ID CVE-2021-21700
Summary Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.
References
Vulnerable Configurations
  • cpe:2.3:a:jenkins:scriptler:-:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:scriptler:3.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:scriptler:3.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:scriptler:3.3:*:*:*:*:jenkins:*:*
CVSS
Base: 3.5 (as of 25-10-2023 - 18:16)
Impact:
Exploitability:
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: SINGLE
Impact
  • Confidentiality: NONE
  • Integrity: PARTIAL
  • Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:S/C:N/I:P/A:N
Last major update 25-10-2023 - 18:16
Published 12-11-2021 - 11:15
Last modified 25-10-2023 - 18:16