CVE-2018-1000177

MEDIUM

Jenkins S3 Plugin < 0.10.12 - Stored Cross-Site Scripting via Uploaded File Names

Title source: llm

Description

A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://jenkins.io/security/advisory/2018-04-16/

Scores

CVSS v3 5.4

EPSS 0.0006

EPSS Percentile 18.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

jenkins/s3_publisher < 0.10.12

org.jenkins-ci.plugins/s3 0 - 0.11.0Maven

Published May 08, 2018

Tracked Since Feb 18, 2026