CVE-2019-1003013

Description

An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a users description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user.

Risk Information

Base Score

5.4

MODERATE

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Score

Exploitation Probability

0.061

Associated Vulnerability

Vulnerability	OS Platform
Vulnerabilities CVE-2019-1003013,CVE-2019-1003012 are fixed in Jenkins - blueocean 1.10.2	Windows
Vulnerabilities CVE-2019-1003013,CVE-2019-1003012 are fixed in Jenkins - blueocean for Linux 1.10.2	Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234