1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-1728-2

[JENKINS:SECURITY-1728-2] Reflected XSS vulnerability in `vncrecorder`

Severity Medium
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

vncrecorder 1.25 and earlier does not escape a parameter value in the checkVncServ form validation endpoint output.

This results in a reflected cross-site scripting (XSS) vulnerability.

vncrecorder 1.35 escapes the parameter value in the output.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/vncrecorder <= 1.25
pkg:github/jenkinsci/vncrecorder-plugin <= 1.25
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/vncrecorder = 1.35
pkg:github/jenkinsci/vncrecorder-plugin = 1.35
ID
JENKINS:SECURITY-1728-2
Severity
medium
Published
2020-07-02T00:00:00
(4 years ago)
Modified
2020-07-02T00:00:00
(4 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository vncrecorder repository https://github.com/jenkinsci/vncrecorder-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/vncrecorder org.jenkins-ci.plugins vncrecorder <= 1.25
Fixed pkg:maven/org.jenkins-ci.plugins/vncrecorder org.jenkins-ci.plugins vncrecorder = 1.35
Affected pkg:github/jenkinsci/vncrecorder-plugin jenkinsci vncrecorder-plugin <= 1.25
Fixed pkg:github/jenkinsci/vncrecorder-plugin jenkinsci vncrecorder-plugin = 1.35
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date