CVEdetails.com the ultimate security vulnerability data source

Jenkins : Security Vulnerabilities (CVSS score between 3 and 3.99)

Columns: # | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Access Complexity | Authentication | Conf. | Integ. | Avail. The "# of Exploits" column is empty for every entry on this page, and the Authentication column reads "???" for every entry.

#   CVE ID          CWE  Type        Published   Updated     Score  Gained  Access  Complexity  Auth.  Conf.    Integ.   Avail.
1   CVE-2021-21700  79   XSS         2021-11-12  2021-11-17  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.
2   CVE-2021-21699  79   XSS         2021-11-12  2021-11-17  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
3   CVE-2021-21668  79   XSS         2021-06-16  2021-06-22  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Scriptler Plugin 3.1 and earlier does not escape script content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
4   CVE-2021-21667  79   XSS         2021-06-16  2021-06-22  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
5   CVE-2021-21660  79   XSS         2021-05-25  2021-06-01  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Markdown Formatter Plugin 0.1.0 and earlier does not sanitize crafted link target URLs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to edit any description rendered using the configured markup formatter.
6   CVE-2021-21650  862  +Info       2021-05-11  2021-05-19  3.5    None    Remote  Medium      ???    Partial  None     None
    Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled.
7   CVE-2021-21649  79   XSS         2021-05-11  2021-05-14  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.
8   CVE-2021-21635  79   XSS         2021-03-30  2021-04-05  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
9   CVE-2021-21630  79   XSS         2021-03-30  2021-04-02  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
10  CVE-2021-21628  79   XSS         2021-03-30  2021-04-02  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
11  CVE-2021-21622  79   XSS         2021-02-24  2021-02-27  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
12  CVE-2021-21619  79   XSS         2021-02-24  2021-02-27  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Claim Plugin 2.18.1 and earlier does not escape the user display name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins.
13  CVE-2021-21618  79   XSS         2021-02-24  2021-02-27  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
14  CVE-2021-21616  79   XSS         2021-02-24  2021-02-27  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
15  CVE-2021-21615  367              2021-01-26  2021-02-02  3.5    None    Remote  Medium      ???    Partial  None     None
    Jenkins 2.275 and LTS 2.263.2 allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.
16  CVE-2021-21611  79   XSS         2021-01-13  2021-01-15  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.
17  CVE-2021-21608  79   XSS         2021-01-13  2021-01-15  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.
18  CVE-2021-21603  79   XSS         2021-01-13  2021-01-15  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability.
19  CVE-2020-2317   79   XSS         2020-11-04  2020-11-10  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to Jenkins FindBugs Plugin's post build step.
20  CVE-2020-2316   79   XSS         2020-11-04  2020-11-10  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Static Analysis Utilities Plugin 1.96 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
21  CVE-2020-2292   79   XSS         2020-10-08  2020-10-15  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Release Plugin 2.10.2 and earlier does not escape the release version in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.
22  CVE-2020-2290   79   XSS         2020-10-08  2020-10-09  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Active Choices Plugin 2.4 and earlier does not escape some return values of sandboxed scripts for Reactive Reference Parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
23  CVE-2020-2289   79   XSS         2020-10-08  2020-10-09  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
24  CVE-2020-2283   79   XSS         2020-09-23  2020-09-28  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not escape changeset contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control changeset files evaluated by the plugin.
25  CVE-2020-2271   79   XSS         2020-09-16  2020-09-18  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Locked Files Report Plugin 1.6 and earlier does not escape locked files' names in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
26  CVE-2020-2270   79   XSS         2020-09-16  2020-09-16  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins ClearCase Release Plugin 0.3 and earlier does not escape the composite baseline in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
27  CVE-2020-2269   79   XSS         2020-09-16  2020-09-16  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins chosen-views-tabbar Plugin 1.2 and earlier does not escape view names in the dropdown to select views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views.
28  CVE-2020-2266   79   XSS         2020-09-16  2020-09-16  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
29  CVE-2020-2265   79   XSS         2020-09-16  2020-09-18  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the method information in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.
30  CVE-2020-2264   79   XSS         2020-09-16  2020-09-16  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
31  CVE-2020-2263   79   XSS         2020-09-16  2020-09-16  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
32  CVE-2020-2262   79   XSS         2020-09-16  2020-09-16  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.
33  CVE-2020-2259   79   XSS         2020-09-16  2020-09-16  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
34  CVE-2020-2257   79   XSS         2020-09-16  2020-09-16  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Validating String Parameter Plugin 2.4 and earlier does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
35  CVE-2020-2256   79   XSS         2020-09-16  2020-09-16  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
36  CVE-2020-2254   22   Dir. Trav.  2020-09-16  2020-09-18  3.5    None    Remote  Medium      ???    Partial  None     None
    Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system.
37  CVE-2020-2246   79   XSS         2020-09-01  2020-09-04  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Valgrind Plugin 0.28 and earlier does not escape content in Valgrind XML reports, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Valgrind XML report contents.
38  CVE-2020-2244   79   XSS         2020-09-01  2020-09-04  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.
39  CVE-2020-2243   79   XSS         2020-09-01  2020-09-04  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Cadence vManager Plugin 3.0.4 and earlier does not escape build descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.
40  CVE-2020-2238   79   XSS         2020-09-01  2020-09-04  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Git Parameter Plugin 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
41  CVE-2020-2236   79   XSS         2020-08-12  2020-08-13  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Yet Another Build Visualizer Plugin 1.11 and earlier does not escape tooltip content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Run/Update permission.
42  CVE-2020-2231   79   XSS         2020-08-12  2020-12-18  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
43  CVE-2020-2230   79   XSS         2020-08-12  2020-12-11  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.
44  CVE-2020-2229   79   XSS         2020-08-12  2020-12-11  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability.
45  CVE-2020-2227   79   XSS         2020-07-15  2020-07-22  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page, resulting in a stored cross-site scripting vulnerability.
46  CVE-2020-2226   79   XSS         2020-07-15  2020-07-22  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability.
47  CVE-2020-2225   79   XSS         2020-07-15  2020-07-21  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes, resulting in a stored cross-site scripting vulnerability.
48  CVE-2020-2224   79   XSS         2020-07-15  2020-07-21  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins Matrix Project Plugin 1.16 and earlier does not escape the node names shown in tooltips on the overview page of builds with a single axis, resulting in a stored cross-site scripting vulnerability.
49  CVE-2020-2223   79   XSS         2020-07-15  2020-07-21  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not correctly escape the 'href' attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability.
50  CVE-2020-2222   79   XSS         2020-07-15  2020-07-21  3.5    None    Remote  Medium      ???    None     Partial  None
    Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability.
Total number of vulnerabilities: 127 (page 1 of 3)