Stored Cross-Site Scripting Vulnerability in Jenkins Job Configuration History Plugin
CVE-2023-41931

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Job Configuration History Plugin
Vendor: CVE Published:; 6 September 2023

Summary

The Job Configuration History Plugin for Jenkins, specifically versions up to 1227.v7a_79fc4dc01f, is susceptible to a stored cross-site scripting (XSS) vulnerability. This arises because the plugin fails to properly sanitize or escape timestamp values from history entries when these entries are displayed in the history view. This oversight allows attackers to inject malicious scripts that can be executed in the browsers of users viewing the affected history entries.

Affected Version(s)

Jenkins Job Configuration History Plugin 0 <= 1227.v7a_79fc4dc01f

References

https://www.jenkins.io/security/advisory/2023-09-06/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/09/06/9

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 6, 2023
Vulnerability Reserved
Sep 5, 2023