CVE-2019-10335 org.jenkins-ci.plugins:electricflow

Package

Manager: maven
Name: org.jenkins-ci.plugins:electricflow
Vulnerable Version: >=0 <1.1.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00069 (percentile 0.21778)

Details

Jenkins ElectricFlow Plugin is vulnerable to a stored cross-site scripting vulnerability. The plugin adds metadata that is displayed on build pages during its operations. This user-supplied content was not escaped, resulting in a cross-site scripting vulnerability that allowed users with Job/Configure permission, or attackers controlling API responses received from ElectricFlow, to render arbitrary HTML and JavaScript on Jenkins build pages. Build metadata is now filtered through an HTML formatter that only allows basic HTML, neutralizing any unsafe data. Additionally, all builds executed after the security update is applied will properly escape content received from ElectricFlow.

Metadata

Created: 2022-05-24T16:47:43Z
Modified: 2023-10-26T22:19:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fx9p-2qvx-pgjv/GHSA-fx9p-2qvx-pgjv.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-fx9p-2qvx-pgjv
Finding: F425
Auto approve: 1