Stored Cross-Site Scripting in Jenkins Contrast Continuous Application Security Plugin
CVE-2022-43420

5.4MEDIUM

What is CVE-2022-43420?

The Jenkins Contrast Continuous Application Security Plugin versions up to 3.9 exhibits a vulnerability where it fails to properly escape data returned from the Contrast service. This oversight allows for stored cross-site scripting (XSS) attacks that can be exploited by attackers who have the ability to manipulate the responses from the Contrast service API. When users generate reports, the unescaped data can lead to executed scripts, potentially compromising user interactions and sensitive information.

Affected Version(s)

Jenkins Contrast Continuous Application Security Plugin <= 3.9

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.