Stored Cross-Site Scripting Flaw in Jenkins with Toad Edge Plugin
CVE-2022-28145

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Continuous Integration With Toad Edge Plugin
Vendor: CVE Published:; 29 March 2022

Summary

The Jenkins Continuous Integration platform, when used with the Toad Edge Plugin version 2.3 and earlier, is vulnerable to a stored cross-site scripting (XSS) attack. This vulnerability arises due to the absence of Content-Security-Policy headers in the report files served by Jenkins, allowing attackers with Item/Configure permissions, or those able to manipulate report contents, to inject malicious scripts. Exploiting this vulnerability can compromise the integrity of user data and affect web application security.

Affected Version(s)

Jenkins Continuous Integration with Toad Edge Plugin <= 2.3

References

https://www.jenkins.io/security/advisory/2022-03-29/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/03/29/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 29, 2022
Vulnerability Reserved
Mar 29, 2022