Jenkins Delivery Pipeline Plugin Cross-site Scripting vulnerability
Moderate severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Jan 28, 2023
Package
Affected versions
<= 1.0.7
Patched versions
1.0.8
Description
Published by the National Vulnerability Database
Jan 26, 2018
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Dec 12, 2022
Last updated
Jan 28, 2023
The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used the unescaped content of the query parameter 'fullscreen' in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs. Version 1.0.8 of the plugin converts the value to a boolean (true/false) and inserts that into the page instead.
References