Vulnerabilities > Jenkins > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-09-25 | CVE-2019-10410 | Cross-site Scripting vulnerability in Jenkins LOG Parser Jenkins Log Parser Plugin 2.0 and earlier did not escape an error message, resulting in a cross-site scripting vulnerability exploitable by users able to define log parsing rules. | 5.4 |
| 2019-09-25 | CVE-2019-10409 | Missing Authorization vulnerability in Jenkins Project Inheritance A missing permission check in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers with Overall/Read permission to trigger project generation from templates. | 4.3 |
| 2019-09-25 | CVE-2019-10408 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Project Inheritance A cross-site request forgery vulnerability in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers to trigger project generation from templates. | 4.3 |
| 2019-09-25 | CVE-2019-10407 | Information Exposure vulnerability in Jenkins Project Inheritance Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin. | 6.5 |
| 2019-09-25 | CVE-2019-10406 | Cross-site Scripting vulnerability in Jenkins Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission. | 4.8 |
| 2019-09-25 | CVE-2019-10405 | Cross-site Scripting vulnerability in Jenkins Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly. | 5.4 |
| 2019-09-25 | CVE-2019-10404 | Cross-site Scripting vulnerability in Jenkins Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors. | 5.4 |
| 2019-09-25 | CVE-2019-10403 | Cross-site Scripting vulnerability in Jenkins Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions. | 5.4 |
| 2019-09-25 | CVE-2019-10402 | Cross-site Scripting vulnerability in Jenkins In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents. | 5.4 |
| 2019-09-25 | CVE-2019-10401 | Cross-site Scripting vulnerability in Jenkins In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure). | 5.4 |