Jenkins Config File Provider Plugin XSS vulnerability
Moderate severity
GitHub Reviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated Jan 9, 2024
Package
Affected versions
< 3.5
Patched versions
3.5
Description
Published by the National Vulnerability Database
Feb 6, 2019
Published to the GitHub Advisory Database
May 13, 2022
Reviewed
Jan 9, 2024
Last updated
Jan 9, 2024
An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file.
References