CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25761 – jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
https://notcve.org/view.php?id=CVE-2023-25761
Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin. A flaw was found in the Jenkins JUnit plugin. The affected versions of the JUnit Plugin do not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability. This may allow an attacker to control test case class names in the JUnit resources processed by the plugin. • http://www.openwall.com/lists/oss-security/2023/02/15/4 https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3032 https://access.redhat.com/security/cve/CVE-2023-25761 https://bugzilla.redhat.com/show_bug.cgi?id=2170039 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45380 – jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin
https://notcve.org/view.php?id=CVE-2022-45380
Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Jenkins JUnit Plugin 1159.v0b_396e1e07dd y versiones anteriores convierten las URL HTTP(S) en la salida del informe de prueba en enlaces en los que se puede hacer clic de manera insegura, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) almacenada que pueden explotar los atacantes con permiso Item/Configure. A flaw was found in the JUnit Jenkins Plugin. The affected version of the JUnit plugin converts HTTP(S) URLs in test report output to clickable links, which leads to a stored Cross-site scripting (XSS) attack. • http://www.openwall.com/lists/oss-security/2022/11/15/4 https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888 https://access.redhat.com/security/cve/CVE-2022-45380 https://bugzilla.redhat.com/show_bug.cgi?id=2143086 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34176 – jenkins-plugin/junit: Stored XSS vulnerability in JUnit Plugin
https://notcve.org/view.php?id=CVE-2022-34176
Jenkins JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission. Jenkins JUnit Plugin versiones 1119.va_a_5e9068da_d7 y anteriores, no escapa a las descripciones de los resultados de las pruebas, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenado, explotable por atacantes con permiso Run/Update A flaw was found in the JUnit Jenkins plugin. The manipulation with an unknown input leads to a Cross-site scripting vulnerability, impacting the integrity. This flaw allows an attacker to inject arbitrary HTML and script code into the website. • https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2760 https://access.redhat.com/security/cve/CVE-2022-34176 https://bugzilla.redhat.com/show_bug.cgi?id=2103548 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000411
https://notcve.org/view.php?id=CVE-2018-1000411
A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result. Una vulnerabilidad de Cross-Site Request Forgery (CSRF) existe en Jenkins JUnit Plugin, en sus versiones 1.25 y anteriores, en TestObject.java que permite la configuración de la descripción de un resultado de prueba. • http://www.securityfocus.com/bid/106532 https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1101 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000056
https://notcve.org/view.php?id=CVE-2018-1000056
Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. Jenkins JUnit Plugin, en versiones 1.23 y anteriores, procesa entidades externas XML en archivos que analiza como parte del proceso de construcción. Esto permite que atacantes con permisos de usuario en Jenkins extraigan secretos del directorio de inicio del servidor maestro de Jenkins, realicen Server-Side Request Forgery o ataques de denegación de servicio (DoS). • https://jenkins.io/security/advisory/2018-02-05 • CWE-611: Improper Restriction of XML External Entity Reference CWE-918: Server-Side Request Forgery (SSRF) •