[MAVEN:GHSA-W3PJ-V9JR-V2WC] Jenkins ElectricFlow Plugin is vulnerable to reflected cross-site scripting

Severity: Moderate
Affected Packages: 1
Fixed Packages: 1
CVEs: 1

The configuration forms of various post-build steps contributed by CloudBees CD Plugin were vulnerable to cross-site scripting.

This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript into the configuration form.

CloudBees CD Plugin no longer interprets HTML/JavaScript in responses from ElectricFlow server APIs on job configuration forms.

Affected package: pkg:maven/org.jenkins-ci.plugins/electricflow, version <= 1.1.6
Fixed package: pkg:maven/org.jenkins-ci.plugins/electricflow, version = 1.1.7
ID: MAVEN:GHSA-W3PJ-V9JR-V2WC
Severity: moderate
URL: https://github.com/advisories/GHSA-w3pj-v9jr-v2wc
Published: 2022-05-24T16:47:43 (2 years ago)
Modified: 2023-12-22T10:55:02 (9 months ago)
Rights: Maven Security Team
Other Advisories
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Affected | pkg:maven/org.jenkins-ci.plugins/electricflow | org.jenkins-ci.plugins | electricflow | <= 1.1.6 | | | |
| Fixed | pkg:maven/org.jenkins-ci.plugins/electricflow | org.jenkins-ci.plugins | electricflow | = 1.1.7 | | | |