CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0CVE-2020-2222 – jenkins: Stored XSS vulnerability in 'keep forever' badge icons
https://notcve.org/view.php?id=CVE-2020-2222
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability. Jenkins versiones 2.244 y anteriores, LTS versiones 2.235.1 y anteriores, no escapan el nombre del trabajo en la información sobre herramientas de la insignia "Keep this build forever", resultando en una vulnerabilidad de tipo cross-site scripting almacenado A flaw was found in jenkins in versions prior to 2.244 and versions prior to LTS 2.235.1. Job names in the 'Keep this build forever' badge tooltip are not properly escaped which results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure job names. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • http://www.openwall.com/lists/oss-security/2020/07/15/5 https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1902 https://access.redhat.com/security/cve/CVE-2020-2222 https://bugzilla.redhat.com/show_bug.cgi?id=1857431 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2020-2163
https://notcve.org/view.php?id=CVE-2020-2163
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers. Jenkins versiones 2.227 y anteriores, LTS versiones 2.204.5 y anteriores, procesan inapropiadamente el contenido HTML de los encabezados de columna de visualización de lista, resultando en una vulnerabilidad de tipo XSS almacenado explotable por usuarios capaces de controlar encabezados de columna. • http://www.openwall.com/lists/oss-security/2020/03/25/2 https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1796 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2020-2162
https://notcve.org/view.php?id=CVE-2020-2162
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability. Jenkins versiones 2.227 y anteriores, LTS versiones 2.204.5 y anteriores, no establecen encabezados Content-Security-Policy para los archivos cargados como parámetros de archivo en una compilación, resultando en una vulnerabilidad de tipo XSS almacenado. • http://www.openwall.com/lists/oss-security/2020/03/25/2 https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1793 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-2160
https://notcve.org/view.php?id=CVE-2020-2160
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL. Jenkins versiones 2.227 y anteriores, LTS versiones 2.204.5 y anteriores, usan diferentes representaciones de rutas URL de petición, lo cual permite a atacantes diseñar una URL que permite la omisión de la protección de CSRF de cualquier URL objetivo. • http://www.openwall.com/lists/oss-security/2020/03/25/2 https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1774 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2020-2161
https://notcve.org/view.php?id=CVE-2020-2161
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels. Jenkins versiones 2.227 y anteriores, LTS versiones 2.204.5 y versiones anteriores, no se escapan apropiadamente las etiquetas de nodo que son mostradas en la comprobación del formulario para las expresiones de etiqueta en las páginas de configuración del trabajo, resultando en una vulnerabilidad de tipo XSS almacenado explotable por usuarios capaces de definir etiquetas de nodo. • http://www.openwall.com/lists/oss-security/2020/03/25/2 https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •