CVE-2018-1000604 Information

Description

A persisted cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier in BadgeSummaryAction.java HtmlBadgeAction.java that allows attackers able to control build badge content to define JavaScript that would be executed in another user’s browser when that other user performs some UI actions.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://jenkins.io/security/advisory/2018-06-25/SECURITY-906

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

5.4