Cross-Site Scripting Vulnerability in Woodpecker CI
CVE-2022-29947

6.1MEDIUM

Key Information:

Vendor: Woodpecker-ci
Status: Woodpecker
Vendor: CVE Published:; 29 April 2022

What is CVE-2022-29947?

Woodpecker CI prior to version 0.15.1 is susceptible to a Cross-Site Scripting (XSS) attack due to improper escaping in the build log functionality. The vulnerability arises from the lack of input validation in the build logs, specifically within the build/BuildLog.vue component. This oversight allows an attacker to inject malicious scripts, potentially compromising user sessions and accessing sensitive information.

References

https://github.com/woodpecker-ci/woodpecker/releases/tag/...

x_refsource_MISC

https://github.com/woodpecker-ci/woodpecker/pull/879

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 29, 2022
Vulnerability Reserved
Apr 29, 2022

Woodpecker-ci

What is CVE-2022-29947?

References

CVSS V3.1

Timeline