Stored Cross-Site Scripting Vulnerability in Jenkins ElectricFlow Plugin
CVE-2019-10335
5.4 MEDIUM
What is CVE-2019-10335?
A stored cross-site scripting vulnerability exists in the Jenkins ElectricFlow Plugin 1.1.5 and prior versions. This security flaw allows attackers with job configuration permissions in Jenkins or control over the ElectricFlow API output to inject arbitrary HTML and JavaScript. Consequently, malicious scripts can execute in users' browsers when they interact with affected build status pages, potentially leading to unauthorized access or data manipulation.
Affected Version(s)
Jenkins ElectricFlow Plugin 1.1.5 and earlier