Stored Cross-Site Scripting in Jenkins ECharts API Plugin by CloudBees
CVE-2020-2194

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Echarts Api Plugin
Vendor: CVE Published:; 3 June 2020

What is CVE-2020-2194?

The Jenkins ECharts API Plugin versions 4.7.0-3 and earlier are susceptible to a stored cross-site scripting vulnerability. This arises from the failure to properly escape the display name of builds in the trend chart. An attacker could exploit this flaw by injecting malicious scripts that would be executed in the context of users viewing the chart, potentially leading to unauthorized access or data theft.

Affected Version(s)

Jenkins ECharts API Plugin <= 4.7.0-3

References

https://jenkins.io/security/advisory/2020-06-03/#SECURITY...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2020/06/03/3

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 3, 2020
Vulnerability Reserved
Dec 5, 2019