global-build-stats is vulnerable to reflected cross-site scripting (XSS) attacks. These attacks are possible because some URLs return JSON as Content-Type: text/html. This content may be interpreted by clients as HTML, allowing XSS to be performed. Cross-site request forgery (CSRF) attacks are also possible because some URLs don’t require POST requests to modify data.
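A defender can check recorded HTTP exchanges for both conditions described above. The following audit is an added example, not code from the plugin or the advisory; the paths, the `mutates` flag (set by the reviewer for endpoints known to modify data) and the sample exchanges are constructed assumptions.

```python
import json

# Constructed sample exchanges; paths are hypothetical, not the plugin's real URLs.
SAMPLE_EXCHANGES = [
    {"method": "GET", "path": "/plugin/example/listConfigs", "mutates": False,
     "status": 200, "headers": {"Content-Type": "text/html;charset=UTF-8"},
     "body": '{"title": "<b>user input</b>"}'},
    {"method": "GET", "path": "/plugin/example/listBuilds", "mutates": False,
     "status": 200, "headers": {"content-type": "application/json"},
     "body": '[{"id": 1}]'},
    {"method": "GET", "path": "/plugin/example/deleteConfig?id=1", "mutates": True,
     "status": 200, "headers": {"Content-Type": "text/plain"}, "body": ""},
    {"method": "GET", "path": "/plugin/example/saveConfig", "mutates": True,
     "status": 405, "headers": {"Content-Type": "text/plain"}, "body": ""},
    {"method": "POST", "path": "/plugin/example/saveConfig", "mutates": True,
     "status": 200, "headers": {"Content-Type": "text/plain"}, "body": ""},
]

def media_type(headers):
    """Return the lowercased media type, ignoring parameters such as charset."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""

def is_json(body):
    """True when the body parses as a JSON object or array."""
    try:
        return isinstance(json.loads(body), (dict, list))
    except ValueError:
        return False

def audit(exchanges):
    """Flag JSON served as text/html and data-modifying URLs that accept non-POST."""
    findings = []
    for ex in exchanges:
        accepted = 200 <= ex["status"] < 400  # the server processed the request
        if accepted and is_json(ex["body"]) and media_type(ex["headers"]) == "text/html":
            findings.append((ex["path"], "json-served-as-text/html"))
        if accepted and ex["mutates"] and ex["method"] != "POST":
            findings.append((ex["path"], "state-change-without-post"))
    return findings

if __name__ == "__main__":
    for path, issue in audit(SAMPLE_EXCHANGES):
        print(f"{issue}: {path}")
```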
CPE

Name | Operator | Version |
---|---|---|
hudson global-build-stats plugin | le | 1.0 |