Jenkins / JENKINS-32652

XSS in Possible Next Executions widget

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Component/s: next-executions-plugin
    • Labels:
      None
    • Environment:
      Jenkins: 1.645
      next-executions: 1.0.10

      Description

      You can inject HTML code by setting the job display name (Configuration -> Advanced Project Options). I set JOB <script>alert('foo');</script> and got an alert with the "foo" text.

          Activity

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Ignacio Albors
          Path:
          src/main/java/hudson/plugins/nextexecutions/NextBuilds.java
          http://jenkins-ci.org/commit/next-executions-plugin/bd95c4d4476d1191d8eb0535be40328f38f3c0c1
          Log:
          Fixes JENKINS-32652.

          Escape the display name in order to avoid injection of HTML or JS code.

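          As an added illustration of the fix described in the commit message above (this is not code from the plugin or from that commit): a constructed Java model of the widget's row rendering, first with the job display name concatenated into the markup unescaped, then escaped before output. The names `renderRowUnsafe`, `renderRowSafe`, `escapeHtml` and `containsRawPayload` and the simplified table markup are assumptions made for the demo; in a real Jenkins plugin `hudson.Util.escape(String)` or Jelly's escaped `${...}` output would take the place of the hand-rolled `escapeHtml`.

```java
/**
 * Constructed model of the "Possible Next Executions" table: one row per job,
 * holding the job's display name and its next scheduled run. Demo code only,
 * not the next-executions plugin's own rendering.
 */
public final class DisplayNameEscapingDemo {

    /** The reporter's payload from the issue, used here as a constructed display name. */
    static final String MALICIOUS_NAME = "JOB <script>alert('foo');</script>";

    /** Vulnerable form: user-controlled text is concatenated straight into HTML. */
    static String renderRowUnsafe(String displayName, String nextRun) {
        return "<tr><td>" + displayName + "</td><td>" + nextRun + "</td></tr>";
    }

    /** Hardened form: everything that came from a user is escaped before it becomes a text node. */
    static String renderRowSafe(String displayName, String nextRun) {
        return "<tr><td>" + escapeHtml(displayName) + "</td><td>" + escapeHtml(nextRun) + "</td></tr>";
    }

    /**
     * Escape the five characters that can close an HTML text node or attribute value.
     * Hand-rolled only to keep this file self-contained; in a Jenkins plugin use
     * hudson.Util.escape(String) or rely on Jelly's escaped ${...} expressions.
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Regression check: a payload containing markup must never reach the page verbatim. */
    static boolean containsRawPayload(String renderedRow, String userText) {
        return renderedRow.contains(userText);
    }

    public static void main(String[] args) {
        String nextRun = "in 2 hours";
        String unsafe = renderRowUnsafe(MALICIOUS_NAME, nextRun);
        String safe = renderRowSafe(MALICIOUS_NAME, nextRun);
        // The unsafe row carries the <script> tag through to the browser; the safe row does not.
        System.out.println("unsafe: " + unsafe + "  rawPayload=" + containsRawPayload(unsafe, MALICIOUS_NAME));
        System.out.println("safe:   " + safe + "  rawPayload=" + containsRawPayload(safe, MALICIOUS_NAME));
    }
}
```

          Run it as a single-file program with `java DisplayNameEscapingDemo.java` (Java 11 or newer). The same check translates directly to verifying the plugin fix: set a job's display name to the payload from the description, load the page that hosts the widget, and confirm in the page source that the display name appears as `&lt;script&gt;...` rather than as a live tag.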
          ialbors Ignacio Albors added a comment -

          Fixed in 1.0.11

          agabrys Adam Gabryś added a comment -

          Tested - works correctly! Thank you.

          ialbors Ignacio Albors added a comment -

          Thank you for the warning.


            People

            • Assignee:
              ialbors Ignacio Albors
              Reporter:
              agabrys Adam Gabryś
