GHSA-xg77-xqhq-crpr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xg77-xqhq-crpr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xg77-xqhq-crpr/GHSA-xg77-xqhq-crpr.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-xg77-xqhq-crpr
- Aliases
- Published
- 2022-05-24T17:07:41Z
- Modified
- 2024-01-02T05:49:11.575329Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Stored XSS vulnerability in Code Coverage API Plugin
- Details
-
Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view.
This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the job configuration.
Code Coverage API Plugin 1.1.3 escapes the filename of the coverage report used in its view.
- Database specific
{ "nvd_published_at": "2020-01-29T16:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-12-19T21:14:50Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-2106
- https://github.com/jenkinsci/code-coverage-api-plugin/commit/24921da6d625c4deb259049446dc2b45b1da4603
- https://github.com/jenkinsci/code-coverage-api-plugin
- https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1680
- http://www.openwall.com/lists/oss-security/2020/01/29/1
Affected packages
Maven / io.jenkins.plugins:code-coverage-api
Package
- Name
- io.jenkins.plugins:code-coverage-api
- View open source insights on deps.dev
- Purl
- pkg:maven/io.jenkins.plugins/code-coverage-api
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.1.3