JENKINS-32652

XSS in Possible Next Executions widget


    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Critical
    • Resolution: Fixed
    • Component/s: next-executions-plugin
    • Labels:
      None
    • Environment:
      Jenkins: 1.645
      next-executions: 1.0.10
      Description

      You can inject HTML code by setting the job display name (Configuration -> Advanced Project Options). I set the job display name to `<script>alert('foo');</script>` and got an alert with the text "foo".

        Attachments

          Activity

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Ignacio Albors
          Path:
          src/main/java/hudson/plugins/nextexecutions/NextBuilds.java
          http://jenkins-ci.org/commit/next-executions-plugin/bd95c4d4476d1191d8eb0535be40328f38f3c0c1
          Log:
          Fixes JENKINS-32652.

          Escape the display name in order to avoid injection of HTML or JS code.

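The commit above fixes the report by escaping the display name before it is written into the widget's HTML. The following is an added example, not the plugin's code, that shows the class of bug and the shape of the fix: a job display name concatenated unescaped into markup beside the same rendering with the value escaped. The `escapeHtml` helper and the `renderVulnerable`/`renderEscaped` methods are hypothetical stand-ins (Jenkins core offers `hudson.Util.escape` for this purpose); the display name and next-run time are constructed sample values.

```java
// Added example, not the plugin's code. Demonstrates the bug class in
// JENKINS-32652 (job display name rendered into widget HTML unescaped) and
// the fix (escape every untrusted value before it reaches the page).
public class DisplayNameEscapeDemo {

    /**
     * Minimal HTML escaper (hypothetical stand-in for the escaping the plugin
     * uses). Escapes the five characters that can break out of text or
     * attribute context.
     */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable: the user-controlled display name is dropped straight into markup. */
    static String renderVulnerable(String displayName, String nextRun) {
        return "<li>" + displayName + " (" + nextRun + ")</li>";
    }

    /** Fixed: both values are escaped, so any markup in them is shown as text. */
    static String renderEscaped(String displayName, String nextRun) {
        return "<li>" + escapeHtml(displayName) + " (" + escapeHtml(nextRun) + ")</li>";
    }

    public static void main(String[] args) {
        // Constructed sample input: the display name from the report.
        String displayName = "JOB <script>alert('foo');</script>";
        String nextRun = "2016-01-01 12:00"; // constructed value

        System.out.println("vulnerable: " + renderVulnerable(displayName, nextRun));
        System.out.println("escaped:    " + renderEscaped(displayName, nextRun));

        // Regression check a plugin test could keep: escaped output must never
        // contain a raw tag, whatever the display name is.
        if (renderEscaped(displayName, nextRun).contains("<script")) {
            throw new AssertionError("display name was not escaped");
        }
    }
}
```

The vulnerable line prints the `<script>` element intact, which a browser would execute; the escaped line prints `&lt;script&gt;...`, which the browser shows as literal text. The defensive rule the fix applies is to escape at the point of output, so that the same display name is safe in every widget that renders it.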
          ialbors Ignacio Albors added a comment -

          Fixed in 1.0.11

          agabrys Adam Gabryś added a comment -

          Tested - works correctly! Thank you.

          ialbors Ignacio Albors added a comment -

          Thank you for the warning.


            People

            Assignee:
            ialbors Ignacio Albors
            Reporter:
            agabrys Adam Gabryś
            Votes:
            0
            Watchers:
            3

              Dates

              Created:
              Updated:
              Resolved: