CVE-2021-21700 – org.jenkins-ci.plugins:scriptler
Package
Manager: maven
Name: org.jenkins-ci.plugins:scriptler
Vulnerable Version: >=0 <3.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.2585 (percentile: 0.96064)
Details
Stored XSS vulnerability in Jenkins Scriptler Plugin
Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts. Jenkins Scriptler Plugin 3.4 escapes the name of scripts on the UI when asking to confirm their deletion.
Metadata
Created: 2022-05-24T19:20:33Z
Modified: 2023-10-27T16:09:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f9gf-2q87-5m44/GHSA-f9gf-2q87-5m44.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-f9gf-2q87-5m44
Finding: F425
Auto approve: 1