CVE-2018-1000604
MEDIUMJenkins Badge Plugin < 1.4 - Stored Cross-Site Scripting in BadgeSummaryAction.java and HtmlBadgeAction.java
Title source: llmDescription
A persisted cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier in BadgeSummaryAction.java, HtmlBadgeAction.java that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://jenkins.io/security/advisory/2018-06-25/#SECURITY-906
Scores
CVSS v3
5.4
EPSS
0.0006
EPSS Percentile
18.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
jenkins/badge
< 1.4
org.jenkins-ci.plugins/badge
0 - 1.5Maven
Published
Jun 26, 2018
Tracked Since
Feb 18, 2026