logo

Database

Server side cross-site scripting In io.jenkins.plugins:coverage

Description

Jenkins Coverage Plugin has a stored cross-site scripting (XSS) vulnerability Jenkins Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a javascript: scheme URL as identifier by configuring the job through the REST API, resulting in a stored cross-site scripting (XSS) vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-676412. NVD-2025-676413. OSV-2025-676414. GCVE-2025-67641

References

1. https://github.com/jenkinsci/coverage-plugin/commit/1dfe888b02499d39185397862cf2790efc03e9552. https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3611

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.