Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Minor
Component/s: test-results-analyzer-plugin
Labels:
None

Description

Test Results Analyzer lack of escape in TestResultsAnalyzerAction/index.jelly#L211-L214.

It’s also possible to deface the application dues to TestResultsAnalyzerAction/index.jelly#L25-L37.

This results in a stored cross-site scripting (XSS) vulnerability exploitable only by attackers with Overall/Administer permission.

We don't consider it a security vulnerability, because you need administer permission to exploit it and as an administer you can already do all the impact of a XSS.

Recommendation

(minimum) escape the variable, with Util.escape (from Jenkins Core),
(better) or inject the Java variable value following best practice from https://www.jenkins.io/doc/developer/security/xss-prevention/#passing-values-to-javascript.

Assignee:: Varun Menon
Reporter:: Kevin Guerroudj
Votes:: 0 Vote for this issue
Watchers:: 1 Start watching this issue

Created:: 2022-06-29 10:05
Updated:: 2022-06-29 10:06

Details

Description

Attachments

Activity

People

Dates