[JENKINS:SECURITY-1954] Stored XSS vulnerability in `uno-choice`

Severity: High
Affected Packages: 2
Fixed Packages: 2
CVEs: 1

uno-choice 2.4 and earlier does not escape the name and description of build parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

uno-choice 2.5 escapes the name of build parameters and applies the configured markup formatter to the description of build parameters.

ID: JENKINS:SECURITY-1954
Severity: high
Published: 2020-10-08T00:00:00
Modified: 2020-10-08T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source: Plugin repository
Name: uno-choice repository
URL: https://github.com/jenkinsci/uno-choice-plugin
Type     | Package URL                                      | Namespace              | Name               | Version
Affected | pkg:maven/org.jenkins-ci.plugins/uno-choice      | org.jenkins-ci.plugins | uno-choice         | <= 2.4
Fixed    | pkg:maven/org.jenkins-ci.plugins/uno-choice      | org.jenkins-ci.plugins | uno-choice         | = 2.5
Affected | pkg:github/jenkinsci/uno-choice-plugin           | jenkinsci              | uno-choice-plugin  | <= 2.4
Fixed    | pkg:github/jenkinsci/uno-choice-plugin           | jenkinsci              | uno-choice-plugin  | = 2.5