Vulnerabilities > Jenkins > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-06-23 CVE-2022-34170 Cross-site Scripting vulnerability in Jenkins 2.333/2.334
In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
network
low complexity
jenkins CWE-79
5.4
2022-06-23 CVE-2022-34171 Cross-site Scripting vulnerability in Jenkins 2.333/2.334
In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability.
network
low complexity
jenkins CWE-79
5.4
2022-06-23 CVE-2022-34172 Cross-site Scripting vulnerability in Jenkins
In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability.
network
low complexity
jenkins CWE-79
5.4
2022-06-23 CVE-2022-34173 Cross-site Scripting vulnerability in Jenkins
In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
network
low complexity
jenkins CWE-79
5.4
2022-06-23 CVE-2022-34176 Cross-site Scripting vulnerability in Jenkins Junit
Jenkins JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.
network
low complexity
jenkins CWE-79
5.4
2022-06-23 CVE-2022-34178 Cross-site Scripting vulnerability in Jenkins Embeddable Build Status 2.0.3
Jenkins Embeddable Build Status Plugin 2.0.3 allows specifying a 'link' query parameter that build status badges will link to, without restricting possible values, resulting in a reflected cross-site scripting (XSS) vulnerability.
network
low complexity
jenkins CWE-79
6.1
2022-06-23 CVE-2022-34182 Cross-site Scripting vulnerability in Jenkins Nested View
Jenkins Nested View Plugin 1.20 through 1.25 (both inclusive) does not escape search parameters, resulting in a reflected cross-site scripting (XSS) vulnerability.
network
low complexity
jenkins CWE-79
6.1
2022-06-23 CVE-2022-34183 Cross-site Scripting vulnerability in Jenkins Agent Server Parameter 1.0/1.1
Jenkins Agent Server Parameter Plugin 1.1 and earlier does not escape the name and description of Agent Server parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
network
low complexity
jenkins CWE-79
5.4
2022-06-23 CVE-2022-34184 Cross-site Scripting vulnerability in Jenkins CRX Content Package Deployer
Jenkins CRX Content Package Deployer Plugin 1.9 and earlier does not escape the name and description of CRX Content Package Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
network
low complexity
jenkins CWE-79
5.4
2022-06-23 CVE-2022-34185 Cross-site Scripting vulnerability in Jenkins Date Parameter
Jenkins Date Parameter Plugin 0.0.4 and earlier does not escape the name and description of Date parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
network
low complexity
jenkins CWE-79
5.4