CVE-2018-1000177
Stored XSS vulnerability in Jenkins S3 Publisher Plugin
5.4
MEDIUM
CVSS 3.1
EPSS 0.06%
Description
A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions.
How to fix CVE-2018-1000177
To remediate CVE-2018-1000177, upgrade the affected package to the fixed version listed below.
- Upgrade to 0.11.0 or later
Is CVE-2018-1000177 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.11.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |