1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-3006

[JENKINS:SECURITY-3006] Stored XSS vulnerability in `qualys-pc`

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

qualys-pc 1.0.5 and earlier does not escape Qualys API responses displayed on the job configuration page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

qualys-pc 1.0.6 escapes Qualys API responses displayed on the job configuration page.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/qualys-pc <= 1.0.5
pkg:github/jenkinsci/qualys-pc-plugin <= 1.0.5
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/qualys-pc = 1.0.6
pkg:github/jenkinsci/qualys-pc-plugin = 1.0.6
ID
JENKINS:SECURITY-3006
Severity
high
Published
2024-01-24T00:00:00
(7 months ago)
Modified
2024-01-24T00:00:00
(7 months ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository qualys-pc repository https://github.com/jenkinsci/qualys-pc-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/qualys-pc org.jenkins-ci.plugins qualys-pc <= 1.0.5
Fixed pkg:maven/org.jenkins-ci.plugins/qualys-pc org.jenkins-ci.plugins qualys-pc = 1.0.6
Affected pkg:github/jenkinsci/qualys-pc-plugin jenkinsci qualys-pc-plugin <= 1.0.5
Fixed pkg:github/jenkinsci/qualys-pc-plugin jenkinsci qualys-pc-plugin = 1.0.6
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date