Reflected Cross Site Scripting Vulnerability in Jenkins ElectricFlow Plugin
CVE-2019-10336

6.1MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Electricflow Plugin
Vendor
CVE Published:
11 June 2019

Summary

The Jenkins ElectricFlow Plugin, specifically versions 1.1.6 and earlier, is susceptible to a reflected cross site scripting (XSS) vulnerability. This issue arises when an attacker is able to manipulate the output from the ElectricFlow API, allowing the perpetrator to inject arbitrary HTML and JavaScript code into job configuration forms. This can lead to unauthorized actions on behalf of users who are tricked into interacting with the compromised forms, posing significant security risks to affected environments.

Affected Version(s)

Jenkins ElectricFlow Plugin 1.1.6 and earlier

References

http://www.openwall.com/lists/oss-security/2019/06/11/1
mailing-listx_refsource_MLIST
http://www.securityfocus.com/bid/108747
vdb-entryx_refsource_BID
https://jenkins.io/security/advisory/2019-06-11/#SECURITY...
x_refsource_CONFIRM

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.