CVE-2023-25761

2023-02-1514:15:13

CWE-79

[email protected]

web.nvd.nist.gov

164

cve-2023-25761

jenkins

junit plugin

cross-site scripting

xss

javascript

security vulnerability

nvd

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

32.4%

JSON

Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.

Affected configurations

NVD

Node

jenkinsjunitRange≤1166.va_436e268e972jenkins

CPENameOperatorVersion
jenkins:junitjenkins junitle1166.va_436e268e972

CPE	Name	Operator	Version
jenkins:junit	jenkins junit	le	1166.va_436e268e972

CNA Affected

[
  {
    "product": "Jenkins JUnit Plugin",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThanOrEqual": "1166.va_436e268e972",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "1119.1124.va_a_8ccde5658f"
      }
    ]
  }
]