CVE-2018-1000177 – org.jenkins-ci.plugins:s3
Package
Manager: maven
Name: org.jenkins-ci.plugins:s3
Vulnerable Version: >=0 <0.11.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00058 (percentile 0.18321)
Details
Stored XSS vulnerability in Jenkins S3 Publisher Plugin

A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions.
Metadata
Created: 2022-05-14T03:18:39Z
Modified: 2024-01-30T22:42:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3892-qqv6-h2qm/GHSA-3892-qqv6-h2qm.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-3892-qqv6-h2qm
Finding: F425
Auto approve: 1