CVE-2019-10336 – org.jenkins-ci.plugins:electricflow

Package

Manager: maven
Name: org.jenkins-ci.plugins:electricflow
Vulnerable Version: >=0 <1.1.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00077 pctl0.23709

Details

Jenkins ElectricFlow Plugin is vulnerable to reflected cross site scripting vulnerability The configuration forms of various post-build steps contributed by CloudBees CD Plugin were vulnerable to cross-site scripting. This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript into the configuration form. CloudBees CD Plugin no longer interprets HTML/JavaScript in responses from ElectricFlow server APIs on job configuration forms.

Metadata

Created: 2022-05-24T16:47:43Z
Modified: 2023-10-26T22:21:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w3pj-v9jr-v2wc/GHSA-w3pj-v9jr-v2wc.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-w3pj-v9jr-v2wc
Finding: F008
Auto approve: 1