.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-5x89-75r7-8rjh
Finding: F008
Auto approve: 1