Vulnerabilities > Jenkins > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-09-16 | CVE-2020-2266 | Cross-site Scripting vulnerability in Jenkins Description Column Jenkins Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | 5.4 |
| 2020-09-16 | CVE-2020-2265 | Cross-site Scripting vulnerability in Jenkins Coverage/Complexity Scatter Plot Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the method information in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step. | 5.4 |
| 2020-09-16 | CVE-2020-2264 | Cross-site Scripting vulnerability in Jenkins Custom JOB Icon 0.1/0.2 Jenkins Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | 5.4 |
| 2020-09-16 | CVE-2020-2263 | Cross-site Scripting vulnerability in Jenkins Radiator View Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | 5.4 |
| 2020-09-16 | CVE-2020-2262 | Cross-site Scripting vulnerability in Jenkins Android Lint Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step. | 5.4 |
| 2020-09-16 | CVE-2020-2260 | Missing Authorization vulnerability in Jenkins Perfecto A missing permission check in Jenkins Perfecto Plugin 1.17 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials. | 4.3 |
| 2020-09-16 | CVE-2020-2259 | Cross-site Scripting vulnerability in Jenkins Computer Queue Jenkins computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. | 5.4 |
| 2020-09-16 | CVE-2020-2258 | Incorrect Authorization vulnerability in Jenkins Health Advisor BY Cloudbees Jenkins Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint. | 4.3 |
| 2020-09-16 | CVE-2020-2257 | Cross-site Scripting vulnerability in Jenkins Validating String Parameter Jenkins Validating String Parameter Plugin 2.4 and earlier does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | 5.4 |
| 2020-09-16 | CVE-2020-2256 | Cross-site Scripting vulnerability in Jenkins Pipeline Maven Integration Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | 5.4 |