XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified crede…
[net.praqma:matrix-reloaded] Jenkins Matrix Reloaded Plugin vulnerable to Stored XSS
Jenkins Matrix Reloaded Plugin 1.1.3 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
References
https://nvd.nist.gov/vuln/…
[com.xebialabs.ci:xlrelease-plugin] Missing permission checks in Jenkins XebiaLabs XL Release Plugin allow capturing credentials
Missing permission checks in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, c…
[hudson.plugins:project-inheritance] Jenkins Project Inheritance Plugin vulnerable to cross site scripting
Jenkins Project Inheritance Plugin 21.04.03 and earlier does not escape the reason a build is blocked in tooltips, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control the reason a queue item is blocked.
Refe…
[net.praqma:matrix-reloaded] Jenkins Matrix Reloaded Plugin vulnerable to CSRF
Jenkins Matrix Reloaded Plugin 1.1.3 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to rebuild previous matrix builds.
References
htt…
[org.jenkins-ci.plugins:plot] Cross-site Scripting in Jenkins Plot Plugin
Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3478…
[org.jenkins-ci.plugins:junit] Cross-site Scripting in Jenkins JUnit Plugin
JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.
JUnit Plugin 1119.1121.vc43d0fc45561 app…
[org.jenkins-ci.main:jenkins-core] Cross-site Scripting vulnerability in Jenkins
Since Jenkins 2.321 and LTS 2.332.1, the HTML output generated for new symbol-based SVG icons includes the title attribute of l:ionicon until Jenkins 2.334 and alt attribute of l:icon since Jenkins 2.335 without further escaping.
This vulnerability is …
[org.jenkins-ci.main:jenkins-core] Cross-site Scripting vulnerability in Jenkins
Since Jenkins 2.340, symbol-based icons unescape previously escaped values of tooltip parameters.
This vulnerability is known to be exploitable by attackers with Job/Configure permission.
Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this vulner…
[org.jenkins-ci.main:jenkins-core] Cross-site Scripting vulnerability in Jenkins
Since Jenkins 2.340, the tooltip of the build button in list views supports HTML without escaping the job display name.
This vulnerability is known to be exploitable by attackers with Job/Configure permission.
Jenkins 2.356 addresses this vulnerability…