[MAVEN:GHSA-5X89-75R7-8RJH] XSS vulnerability in Jenkins useMango Runner Plugin

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

Multiple form validation endpoints in useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service.

This results in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service.

useMango Runner Plugin 1.5 escapes all values received from the useMango service in form validation messages.

Package	Affected Version
pkg:maven/it.infuse.jenkins/usemango-runner	< 1.5

Package	Fixed Version
pkg:maven/it.infuse.jenkins/usemango-runner	= 1.5

ID

MAVEN:GHSA-5X89-75R7-8RJH

Severity

moderate

URL

https://github.com/advisories/GHSA-5x89-75r7-8rjh

Published

2022-05-24T17:13:39
(2 years ago)

Modified

2023-01-29T05:01:02
(19 months ago)

Rights

Maven Security Team

Other Advisories

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2020-2176
			https://jenkins.io/security/advisory/2020-04-07/#SECURITY-1780
			http://www.openwall.com/lists/oss-security/2020/04/07/3
			https://github.com/advisories/GHSA-5x89-75r7-8rjh

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/it.infuse.jenkins/usemango-runner	it.infuse.jenkins	usemango-runner	< 1.5
Fixed	pkg:maven/it.infuse.jenkins/usemango-runner	it.infuse.jenkins	usemango-runner	= 1.5

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date