CVE-2019-10396

MEDIUM5.4EPSS 0.10%

Jenkins Dashboard View Plugin vulnerable to Cross-site Scripting

Published: 5/24/2022Modified: 2/16/2024

Description

Dashboard View Plugin did not escape the build description on the Latest Builds View. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the description of builds shown on that view. Dashboard View Plugin now applies the configured markup formatter to the build description, rendering it as it appears elsewhere in Jenkins.

Affected packages (1)

Maven/org.jenkins-ci.plugins:dashboard-viewfrom 0, < 2.12

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10396
WEBhttps://github.com/jenkinsci/dashboard-view-plugin/commit/115238da2a8899358b32ee14e7076df23747d6c9
WEBhttps://jenkins.io/security/advisory/2019-09-12/#SECURITY-1489
WEBhttp://www.openwall.com/lists/oss-security/2019/09/12/2