CVE-2019-10383
MEDIUM
Jenkins < 2.176.3 - Authenticated Stored Cross-Site Scripting via Update Site URL Configuration
Title source: llm
Description
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.
References (5)
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/08/28/4
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2789
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3144
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Vendor Advisory x_refsource_confirm
https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1453
Scores
CVSS v3
4.8
EPSS
0.0029
EPSS Percentile
52.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (6)
jenkins/jenkins
< 2.176.2
jenkins/jenkins
< 2.191
oracle/communications_cloud_native_core_automated_test_suite
1.9.0
org.jenkins-ci.main/jenkins-core
0 - 2.176.3 (Maven)
redhat/openshift_container_platform
3.11
redhat/openshift_container_platform
4.1
Published
Aug 28, 2019
Tracked Since
Feb 18, 2026