Stored XSS Vulnerability in Jenkins Scriptler Plugin
CVE-2021-21700

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Scriptler Plugin
Vendor: CVE Published:; 12 November 2021

Summary

The Jenkins Scriptler Plugin version 3.3 and earlier allows stored cross-site scripting (XSS) vulnerabilities due to improper handling of script names within the user interface. When users are prompted to confirm deletion of scripts, the names are not correctly escaped, enabling attackers to create malicious Scriptler scripts. This can lead to the execution of arbitrary JavaScript code in the context of victims' sessions, posing security risks that can compromise user data and application integrity. It is crucial for users of the affected plugin to update their installations to mitigate this risk.

Affected Version(s)

Jenkins Scriptler Plugin <= 3.3

References

https://www.jenkins.io/security/advisory/2021-11-12/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2021/11/12/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 12, 2021
Vulnerability Reserved
Jan 4, 2021