CVE-2020-2257 – org.jenkins-ci.plugins:validating-string-parameter
Package
Manager: maven
Name: org.jenkins-ci.plugins:validating-string-parameter
Vulnerable Version: >=0 <2.5
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00233 (percentile 0.4604)
Details
Stored XSS vulnerability in Validating String Parameter Plugin
Validating String Parameter Plugin 2.4 and earlier does not escape regular expressions in tooltips. Additionally, Validating String Parameter Plugin 2.4 does not escape parameter names and parameter descriptions. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Validating String Parameter Plugin 2.5 escapes regular expressions in tooltips and parameter names. Parameter descriptions are rendered using the configured markup formatter.
Metadata
Created: 2022-05-24T17:28:25Z
Modified: 2022-12-29T01:34:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fvwh-wv43-8qj5/GHSA-fvwh-wv43-8qj5.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-fvwh-wv43-8qj5
Finding: F425
Auto approve: 1