CVE-2021-21684 – jenkins-2-plugins/git: stored XSS vulnerability
https://notcve.org/view.php?id=CVE-2021-21684
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability. El plugin Git de Jenkins versiones 4.8.2 y anteriores, no escapa a los parámetros de suma de comprobación Git SHA-1 proporcionados a las notificaciones de commit cuando se muestran en una causa de construcción, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenado A stored cross-site scripting (XSS) vulnerability was found in the Jenkins Git plugin. Due to not escaping the Git SHA-1 checksum parameters provided to commit notifications, an attacker is able to submit crafted commit notifications to the `/git/notifyCommit` endpoint. • http://www.openwall.com/lists/oss-security/2021/10/06/1 https://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-2499 https://access.redhat.com/security/cve/CVE-2021-21684 https://bugzilla.redhat.com/show_bug.cgi?id=2011949 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-116: Improper Encoding or Escaping of Output •
CVE-2020-2238
https://notcve.org/view.php?id=CVE-2020-2238
Jenkins Git Parameter Plugin 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Jenkins Git Parameter Plugin versiones 0.9.12 y anteriores, no escapan el campo repository en la página "Build with Parameters", resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenado que los atacantes pueden explotar con permiso de Job/Configure • http://www.openwall.com/lists/oss-security/2020/09/01/3 https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1884 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-2136 – jenkins-git-plugin: stored cross-site scripting
https://notcve.org/view.php?id=CVE-2020-2136
Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability. Jenkins Git Plugin versiones 4.2.0 y anteriores, no escapa al mensaje de error de la URL del repositorio para la comprobación del formulario del campo TFS de Microsoft, resultando en una vulnerabilidad de tipo cross-site scripting almacenado. • http://www.openwall.com/lists/oss-security/2020/03/09/1 https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723 https://access.redhat.com/security/cve/CVE-2020-2136 https://bugzilla.redhat.com/show_bug.cgi?id=1819074 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-2112
https://notcve.org/view.php?id=CVE-2020-2112
Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the parameter name shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission. Jenkins Git Parameter Plugin versiones 0.9.11 y anteriores, no escapa al parámetro name que se muestra en la Interfaz de Usuario, resultando en una vulnerabilidad de tipo cross-site scripting almacenado que los usuarios con permiso Job/Configure pueden explotar. • http://www.openwall.com/lists/oss-security/2020/02/12/3 https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1709 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-2113
https://notcve.org/view.php?id=CVE-2020-2113
Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission. Jenkins Git Parameter Plugin versiones 0.9.11 y anteriores, no escapa al valor predeterminado que se muestra en la Interfaz de Usuario, resultando en una vulnerabilidad de tipo cross-site scripting almacenado que los usuarios con permiso Job/Configure pueden explotar. • http://www.openwall.com/lists/oss-security/2020/02/12/3 https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1709 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •