Stored XSS vulnerability in Validating String Parameter Plugin

2022-05-2417:28:25

Google

osv.dev

0.001 Low

EPSS

Percentile

22.0%

JSON

Validating String Parameter Plugin 2.4 and earlier does not escape regular expressions in tooltips. Additionally, Validating String Parameter Plugin 2.4 does not escape parameter names and parameter descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Validating String Parameter Plugin 2.5 escapes regular expressions in tooltips and parameter names. Parameter descriptions are rendered using the configured markup formatter.

CPENameOperatorVersion
org.jenkins-ci.plugins:validating-string-parametereq2.4
org.jenkins-ci.plugins:validating-string-parametereq2.3
org.jenkins-ci.plugins:validating-string-parametereq2.0
org.jenkins-ci.plugins:validating-string-parametereq2.2
org.jenkins-ci.plugins:validating-string-parametereq2.1

Name	Operator	Version
org.jenkins-ci.plugins:validating-string-parameter	eq	2.4
org.jenkins-ci.plugins:validating-string-parameter	eq	2.3
org.jenkins-ci.plugins:validating-string-parameter	eq	2.0
org.jenkins-ci.plugins:validating-string-parameter	eq	2.2
org.jenkins-ci.plugins:validating-string-parameter	eq	2.1