oss-sec mailing list archives
Reflected Cross-Site Scripting Vulnerability in Jenkins Delivery Pipeline Plugin
From: Daniel Beck <ml () beckweb net>
Date: Thu, 16 Nov 2017 16:23:55 +0100
Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software. The following plugin releases contain fixes for security vulnerabilities: * Delivery Pipeline Plugin 1.0.8 Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here: https://jenkins.io/security/advisory/2017-11-16/ We provide advance notification for security updates on this mailing list: https://groups.google.com/d/forum/jenkinsci-advisories If you find security vulnerabilities in Jenkins, please report them as described here: https://jenkins.io/security/#reporting-vulnerabilities --- SECURITY-640 Delivery Pipeline Plugin used the unescaped content of the query parameter `fullscreen` in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs.
Current thread:
- Reflected Cross-Site Scripting Vulnerability in Jenkins Delivery Pipeline Plugin Daniel Beck (Nov 16)
- Re: Reflected Cross-Site Scripting Vulnerability in Jenkins Delivery Pipeline Plugin Daniel Beck (Nov 17)