CVE-2019-10475

MEDIUM NUCLEI

Jenkins build-metrics < 1.3 - Reflected Cross-Site Scripting

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-10475. PoCs published by vesche. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in the Jenkins build-metrics plugin 1.3 and below. It constructs a malicious URL with an injectable 'label' parameter to trigger the XSS payload.

Description

A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.

Exploits (2)

exploitdb WORKING POC
by vesche · pythonwebappsjava
https://www.exploit-db.com/exploits/47598

This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in the Jenkins build-metrics plugin 1.3 and below. It constructs a malicious URL with an injectable 'label' parameter to trigger the XSS payload.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Jenkins build-metrics plugin 1.3 and below
No auth needed
Prerequisites: Access to the Jenkins instance with the vulnerable plugin
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 13 stars
by vesche · poc
https://github.com/vesche/CVE-2019-10475

This repository contains a functional Python script that demonstrates a reflected XSS vulnerability in the Jenkins build-metrics plugin (CVE-2019-10475). The exploit constructs a malicious URL with an injected script payload in the 'label' parameter, which is not properly escaped by the plugin.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Jenkins build-metrics plugin 1.3
No auth needed
Prerequisites: Access to the Jenkins build-metrics plugin endpoint
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Jenkins build-metrics 1.3 - Cross-Site Scripting
MEDIUMby madrobot

References (3)

Core 3
Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/10/23/2

Scores

CVSS v3 6.1
EPSS 0.9244
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
jenkins/build-metrics < 1.3
org.jenkins-ci.plugins/build-metrics 0Maven
Published Oct 23, 2019
Tracked Since Feb 18, 2026