Stored XSS vulnerability in Jenkins Scriptler Plugin
Moderate severity
GitHub Reviewed
Published
Jan 6, 2022
to the GitHub Advisory Database
•
Updated Dec 26, 2023
Description
Published by the National Vulnerability Database
Jun 16, 2021
Reviewed
Jun 17, 2021
Published to the GitHub Advisory Database
Jan 6, 2022
Last updated
Dec 26, 2023
Jenkins Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
Jenkins Scriptler Plugin 3.3 escapes parameter names shown in job configuration forms.
References