CVE-2020-2106
MEDIUM5.4EPSS 0.19%Stored XSS vulnerability in Code Coverage API Plugin
Published: 5/24/2022Modified: 2/16/2024
Description
Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view. This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the job configuration. Code Coverage API Plugin 1.1.3 escapes the filename of the coverage report used in its view.
Affected packages (1)
- Maven/io.jenkins.plugins:code-coverage-apifrom 0, < 1.1.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-2106
- PATCHhttps://github.com/jenkinsci/code-coverage-api-plugin
- WEBhttps://github.com/jenkinsci/code-coverage-api-plugin/commit/24921da6d625c4deb259049446dc2b45b1da4603
- WEBhttps://jenkins.io/security/advisory/2020-01-29/#SECURITY-1680
- WEBhttp://www.openwall.com/lists/oss-security/2020/01/29/1