CVE-2018-1000170
Description
A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another users browser when that other user performs some UI actions.
Risk Information
Base Score
5.4
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS Score
Exploitation Probability
0.215
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple vulnerabilities affected in Jenkins 2.107.1 | Windows |
| Vulnerabilities CVE-2018-1000170,CVE-2018-1000169 are fixed in Jenkins-Core 2.116 | Windows |
| Vulnerabilities CVE-2018-1000170,CVE-2018-1000169 are fixed in Jenkins-Core 2.107.2 | Windows |
| Multiple vulnerabilities affected in Jenkins 2.107.1 (For Ubuntu) | Linux |
| Multiple vulnerabilities affected in Jenkins 2.107.1 (For Debian) | Linux |
| Multiple vulnerabilities affected in Jenkins 2.107.1 (For Centos) | Linux |
| Multiple vulnerabilities affected in Jenkins 2.107.1 (For RedHat) | Linux |
| Multiple vulnerabilities affected in Jenkins 2.107.1 (For Suse) | Linux |
| Vulnerabilities CVE-2018-1000170,CVE-2018-1000169 are fixed in Jenkins-Core for Linux 2.116 | Linux |
| Vulnerabilities CVE-2018-1000170,CVE-2018-1000169 are fixed in Jenkins-Core for Linux 2.107.2 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234